OWASP Java Encoder Project
OWASP Java Encoder Project
The OWASP Java Encoder is a Java 1.5 simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.1.1.jar, import org.owasp.encoder.Encode and start encoding.
Please look at the javadoc for Encode to see the variety of contexts for which you can encode.
If you want to try it out or see it in action, head over to "Can You XSS This? (.com)" and hit it with your best XSS attack vectors!
The OWASP Java Encoder is free to use under the New BSD License.
What is this?
The OWASP Java Encoder provides:
News and Events
We will be releasing a user guide soon!
The general API pattern to utilize the Java Encoder Project is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target context and "untrustedData" in untrusted user input.
For example, to use in a JSP
<input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />
<textarea name="text"><%= Encode.forHtmlContent(textValue) %>" />
Generally Encode.forHtml(...) is safe but slightly less efficient for the above two contexts (since it encodes more characters than necessary).
Other contexts can be found in the org.owasp.Encode class methods, including CSS strings, CSS urls, XML contexts, URIs and URI components.
The OWASP Java Encoder version 1.1.1 is now available in central!
Direct Download: encoder-1.1.1.jar
<dependency> <groupId>org.owasp.encoder</groupId> <artifactId>encoder</artifactId> <version>1.1.1</version> </dependency>
JSP Tag Library
Direct Download: encoder-jsp-1.1.1.jar
<dependency> <groupId>org.owasp.encoder</groupId> <artifactId>encoder-jsp</artifactId> <version>1.1.1</version> </dependency>
The following describes the Grave Accent XSS issue with unpatched versions of Internet Explorer. Thank you to Rafay Baloch for bringing this to our attention.
The grave accent (`), ASCII 96, hex 60 (wikipedia) is subject to a critical flaw in unpatched Internet Explorer. There is no possible encoding of the character that can avoid the issue. For a more in depth presentation on the issue discussed herein, please see Mario Heidrech's presentation.
In Internet Explorer, the grave accent is usable as an HTML attribute quotation character, equivalent to single and double quotes. Specifically, IE treats the following as equivalent:
<body><%= Encode.forHtml(textValue) %>" /></body>
<input value="this is the value"> <input value=`this is the value`>
The following HTML snippet, demonstrates the cross-site scripting vulnerability related to grave accents on unpatched Internet Explorer:
When this snippet is run in Internet Explorer the following steps happen:
- Two div elements are created with id's "a" and "b"
- The script executes "a.innerHTML" which returns:
- The script sets "b.innerHTML" to the value from (2) and is converted to the DOM equivalent of
<input value="" onmouseover="alert(1)">
The XSS issue arises from IE returning a value from innerHTML that it does not parse back into the original DOM. Patched version of IE fix this issue by returning the XSS value as a double-quoted attribute. The issue is complicated by the fact that no possible encoding of the grave accent can avoid this issue.
...is the input, "a.innerHTML" returns the same XSS vector as it does without the encoding.
This can be done in any library code that reads the innerHTML. To follow how this addresses the issue, the innerHTML from step 2 of the issue is converted to:
Since the browser will no longer see the grave accents as an empty attribute, it will convert the input back to a copy of its original DOM.
Other Possible Solutions
As there is no encoding option available, the following options are available to web application authors:
- Do not use innerHTML copies
- Filter out the accent grave from any user input
- Clean up grave accents when using an innerHTML copy
OWASP Java Encoder Library Related Changes
The OWASP Java Encoder Library at its core is intended to be a XSS safe _encoding_ library. The grave accent is a legitimate and frequently used character, that cannot be encoded to avoid this bug in unpatched versions of IE. With enough user feedback, we may update the library to include one of the following options: (1) alternate, drop-in build that filters grave accents, with unchanged API, (2) new filtering methods.
| PROJECT INFO
What does this OWASP project offer you?
| RELEASE(S) INFO|
What releases are available for this project?