I have an input tag like this:

<input class="textBox" type="text" value="<%=ESAPI.encoder().canonicalize(query) %>" autocomplete="off" />

I tried using the ESAPI canonicalize function for a query like "><script>alert(1);</script>, but it doesn't work and I get an alert in my browser. Am I doing it right?


Solution

You are using the wrong encoding for the context. You are in regular attribute context, so you should use encodeForHTMLAttribute.

Btw, for Java there is a templating language that has context-sensitive autoescaping (https://code.google.com/p/hapax2/), so you don't have to:

  1. Manually determine what context you are in
  2. Choose the correct encoding manually for that context
  3. Write the code to escape manually, which in this case is a mouthful and makes the template harder to read

All of which is error-prone and comparable to escaping SQL manually, except much harder.
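To make the point concrete, here is an added example (not code from the question, the answer, or the ESAPI project) that models the two operations side by side. `canonicalize` is a deliberately simplified stand-in for `ESAPI.encoder().canonicalize()`: it only ever strips HTML-entity and percent encoding until the string stops changing (real ESAPI additionally detects double and mixed encoding, which is not modelled here). `encode_for_html_attribute` follows the OWASP rule that ESAPI's attribute encoder implements: ASCII alphanumerics pass through, every other character becomes `&#xHH;`. The page's own `<input>` tag is rendered both ways and fed to Python's HTML parser to show what a browser would see. The payload string and the parsing helpers are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed attacker input, the same string the question uses.
PAYLOAD = '"><script>alert(1);</script>'


def canonicalize(s, max_rounds=5):
    """Simplified stand-in for ESAPI canonicalize(): repeatedly HTML-entity-
    and percent-DECODE until nothing changes. It removes encoding; it never
    adds any, so it cannot protect an output context on its own."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(s))
        if decoded == s:
            return s
        s = decoded
    return s


def encode_for_html_attribute(s):
    """Attribute-context encoder using the OWASP rule ESAPI applies:
    keep [A-Za-z0-9], turn every other character into &#xHH; so nothing
    in the value can close the quoted attribute or open a tag."""
    return "".join(
        c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):x};" for c in s
    )


def render_input(value_encoder, query):
    """The page's <input> tag with the value filled in by the given encoder."""
    return (
        f'<input class="textBox" type="text" value="{value_encoder(query)}" '
        'autocomplete="off" />'
    )


class TagCollector(HTMLParser):
    """Records the start tags a parser sees and the attributes of <input>."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)  # attribute values arrive decoded


def parse(markup):
    """Return (list of start tags, attributes of the <input> element)."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.input_attrs


if __name__ == "__main__":
    # canonicalize only decodes: the payload has nothing to decode, so it is
    # returned untouched and the rendered tag breaks out of the attribute.
    bad = render_input(canonicalize, PAYLOAD)
    print(bad)
    print("tags seen:", parse(bad)[0])  # ['input', 'script']

    # Attribute encoding keeps the whole payload inside value="...", and the
    # parser decodes it back to the literal text the user typed.
    good = render_input(encode_for_html_attribute, PAYLOAD)
    print(good)
    print("tags seen:", parse(good)[0])  # ['input']
```

Run it and compare the two `tags seen` lines: with `canonicalize` the parser meets a second element, `script`, exactly what the question observed; with `encode_for_html_attribute` there is only the `input`, and its `value` attribute decodes back to the original string, which is the behaviour the answer is asking for. The `canonicalize` step is still useful as a normalisation pass on input before validation, but it belongs in front of the output encoder, not in place of it.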

Licensed under: CC-BY-SA with attribution