Question

I have an input tag like this

<input class="textBox" type="text" value="<%=ESAPI.encoder().canonicalize(query) %>" autocomplete="off" />

I tried using the ESAPI canonicalize function for a query like "><script>alert(1);</script>, but it doesn't work and I get an alert in my browser. Am I doing it right?


Solution

You are using the wrong encoding for the context. You are in regular attribute context, so you should use encodeForHTMLAttribute.

Btw, for Java there is a templating language that has context-sensitive autoescaping https://code.google.com/p/hapax2/ so you don't have to

  1. Manually determine what context you are in
  2. Choose the correct encoding manually for that context
  3. Write the code to escape manually, which in this case is a mouthful and makes the template harder to read

Which is error-prone and comparable to escaping SQL manually except much harder.
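To make the difference between the two calls concrete, here is an added example in Python (not code from the answer and not ESAPI's own implementation). `canonicalize` and `encode_for_html_attribute` are simplified stand-ins for `ESAPI.encoder().canonicalize()` and `encodeForHTMLAttribute()`; `analyze` parses the rendered tag the way a browser would tokenize it, so you can see that canonicalization only decodes the input (its job is normalizing input before validation) while attribute encoding is what keeps the value inside `value="..."`. The payload string is the one from the question.

```python
import html
import urllib.parse
from html.parser import HTMLParser

# Input from the question: intended to close the value="" attribute and inject a tag.
PAYLOAD = '"><script>alert(1);</script>'


def canonicalize(s: str) -> str:
    """Stand-in for ESAPI canonicalize(): repeatedly undo percent- and
    entity-encoding until the string is stable. Note that this only DECODES;
    it never makes a string safe for any output context."""
    prev = None
    while prev != s:
        prev = s
        s = html.unescape(urllib.parse.unquote(s))
    return s


def encode_for_html_attribute(s: str) -> str:
    """Stand-in for ESAPI encodeForHTMLAttribute(): escape &, <, >, " and '
    so the value cannot terminate a quoted attribute or start a new tag."""
    return html.escape(s, quote=True)


def render_input(value: str, encoder) -> str:
    """Render the <input> tag from the question with the given output encoder."""
    return '<input class="textBox" type="text" value="%s" autocomplete="off" />' % encoder(value)


class TagCollector(HTMLParser):
    """Records every start tag and every <input value=...> the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # html.parser unescapes attribute values, so this is the value a browser would hold.
            self.input_values.append(dict(attrs).get("value"))


def analyze(markup: str) -> dict:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return {"tags": parser.tags, "input_values": parser.input_values}


def safe_in_attribute(value: str, encoder) -> bool:
    """True if rendering `value` through `encoder` yields exactly one <input> tag,
    no extra tags, and the attribute round-trips to the original string."""
    result = analyze(render_input(value, encoder))
    return result["tags"] == ["input"] and result["input_values"] == [value]


if __name__ == "__main__":
    # Canonicalization decodes layered encodings, which is why it belongs before validation:
    print(canonicalize("%2522%253E%253Cscript%253E"))  # "><script>
    # But the output-side use from the question leaves the attribute breakout intact:
    print(analyze(render_input(canonicalize(PAYLOAD), lambda s: s)))
    # Attribute encoding keeps the whole payload inside value="...":
    print(analyze(render_input(PAYLOAD, encode_for_html_attribute)))
```

`safe_in_attribute(PAYLOAD, canonicalize)` is false because the parser sees a second `script` tag and an empty `value`, while `safe_in_attribute(PAYLOAD, encode_for_html_attribute)` is true. The same check is a useful unit test to keep beside any template that builds attributes by hand.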

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow