Esapi: should encodeForHTMLAttribute be used for src attribute? encodeForURL? or both?

Which one is correct?

<img src="#encodeForHTMLAttribute(FORM.path)#"> 

or

 <img src="#encodeForURL(FORM.path)#"> 

or

 <img src="#encodeForHTMLAttribute(encodeForURL(FORM.path))#"> 

?

+4
3 answers

Use the method(s) that matches the context of where you paste the text that needs to be encoded.


encodeForUrl is designed to host dynamic text in the URL, so it will replace / with %2F (etc.), and if you apply it to the whole URL you will have an encoded URL (which is therefore broken for use in the src attribute).

If you allow users to provide a partial URL, you need to split on / (and any other appropriate separators), apply encodeForUrl to each part, and then merge again.

Note: encodeForUrl seems to pass its string directly to Java, which means that backslashes are treated as escape characters: \b\n is encoded to %08%0A instead of %5Cb%5Cn. This behavior is not part of standard URL encoding (nor of CF strings at all). To avoid this, use the UrlEncodedFormat function instead.

encodeForHTMLAttribute is designed to accommodate dynamic text in an HTML attribute: it is designed to ensure that the content is treated as text (not parsed as HTML). It does not know or care whether its content is a URL or something else.


All in all, you probably want encodeForHtmlAttribute( UrlEncodedFormat( Form.Path ) ) for this situation.

+7

In your example, the answer should use both.

However, depending on the contents of FORM.path , you may break things.

The encodeForURL function should really be called encodeURIComponent (as it is in JavaScript), because it is intended to be used on URI components, not the entire URL string. URI components, such as name/value pairs, must be encoded separately; otherwise the delimiter ("=" for name/value pairs) will also be encoded.

The following will result in a 404, even if you have an index.cfm file. Note that the path separator "/", the query string separator "?" and the name/value separator "=" are all encoded, which makes the entire string a single unit.

<a href="#encodeForURL("/index.cfm?x=y")#">here</a>

What needs to be done is:

<cfset pathURIEncoded = "/index.cfm?#encodeForURL("x")#=#encodeForURL("y")#">
<a href="#encodeForHTMLAttribute(Variables.pathURIEncoded)#">here</a>

Replacing x and y with variables rather than static strings, of course.

+1
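The layered approach that the first two answers describe (percent-encode each URI component on its own, then HTML-attribute-encode the assembled URL), as an added example that is not from the original answers. It uses JavaScript's encodeURIComponent in place of ColdFusion's encodeForURL, and the encodeForHTMLAttribute helper below is a minimal stand-in written for this example, not ESAPI's implementation.

```javascript
// Minimal HTML attribute encoder (stand-in for ESAPI's encodeForHTMLAttribute):
// makes the value inert inside a quoted attribute.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// The mistake from the second answer: encoding the whole URL as one component
// turns "/" "?" "=" into %2F %3F %3D, so the browser asks for a single path
// segment literally named "/index.cfm?x=y" and gets a 404.
function encodeWholeUrl(url) {
  return encodeURIComponent(url);
}

// The fix: split the path on "/" and encode each segment (first answer), and
// encode each query name and value separately so the delimiters survive
// (second answer). Only then apply attribute encoding for the HTML context.
function buildSafeUrl(path, params) {
  const pathPart = path.split('/').map(encodeURIComponent).join('/');
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  const url = query ? `${pathPart}?${query}` : pathPart;
  return encodeForHTMLAttribute(url);
}

// Constructed input: a path with a space plus a query name and value that
// carry characters meaningful to both the URL and the HTML parser.
const userPath = '/images/my photo.png';
const safe = buildSafeUrl(userPath, { x: 'y', 'q"': 'a&b' });
// The URL layer percent-encodes the quote and the inner "&"; the HTML layer
// then escapes the "&" that separates the two parameters, as attribute
// values require.
console.log(`<img src="${safe}">`);
console.log(`broken: <a href="${encodeWholeUrl('/index.cfm?x=y')}">`);
```

The two console lines show the working tag next to the over-encoded one, so the effect of each layer is visible side by side.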

In this example, I would use the encodeForHTMLAttribute method, since this is a static path. The only exception would be if the value of the src attribute itself was created from a public domain (sent via URL, FORM, etc.) and contains dynamic data. If that were the case, I would use the encodeForURL() method.

0

Source: https://habr.com/ru/post/1440150/
