Cross-site scripting: encodeForHTML for HTML content (OWASP Enterprise Security API)

I have an HTML select tag in my JSP:

<%@ taglib prefix="esapi"   uri="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API"%>

    <select>
       ...
      <option value="volvo">${device.name}</option>
      ....
    </select>

I set this as the device name in the DB:

"><script>alert(1)</script>2d65

I tried to get rid of the warning when loading the page with:

<esapi:encodeForHTMLAttribute>${device.name}</esapi:encodeForHTMLAttribute>

or

<esapi:encodeForHTML>${device.name}</esapi:encodeForHTML>

or

<c:out value="${device.name}"/>

or

 <esapi:encodeForJavaScript>${device.name}</esapi:encodeForJavaScript>

But there is no way! A warning message always appears when the page loads!

In fact, I see that the characters are escaped, but a warning still appears in the JSP.


Try without taglib:

 <%@ page import="org.owasp.esapi.*" %>

 ...
 <select>
   ...
  <option value="volvo"><%out.print(ESAPI.encoder().encodeForHTML(device.name));%></option>
  ....
 </select>
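To see why encoding the name for the HTML context stops the script from running, here is an added Python model of that encoder together with a parser-based check on the rendered `<option>`. It is not ESAPI's code and not from the original post; the encoding rule (alphanumerics pass through, everything else becomes a numeric entity) is an assumption modelled on ESAPI's approach, and the device name is a constructed copy of the payload from the question.

```python
from html import unescape
from html.parser import HTMLParser

# Constructed copy of the device name the question stores in the database.
DEVICE_NAME = '"><script>alert(1)</script>2d65'


def encode_for_html(text: str) -> str:
    """Escape text for HTML element content or a quoted attribute.

    Assumption: mirrors the ESAPI rule of leaving only ASCII alphanumerics
    untouched and emitting a hex numeric entity for every other character.
    This is a model, not ESAPI's own implementation.
    """
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#x{ord(ch):x};"
        for ch in text
    )


def render_option(name: str, encode: bool = True) -> str:
    """Render the <option> from the question, using the name in both the
    value attribute and the element body; encode=False reproduces raw output."""
    shown = encode_for_html(name) if encode else name
    return f'<option value="{shown}">{shown}</option>'


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags exactly as a tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.scripts += 1


def script_tags_in(fragment: str) -> int:
    """Number of <script> elements a parser finds in the fragment (0 means safe)."""
    parser = _ScriptCounter()
    parser.feed(fragment)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    for safe in (False, True):
        frag = render_option(DEVICE_NAME, encode=safe)
        print(f"encoded={safe}: script tags={script_tags_in(frag)} -> {frag}")
    # Entity encoding preserves the stored value: decoding gives the name back.
    assert unescape(encode_for_html(DEVICE_NAME)) == DEVICE_NAME
```

If the encoded output still triggers the alert in the page, the injected value is being emitted unencoded somewhere else, so this check belongs on every place the name is rendered, not only this `<option>`.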

Source: https://habr.com/ru/post/1616751/
