Grave accent issue

Question

Grave accent issue

fraenku opened this issue 5 years ago · 3 comments

In regards to the issue with the grave accent issue described here https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Grave_Accent_Issue
I found out that ESAPI.encoder.encodeForHTMLAttribute() is converting the ` in its hexadecimal-form:

`
Why owasp-java-encoder is not doing the same? Wouldn't this prevent the possible xss-attack in IE?

Answer 1 · 2019-06-19T15:33:40.000Z

Our solution in the cited doc does not require a change in the encoder. We aim to encode •minimally• and the grave accent encoding is not at all necessary if your UI is coded correctly. The ESAPI encoder chooses to encode very aggressively in situations that are not necessary. No one has ever reported a bypass against the encoder when used properly as documented. Respectfully, -- Jim Manico @manicode

…

On Jun 19, 2019, at 8:28 AM, fraenku ***@***.***> wrote: In regards to the issue with the grave accent issue described here https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Grave_Accent_Issue I found out that ESAPI.encoder.encodeForHTMLAttribute() is converting the ` in its hexadecimal-form: ` Why owasp-java-encoder is not doing the same? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

Answer 2 · 2019-06-20T06:30:05.000Z

Thanks for the quick answer, I understand the point :-)

What is your opinon in regards to the widely used
<c:out value="${bean.userControlledValue}"/>-tag included in JSTL?

Is it save enough since it does not offer any context-sensitive encoding? At least according to
https://www.cvedetails.com/product/31268/Apache-Standard-Taglibs.html?vendor_id=45
no issue has been reported so far (which surprises me...)

Answer 3 · 2019-06-20T14:44:38.000Z

It’s safe for HTML body locations, but not for CSS or JavaScript code locations...

…

-- Jim Manico @manicode Secure Coding Education +1 (808) 652-3805

On Jun 19, 2019, at 11:30 PM, fraenku ***@***.***> wrote: Thanks for the quick answer, I understand the point :-) What is your opinon in regards to the widely used <c:out value="${bean.userControlledValue}"/>-tag included in JSTL? Is it save enough since it does not offer any context-sensitive encoding? — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.