I couldn't sanitize the vector "<%<!--'%><script>alert(1);</script -->", using the methods available in "encoder-1.2.3.jar".
ricardonostrum opened this issue · 4 comments
Hi Jim Manico!
I couldn't sanitize the vector "<%", using the methods available in "encoder-1.2.3.jar", I would like some help to be able to identify if using the "ESAPI" this would be solved or if a correction in the library would be necessary.
Thanks.
Hi kwwall.
So you're telling me that I can use "Validator.getValidSafeHTML" to treat the vector mentioned in the title, so that it is no longer interpretable by the browser and does not break the url?
@ricardonostrum - I'm not saying that. I merely was trying to point out that you used the word 'sanitize' (implying HTML sanitization) and that's not what the Java Encoder Project does and not what ESAPI's Encoders do either.
However, I do think that we are missing a lot of context here. For starters, what Encode method were you using and what were your assumptions and your expectations? And what URL? I don't see a URL here. Other than preventing XSS with the tainted string you show in the title, I'm not even sure of what you are trying to accomplish because we are all completely missing any context.
Show us an example code snippet so we're all working off the same page. Maybe something like a small JUnit test. But right now, we don't have enough information to provide much more guidance than I've already provided.
Finally, if you have not already done so, I would highly encourage you to read through the OWASP Cross-Site Scripting Prevention Cheat Sheet.
@ricardonostrum sorry for the extremely late reply to this. As Kevin indicated, this is not a sanitization library - rather an encoding library. To make the given output safe for display in HTML you would need to use the appropriate forHtml, forJavaScript, etc. function in order to encode the tainted data.