I have an input tag like this:

<input class="textBox" type="text" value="<%=ESAPI.encoder().canonicalize(query) %>" autocomplete="off" />

I tried using the ESAPI canonicalize function for a query like "><script>alert(1);</script>, but it doesn't work and I get an alert in my browser. Am I doing it right?

coderslay

1 Answer

You are using the wrong encoding for the context. You are in a regular attribute context, so you should use encodeForHTMLAttribute.

Btw, for Java there is a templating language that has context-sensitive autoescaping, https://code.google.com/p/hapax2/, so you don't have to:

  1. Manually determine what context you are in
  2. Choose the correct encoding manually for that context
  3. Write the code to escape manually, which in this case is a mouthful and makes the template harder to read

Which is error-prone and comparable to escaping SQL manually except much harder.

Esailija
  • I tried using ESAPI.encoder().encodeForHTMLAttribute(query) but still I am getting the alert in the browser. – coderslay Apr 16 '13 at 08:06
  • @Coder_sLaY can you look at the output from browser's view source? – Esailija Apr 16 '13 at 08:07
  • Hey sorry, was a cache issue. It's working. Thanks a ton. Btw would you suggest me using hapax2? – coderslay Apr 16 '13 at 08:09
  • @Coder_sLaY Actually looking at the source code, I don't think they faithfully reimplement Google Ctemplate's context-sensitive autoescaping so no. There are very few templating engines that have context-sensitive autoescaping. Some have autoescaping but it's not context sensitive and gives false sense of security. You can try the hapax and see if it autoescapes but at a quick glance at source I couldn't find it. – Esailija Apr 16 '13 at 08:12
  • Thanks a ton for the suggestions. It's appreciated. – coderslay Apr 16 '13 at 08:14
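The following is an added example (not code from the question, the answer, or the ESAPI project) that makes the difference between the two calls concrete. The methods canonicalize and encodeForHTMLAttribute below are simplified stand-ins written for this illustration, assumed to mirror the behaviour of ESAPI.encoder().canonicalize() (decode to one normalized form) and ESAPI.encoder().encodeForHTMLAttribute() (hex character references for everything that is not a letter or digit); they are not the library's implementation. The template string is the input tag from the question and the test value is the question's payload.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AttributeContextDemo {

    // Stand-in for ESAPI.encoder().canonicalize() (assumption, not the library's code).
    // Canonicalization only DECODES a few encodings to a single representation so
    // that validation sees one form; it never makes a value safe for a context.
    static String canonicalize(String s) {
        return s.replace("%3C", "<").replace("%3c", "<")
                .replace("%3E", ">").replace("%3e", ">")
                .replace("%22", "\"")
                .replace("&lt;", "<").replace("&gt;", ">")
                .replace("&quot;", "\"").replace("&amp;", "&");
    }

    // Stand-in for ESAPI.encoder().encodeForHTMLAttribute() (assumption). Every
    // character that is not a letter or digit becomes a hex character reference,
    // so the value can neither close the quoted attribute nor open a tag.
    static String encodeForHTMLAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 3);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
                sb.append(c);
            } else {
                sb.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return sb.toString();
    }

    // The input tag from the question with the attribute value substituted in.
    static String render(String value) {
        return "<input class=\"textBox\" type=\"text\" value=\"" + value + "\" autocomplete=\"off\" />";
    }

    // Counts tag openers in the rendered markup. The template contains exactly one
    // (<input); any additional one means the value broke out of the attribute.
    private static final Pattern TAG = Pattern.compile("<[A-Za-z/]");

    static int countTags(String markup) {
        Matcher m = TAG.matcher(markup);
        int n = 0;
        while (m.find()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed test input: the payload from the question.
        String query = "\"><script>alert(1);</script>";

        String wrong = render(canonicalize(query));          // what the question's JSP does
        String right = render(encodeForHTMLAttribute(query)); // what the answer recommends

        System.out.println("canonicalize:           " + wrong);
        System.out.println("  tags in output: " + countTags(wrong) + " (template has 1; value escaped the attribute)");
        System.out.println("encodeForHTMLAttribute: " + right);
        System.out.println("  tags in output: " + countTags(right));
        // The browser decodes the character references when it reads the attribute,
        // so the user still sees the original text in the box; it just cannot run.
    }
}
```

Running it prints three tag openers for the canonicalized version (the original input, the injected script, and its closing tag) and one for the attribute-encoded version. The wrong call is not a weaker encoder, it is not an encoder at all: canonicalize exists to normalize input before validation, while output must always go through the encoder that matches the context it is written into.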