Comments (8)
The above use case would be better handled by using strings instead of template literals. But I assume this is just mentioned as a demonstration, and that there is a valid use case for embedding server-side data in a template literal. An easy way to do it right now would be to embed the server-side string in the template literal by surrounding it with ${" and "} and escaping it. Hopefully this can provide a useful crutch for now:
<!DOCTYPE html>
<html>
<body>
<script>
// var data = `${"<%=Encode.forJavaScript(input)%>"}`;
var data = `${"hell`;alert(1);`o"}`; // does not pop alert
</script>
</body>
</html>
My recommendation, however, would be to instead escape the content to a JavaScript variable, and then use a template literal that references the variable, e.g.:
var input = "<$= Encode.forJavaScript(input) $>";
var data = `Here's your input: ${ input }, hope it's not XSS!`;
from owasp-java-encoder.
I think RULE #3 of the original OWASP XSS Prevention Cheat Sheet, "Except for alphanumeric characters, escape all characters less than 256 with the \xHH format [...]", would handle this case correctly.
from owasp-java-encoder.
Template literals are in the JavaScript standard since ECMAScript 2015 Language Specification 6th Edition, June 2015. See the link I've posted in my first comment above.
from owasp-java-encoder.
from owasp-java-encoder.
Jim, thank you very much.
-Alex
from owasp-java-encoder.
After talking with @jeffi we decided to politely close this out and not add a new encoding method. I'll update the wiki to address this issue per Jeff's comments.
from owasp-java-encoder.
Wiki text added https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Encoding_and_Template_Literals
from owasp-java-encoder.
Would there really be the need to create a new encoding method?
From my naive point of view, template literals are just a third kind of string literal, delimited by backticks instead of single or double quotes.
So my guess is that it would suffice to let the existing Encode.forJavaScript output \x60 for any occurrence of the backtick.
from owasp-java-encoder.
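The following is an added example, not code from the OWASP Java Encoder project and not posted by anyone in this thread. It covers two points raised above: the first comment's three embedding patterns (a bare template literal, the ${"..."} wrapper, and escaping into a separate variable), and the later comments' proposal that Cheat Sheet Rule #3 encoding (\xHH for every non-alphanumeric character below 256) already neutralises backticks and ${. encodeRule3 is a JavaScript re-implementation of Rule #3 written here for illustration; encodeQuotesOnly is a hypothetical encoder that escapes only backslash and quotes, standing in for any string encoder written before template literals existed. It is not the Java Encoder's actual output. The payloads and the spy that replaces alert() are constructed for this example.

```javascript
// Added example (not the OWASP Java Encoder project's code): Rule #3 encoding
// versus a quotes-only encoder, exercised under three template-literal embeddings.

// Rule #3 encoder. Backtick (0x60), '$' (0x24) and '{' (0x7b) are all
// non-alphanumeric, so they come out as \x60, \x24, \x7b and can no longer
// close a template literal or open a ${...} substitution. Code units >= 256
// get \uHHHH; surrogate halves are emitted individually, which is still a
// valid JavaScript string escape sequence.
function encodeRule3(input) {
  let out = '';
  for (let i = 0; i < input.length; i++) {
    const c = input.charCodeAt(i);
    const alnum = (c >= 0x30 && c <= 0x39) || (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a);
    if (alnum) {
      out += input[i];
    } else if (c < 256) {
      out += '\\x' + c.toString(16).padStart(2, '0');
    } else {
      out += '\\u' + c.toString(16).padStart(4, '0');
    }
  }
  return out;
}

// Hypothetical quotes-only encoder (constructed for this example): escapes
// backslash and both quote characters, knows nothing about ` or ${.
function encodeQuotesOnly(input) {
  return input.replace(/[\\"']/g, (m) => '\\' + m);
}

// Three ways a server-side template might build the script. Each returns the
// JavaScript source text that would be sent to the browser.
const embed = {
  // var data = `<encoded>`;
  bareTemplate: (encoded) => 'var data = `' + encoded + '`;',
  // var data = `${"<encoded>"}`;  (the ${"..."} workaround from the thread)
  wrappedTemplate: (encoded) => 'var data = `${"' + encoded + '"}`;',
  // var input = "<encoded>"; var data = `Here's your input: ${ input }`;
  viaVariable: (encoded) =>
    'var input = "' + encoded + '";\n' +
    'var data = `Here\'s your input: ${ input }`;',
};

// Run the generated script with a spy alert() and report whether it fired and
// what `data` ended up holding. A parse or runtime error is reported as data.
function runScript(source) {
  let popped = false;
  const alert = () => { popped = true; };
  let data;
  try {
    data = new Function('alert', source + '\nreturn data;')(alert);
  } catch (e) {
    data = 'Error: ' + e.message;
  }
  return { popped, data };
}

// Constructed payloads: one closes the literal with a backtick, one uses a
// ${...} substitution, one breaks out of a double-quoted string.
const PAYLOADS = ['hell`;alert(1);`o', '${alert(1)}', '"+alert(1)+"'];

// Encode each payload, embed it, execute it; returns one {popped, data} per payload.
function evaluate(encoder, embedder) {
  return PAYLOADS.map((p) => runScript(embedder(encoder(p))));
}

// Stand-alone demo: print the outcome of every encoder/embedding combination.
for (const [encName, enc] of Object.entries({ encodeQuotesOnly, encodeRule3 })) {
  for (const [embName, emb] of Object.entries(embed)) {
    for (const [i, r] of evaluate(enc, emb).entries()) {
      console.log(`${encName} + ${embName} / payload ${i}: popped=${r.popped} data=${JSON.stringify(r.data)}`);
    }
  }
}
```

With the quotes-only encoder and a bare template literal, the backtick payload and the ${ payload both run alert(); with Rule #3 encoding, or with either of the two workarounds from the first comment, all three payloads come back as inert data equal to the original input. The wrapper and the variable approach are safe even with the quotes-only encoder because the untrusted text only ever sits inside a double-quoted string, which that encoder does handle.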