
Comments (8)

jeffi commented on May 31, 2024

The above use case would be better handled by using strings instead of template literals. But I assume this is just mentioned as a demonstration, and that there is a valid use case for embedding server side data in a template literal. An easy way to do it right now would be to embed the server-side string in the template literal by surrounding it with ${" and "} and escaping it. Hopefully this can provide a useful crutch for now:

<!DOCTYPE html>
<html>
  <body>
  <script>
  // var data = `${"<%=Encode.forJavaScript(input)%>"}`;
  var data = `${"hell`;alert(1);`o"}`;  // does not pop alert
  </script>
  </body>
</html>

My recommendation, however, would be to instead escape the content to a JavaScript variable, and then use a template literal that references the variable, e.g.:

    var input = "<$= Encode.forJavaScript(input) $>";
    var data = `Here's your input: ${ input }, hope it's not XSS!`;

from owasp-java-encoder.

veita commented on May 31, 2024

I think RULE #3 of the original OWASP XSS Prevention Cheat Sheet

Except for alphanumeric characters, escape all characters less than 256 with the \xHH format [...]

would handle this case correctly.

from owasp-java-encoder.

veita commented on May 31, 2024

Template literals are in the JavaScript standard since ECMAScript 2015 Language Specification 6th Edition, June 2015. See the link I've posted in my first comment above.

from owasp-java-encoder.

jmanico commented on May 31, 2024

from owasp-java-encoder.

veita commented on May 31, 2024

Jim, thank you very much.
-Alex

from owasp-java-encoder.

jmanico commented on May 31, 2024

After talking with @jeffi we decided to politely close this out and not add a new encoding method. I'll update the wiki to address this issue per Jeff's comments.

from owasp-java-encoder.

jmanico commented on May 31, 2024

Wiki text added https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Encoding_and_Template_Literals

from owasp-java-encoder.

veita commented on May 31, 2024

Would there really be the need to create a new encoding method?

From my naive point of view template literals are just a third kind of string literals delimited by backticks instead of single or double quotes.

So my guess is that it would suffice to let the existing Encode.forJavaScript output \x60 for any occurrence of the backtick.

from owasp-java-encoder.
