ESAPI.encoder().canonicalize(query) is not working properly

I have a input tag like this

<input class="textBox" type="text" value="<%=ESAPI.encoder().canonicalize(query) %>" autocomplete="off" />

I tried using the ESAPI canonicalize function for query like "><script>alert(1);</script> But it doesnt work and i get alert in my browser. Am i doing it right?

Solution

You are using the wrong encoding for the context. You are in regular attribute context, so you should use encodeForHTMLAttribute.

Btw, for Java there is a templating language that has context-sensitive autoescaping https://code.google.com/p/hapax2/ so you don't have to

Manually determine what context you are in
Choose the correct encoding manually for that context
Write the code to escape manually, which in this case is a mouthful and makes the template harder to read

Which is error-prone and comparable to escaping SQL manually except much harder.

UTF8 MySQL problems on Rails - encoding issues with utf8_general_ci
How can I transfer text in Ukrainian to microdata?
Python - Decode UTF-16 file with BOM
Issues printing emojis and symbols on Windows Terminal using Java
What is the format or encoding of a file with data like this?
What is the encoding used by `String.fromCharCode`?
How to convert a file to utf-8 in Python?
How do you troubleshoot character encoding problems?
How to convert \uXXXX unicode to UTF-8 using console tools in *nix
Encoding all the special characters in Javascript
Encoding/Decoding Emojis in JS/TS
FITS file is not getting encoded properly
How can I detect a malformed UTF-8 string in PHP?
Send-MailMessage in Scheduled Task has wrong encoding
How to achieve Base64 URL safe encoding in C#?
How can I configure encoding in Maven?
Listings in Latex with UTF-8 (or at least german umlauts)
How to get the value of a key which contains unicode code point in a JSON?
Android Studio SDK path contains accents
Remove BOM from UTF 8 using cmd
Using PowerShell to write a file in UTF-8 without the BOM
Any caveats when searching for a UTF-8 code point in a string?
koi8-r text is shown incorrectly
Convert Unicode char to closest (most similar) char in ASCII
Is there an easy way to represent the base64 alphabet in a Python list?
How many bytes does one Unicode character take?
How to setup Visual Studio Code to detect and set the correct encoding on file open
What character encoding is c3 82 c2 bf?
Removing non Printable values aftert Encoding.ASCII.GetString()
Does OS chooses the encoding for keyboard inputs and decoding for screen output?