
Cross-Site Scripting: encodeForHTML for HTML content (The OWASP Enterprise Security API)


I have an HTML select tag in my JSP

    <%@ taglib prefix="esapi"   uri="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API"%>

    <select>
       ...
      <option value="volvo">${device.name}</option>
      ....
    </select>

I set this as the device name in the DB

"><script>alert(1)</script>2d65

I've tried to get rid of the alert when I load the page using

<esapi:encodeForHTMLAttribute>${device.name}</esapi:encodeForHTMLAttribute>

or

<esapi:encodeForHTML>${device.name}</esapi:encodeForHTML>

or

<c:out value="${device.name}"/>

or

<esapi:encodeForJavaScript>${device.name}</esapi:encodeForJavaScript>

But there is no way! The alert message always appears when loading the page!

In fact, I see that the characters are escaped, but even so an alert appears in the JSP.



Solution

  • Try without the taglib:

     <%@ page import="org.owasp.esapi.*" %>
    
     ...
     <select>
       ...
       <%-- device must be a Java variable in scriptlet scope here; device.name is EL syntax, so call the getter --%>
       <option value="volvo"><%out.print(ESAPI.encoder().encodeForHTML(device.getName()));%></option>
       ....
     </select>
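To show what HTML output encoding does to the device name from the question, here is an added stand-alone Python example (not ESAPI or JSP code from the page): `encode_for_html` stands in for ESAPI's `encodeForHTML`, and an HTML tokenizer counts the `<script>` start tags a browser would see in the unencoded versus encoded `<option>` markup.

```python
import html
from html.parser import HTMLParser

# Constructed input: the device name from the question, as stored in the DB.
PAYLOAD = '"><script>alert(1)</script>2d65'


def encode_for_html(value: str) -> str:
    """Encode for HTML element content (the text between <option> and </option>).
    Stand-in for ESAPI encodeForHTML: & < > " ' become entities, so the payload's
    "> and <script> are rendered as text instead of being parsed as markup."""
    return html.escape(value, quote=True)


def render_option_unsafe(device_name: str) -> str:
    """What the original JSP line does: interpolate ${device.name} unencoded."""
    return f'<option value="volvo">{device_name}</option>'


def render_option(device_name: str) -> str:
    """The encoded equivalent of the accepted fix."""
    return f'<option value="volvo">{encode_for_html(device_name)}</option>'


class ScriptTagCounter(HTMLParser):
    """Counts <script> start tags the way an HTML tokenizer sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.script_tags += 1


def script_tag_count(fragment: str) -> int:
    """Number of script elements a browser would create from this fragment."""
    parser = ScriptTagCounter()
    parser.feed(fragment)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    for label, markup in (("unsafe", render_option_unsafe(PAYLOAD)),
                          ("encoded", render_option(PAYLOAD))):
        print(f"{label}: script tags={script_tag_count(markup)}  {markup}")
```

If the encoded markup still fires an alert in the real page, the same value is reaching the browser through another sink, so check every place the device name is written, not just this option.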