I am using the OWASP ESAPI encodeForHTMLAttribute however symbols are displaying as their html entity number instead of symbol
I am just learning about the OWASP ESAPI for XSS prevention and I am using the Javascipt version within my app
According to Rule #2 in the XSS prevention cheat sheet you should "Attribute Escape" before inserting untrusted data into attribute values like "width, name or value" and I am working on this at the moment.
However when using encodeForHTMLAttribute() before inserting an email address as a value of an input field in a contact form, the @ symbol is displaying as it's corresponding html entity #&x40; as you can see in this screenshot image:
Am I missing something?
I have made sure the charset of the document is set to utf-8 as follows:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
I have also added in the accept-charset="UTF-8" Attribute to the form in question.
HTML form:
<form id="contact_form" name="contact_form" method="post" action="" accept-charset="UTF-8">
<div class="form_divider">
<label for="contact_form_email"><span class="asterisk">*</span>E-mail</label>
<input id="contact_form_email" tabindex="1" name="contact_form_email" type="email" data-role="none" maxlength="254" placeholder="E-mail" required/>
</div><!--/form_divider-->
</form>
Data flow of my app:
Within my app, an ajax request is performed to submit the login details and after successful authentication, I retrieve their details from the database and send back to the client side in json format. I then insert these details to the html where applicable
Javascript:
$.ajax({
url: app_root_url + 'login_registration/user_processing.php',
data: JSON.stringify(params),
type: "POST",
dataType: "json",
contentType: "application/json;charset=utf-8",
success: function(data){
//data will be the user details such as userID, display name, email
var result = data;
prepareAppAfterLogin(result);
}
});//end ajax
function prepareAppAfterLogin(result){
var userDetails = result.userDetails;
generateUserProfilePage(userDetails);
}
function generateUserProfilePage(userDetails){
var userID = userDetails.userID;
var display_name = userDetails.display_name;
var email_address = userDetails.email_address;
var profile_image = userDetails.profile_image;
$("#profile_pic").attr('src', profile_image);
var safe_email_address_for_html = $ESAPI.encoder().encodeForHTML(email_address);
$("#profile_email_address").html(safe_email_address_for_html);
var safe_email_for_attribute = $ESAPI.encoder().encodeForHTMLAttribute(email_address);
$("#hidden_input_for_email").val(safe_email_for_attribute);
$("#contact_form_email").val(safe_email_for_attribute);
}
Edit: I have just found documentation that supports what @Cheran Shunmugavel said in his comment below: Rule #2 here: https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet "It is important to note that when setting an HTML attribute which does not execute code, the value is set directly within the object attribute of the HTML element so there is no concerns with injecting up."... "The appropriate encoding to use would be only JavaScript encoding to disallow an attacker from closing out the single quotes and in-lining code, or escaping to HTML and opening a new script tag."
following this rule I have just tried to encode the email address for Javascript instead of encoding for html attribute as follows:
function generateUserProfilePage(userDetails){
var safe_email_address = $ESAPI.encoder().encodeForJavaScript(userDetails.email_address);
$("#contact_form_email").val(safe_email_address);
}
However it seems doing this also creates display problems:
Can you confirm do I need to javascript encode here? thanks
The encodeForHTML and encodeForHTMLAttribute functions are not necessary if you are using the jQuery val method to insert the data in the document. I can't find anything in the official documentation, but there is a good explanation on this StackOverflow question: Do jQuery's val() and prop() methods html-escape values?. The important takeaway is that val sets the DOM value property internally, and that property will never attempt to interpret text as HTML markup, so escaping is not necessary.
- Convert 64 bit Steam ID to 32 bit account ID
- Error: Absolute route path "/" nested under path "/app" is not valid
- How to search all JavaScript sources in Chrome Developer Tools?
- How to send a property from an array of object from a child component to the parent component?
- Toggle grid on draggable
- Supabase and Google Apps Script
- create a web app that sends a standard text message to a user submitted phone number
- Puppeteer , bringing back blank array
- fabric.js limit rotation to x degrees with rotation handle
- How do I recognize swipe events in React?
- How does jQuery make it so that its array-like collection objects are displayed like arrays in the browser console?
- Running a similar App Scripts code on Multiple Sheets
- Creating object with dynamic keys
- Sequentially Numbering Footnotes with React
- Shortens the data back to 5 characters if you put more that 5 in
- Reference to "this" is null in function called by redux-saga call
- Automatically Delete Files from Google Drive Older than 3 Days
- Html and css to add colorful codes
- Filter/Remove array object based on value, from nested JSON array object in JavaScript
- Argument of type 'string' is not assignable to parameter of type 'Auth'
- Algorithm to convert semi-transparent to solid color
- Format JavaScript date as yyyy-mm-dd
- How can I add an event for a one time click to a function?
- how can I disable everything inside a form using javascript/jquery?
- How to change screen and setState at the same time on first click in React Native
- Is there a way to tell if ReactElement renders "null"?
- Trigger Firebase Cloud Function on linkWithCredential()
- Event triggered when changing a user Firebase Authentication
- fabric.js-adding an event handler to an object doesn't work
- browser sessionStorage. share between tabs?