I've a question regarding the OWASP ESAPI interface for XSS protection. To keep it simple, short and straight: I'm doing a source code review using Fortify. The application implements ESAPI and makes a call to ESAPI.encoder().canonicalize(user input), does not do any further validation, and prints the output. Is this still vulnerable to XSS? PS: The reflection point is inside an HTML element. I've gone through all the posts regarding the ESAPI interface on Stack Overflow, but couldn't quite get it. Any help would be appreciated.
canonicalize alone doesn't prevent XSS at all. It decodes data, but you want the opposite: to encode the data.

Not only does it allow content like <script>alert(1)</script> straight through, but it also decodes &lt;script&gt;alert(1)&lt;/script&gt; from a non-executable script to an executable one.

The method you want instead is encodeForHTML. This will encode the data so it can be inserted safely into an HTML context, so < will become &lt; and so on.

Also, check if you're already doing HTML encoding by checking whether these characters are accepted. Some templating languages and tags do encoding automatically.
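To make the difference between the two calls concrete, here is an added, self-contained Python model of the two pipelines the answer contrasts. It is not ESAPI and not code from the question; canonicalize() and encode_for_html() are simplified stand-ins for ESAPI's canonicalize and encodeForHTML (ESAPI's real encoder escapes far more characters), and the three input strings are constructed samples of what might arrive at a reflection point inside an HTML element. The last helper models the answer's closing advice: how to spot that a template is already encoding on output, so that encoding a second time would show up as double-encoded text.

```python
import html
from urllib.parse import unquote

# Constructed sample inputs: the same payload in raw, entity-encoded and
# percent-then-entity (double) encoded form.
SAMPLES = {
    "plain": "<script>alert(1)</script>",
    "entity_encoded": "&lt;script&gt;alert(1)&lt;/script&gt;",
    "double_encoded": "%26lt%3Bscript%26gt%3Balert(1)%26lt%3B/script%26gt%3B",
}


def canonicalize(value: str, max_rounds: int = 10) -> str:
    """Simplified model of ESAPI canonicalize(): strip HTML-entity and
    percent encoding layer by layer until the value stops changing.
    This is a decoder, so it only ever moves data closer to its raw form."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def encode_for_html(value: str) -> str:
    """Simplified model of encodeForHTML(): escape the characters that can
    break out of HTML element content (& < > " ')."""
    return html.escape(value, quote=True)


def canonicalize_only(value: str) -> str:
    """What the reviewed application does: decode, then print as-is."""
    return canonicalize(value)


def canonicalize_then_encode(value: str) -> str:
    """What the answer recommends: decode to a single representation,
    then encode for the HTML context it is written into."""
    return encode_for_html(canonicalize(value))


def is_executable_in_element_content(rendered: str) -> bool:
    """A literal <script start tag landing in element content is parsed as
    markup; an encoded &lt;script&gt; is rendered as visible text."""
    return "<script" in rendered.lower()


def looks_double_encoded(rendered: str) -> bool:
    """Tell-tale sign that the template already encodes on output and the
    application encoded too: the page shows &amp;lt; instead of <."""
    return "&amp;lt;" in rendered or "&amp;gt;" in rendered


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        decoded = canonicalize_only(value)
        safe = canonicalize_then_encode(value)
        print(f"{name:15} canonicalize only -> {decoded!r} "
              f"executable={is_executable_in_element_content(decoded)}")
        print(f"{'':15} then encodeForHTML -> {safe!r} "
              f"executable={is_executable_in_element_content(safe)}")
```

Running it shows the point the answer makes: every sample, including the harmless-looking entity-encoded one, comes out of canonicalize_only() as a live script tag, while canonicalize_then_encode() yields inert text for all three. If the real page shows &amp;lt; where a < was expected, the template layer is already encoding and the application should not encode a second time.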