Comments (2)
Hi,
I found one issue with the decodeForHTML function. I tried the steps below:

```
org.owasp.esapi.ESAPI.initialize();
$ESAPI.encoder().encodeForHTML("<script>alert('123');</script>");
"<script>alert('123');</script>"
$ESAPI.encoder().decodeForHTML("<script>alert('123');</script>");
"<script>alert4039123394159<47script>"
```
Issue: decodeForHTML is not giving me the actual data which I had encoded.

Solution: In org.owasp.esapi.codecs.HTMLEntityCodec, the functions parseNumber and parseHex return the number directly (`return parseInt(out);`). They should return the char code (`return String.fromCharCode(parseInt(out));`).

Below are the functions I have modified:
```javascript
var parseNumber = function(input) {
    var out = '';
    // Collect decimal digits up to the optional terminating ';'
    while (input.hasNext()) {
        var c = input.peek();
        if (c.match(/[0-9]/)) {
            out += c;
            input.next();
        } else if (c == ';') {
            input.next();
            break;
        } else {
            break;
        }
    }
    // Commented to fix esapi bug
    // return parseInt(out);
    var code = parseInt(out, 10);
    if (isNaN(code)) {
        // No digits collected: fromCharCode(NaN) would yield a NUL character
        return null;
    }
    // Return the decoded character, not its numeric code
    return String.fromCharCode(code);
};

var parseHex = function(input) {
    var out = '';
    // Collect hex digits up to the optional terminating ';'
    while (input.hasNext()) {
        var c = input.peek();
        if (c.match(/[0-9A-Fa-f]/)) {
            out += c;
            input.next();
        } else if (c == ';') {
            input.next();
            break;
        } else {
            break;
        }
    }
    // Commented to fix esapi bug
    // return parseInt(out, 16);
    var code = parseInt(out, 16);
    if (isNaN(code)) {
        // No digits collected: fromCharCode(NaN) would yield a NUL character
        return null;
    }
    // Return the decoded character, not its numeric code
    return String.fromCharCode(code);
};
```
I have fixed this issue in esapi.js and am using it for my project.

Thanks,
Bikesh Kumar
Original comment by [email protected] on 19 Mar 2013 at 8:22
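A self-contained model of the entity decode path, added here as an example (not code from owasp-esapi-js or from the commenter): the `buggy` switch reproduces the numeric-entity behaviour reported above, and `roundTrips` checks the property decode(encode(x)) === x that the report says fails. The simplified encoder and the `NAMED` tables are assumptions, not the ESAPI codec's actual tables.

```javascript
// Added example, not code from owasp-esapi-js: a minimal HTML entity codec
// whose numeric-entity path can be switched to the buggy behaviour described
// in the comment above (returning the code as a number, not a character).

// Assumed, simplified entity tables; the real ESAPI codec has larger ones.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"' };
const NAMED_REV = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;' };

// Simplified encoder: alphanumerics and spaces pass through, a few characters
// get named entities, everything else becomes a hex entity.
function encodeForHTML(s) {
  return Array.from(s).map(ch => {
    if (/[A-Za-z0-9 ]/.test(ch)) return ch;
    if (NAMED_REV[ch] !== undefined) return NAMED_REV[ch];
    return '&#x' + ch.codePointAt(0).toString(16) + ';';
  }).join('');
}

// Turn the digits of a numeric entity into a character. The `buggy` flag
// reproduces the original parseNumber/parseHex behaviour: the parsed number
// is returned as-is, so "&#x28;" decodes to "40" instead of "(".
function parseNumeric(digits, radix, buggy) {
  const code = parseInt(digits, radix);
  // Guard against NaN (no digits) and out-of-range code points; either would
  // otherwise produce a NUL character or throw in fromCodePoint.
  if (Number.isNaN(code) || code > 0x10ffff) return null;
  return buggy ? String(code) : String.fromCodePoint(code);
}

// Decode named, decimal and hex entities; the trailing ';' is optional, as in
// the lenient parsers shown in the comment. Unknown entities are left as-is.
function decodeForHTML(s, buggy = false) {
  return s.replace(/&(?:#x([0-9A-Fa-f]+)|#([0-9]+)|([A-Za-z]+));?/g,
    (m, hex, dec, name) => {
      let out;
      if (hex !== undefined) out = parseNumeric(hex, 16, buggy);
      else if (dec !== undefined) out = parseNumeric(dec, 10, buggy);
      else out = NAMED[name] !== undefined ? NAMED[name] : null;
      return out === null ? m : out;
    });
}

// The property a codec must satisfy: decode(encode(x)) === x.
function roundTrips(s) {
  return decodeForHTML(encodeForHTML(s)) === s;
}

const sample = "<script>alert('123');</script>";     // constructed input
console.log(decodeForHTML(encodeForHTML(sample), true)); // buggy path
console.log(roundTrips(sample));                         // fixed path
```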
I think all we did was change, in HTMLEntityCodec.js,

```javascript
return String.fromCharCode(entityToCharacterMap.getCaseInsensitive('&' + entity));
```

to

```javascript
return String.fromCharCode(entityToCharacterMap['&' + entity]);
```
Original comment by [email protected] on 19 Mar 2013 at 10:58