Brian McGinity - 4 months ago 17
Javascript Question

Which XSS OWASP Rule

Using the OWASP checklist, which is the correct way to protect against this situation? This is a URL inside of a JavaScript string where a URL parameter needs to have XSS protection.

Problem:

<script>
var u = 'xyz.html?x=<% url.baddata %>'
dosomeAjax(u);
</script>


Possible solution 1:

var u = 'xyz.html?x=<% encodeForURL(url.baddata) %>'


Possible solution 2:

var u = 'xyz.html?x=<% encodeForJavaScript(url.baddata) %>'


Possible solution 3:

var u = 'xyz.html?x=<% encodeForJavaScript(encodeForURL(url.baddata)) %>'

Answer

Solution 3 should be used:

//solution 3:
var u = 'xyz.html?x=<% encodeForJavaScript(encodeForURL(url.baddata)) %>';

It is easier to see that this is correct if we rewrite the expression as:

var u = '<% encodeForJavaScript("xyz.html?x=" + encodeForURL(url.baddata)) %>';

First, we are creating a safe URL by appending baddata to a string constant, using the appropriate escape function. Then we are taking that safe URL and placing it in a JavaScript string, so we have to call the JavaScript escape function.
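The following is an added example, not code from the question or the answer above. It uses simplified stand-in implementations of the two OWASP encoders (the names encodeForURL and encodeForJavaScript follow the OWASP Java Encoder API, but these bodies are assumptions, not the library itself) plus a render() that emulates the server-side <% %> expansion. It then exercises all three candidate solutions against two constructed inputs: one containing a quote character, which encodeForURL leaves untouched, and one containing & and =, which encodeForJavaScript leaves intact inside the URL. check() reports whether the JavaScript string literal survived and whether the x parameter comes back exactly as it went in.

```javascript
// Added example (not from the question or the answer): simplified stand-ins for
// the OWASP encoders and a render() that mimics the template expansion <% ... %>.
// encodeForURL / encodeForJavaScript are named after the OWASP Java Encoder API;
// the implementations below are assumptions for illustration, not the library.

// URL-parameter encoder: percent-encode everything outside the unreserved set.
// Note that encodeURIComponent leaves ' ( ) ! * and - unencoded.
function encodeForURL(s) {
  return encodeURIComponent(String(s));
}

// JavaScript-string encoder in the OWASP style: every non-alphanumeric character
// becomes \xHH or \uHHHH, so nothing can terminate the enclosing string literal
// or the enclosing <script> block ("</script>" becomes \x3c\x2fscript\x3e).
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// The three candidate template expressions from the question, as functions of
// the untrusted value url.baddata.
const solutions = {
  1: (bad) => encodeForURL(bad),
  2: (bad) => encodeForJavaScript(bad),
  3: (bad) => encodeForJavaScript(encodeForURL(bad)),
};

// Emulate the server-side template: produce the JavaScript source text that the
// browser would receive inside <script>.
function render(solution, bad) {
  return "var u = 'xyz.html?x=" + solutions[solution](bad) + "';";
}

// Evaluate the rendered line the way the browser would and return the value of u.
// If the untrusted data broke out of the string literal, u is no longer a string.
// (The constructed inputs below are side-effect free; this is only a demonstration.)
function evaluateRendered(jsSource) {
  return new Function(jsSource + ' return u;')();
}

// Pull the x parameter back out of the URL the script built, plus the list of
// all parameter names, to detect parameter injection via an unencoded '&'.
function parseQuery(u) {
  if (typeof u !== 'string') return { x: null, params: [] };
  const params = new URL(u, 'https://example.invalid/').searchParams;
  return { x: params.get('x'), params: [...params.keys()] };
}

// Summarise how one solution behaves for one untrusted value.
function check(solution, bad) {
  const u = evaluateRendered(render(solution, bad));
  const q = parseQuery(u);
  return {
    stringIntact: typeof u === 'string', // did the data stay inside the JS literal?
    roundTrips: q.x === bad,             // does x come back exactly as entered?
    params: q.params,                    // which query parameters ended up in u?
  };
}

// Constructed sample inputs: a quote that closes the JS string if only
// URL-encoded, and '&'/'=' that inject a parameter if only JS-encoded.
const samples = ["'-1-'", 'a b&c=d'];
for (const bad of samples) {
  for (const s of [1, 2, 3]) {
    console.log(`solution ${s}, input ${JSON.stringify(bad)}:`, check(s, bad));
  }
}
```

Running it shows the two failure modes the answer alludes to: solution 1 lets the quote close the string literal (u is no longer a string), solution 2 keeps the literal intact but lets & start a second query parameter, and only solution 3 both keeps the literal intact and returns x unchanged for every input. It also shows why the nesting order matters: the URL encoding is applied first so that the data is correct for the URL context, and the JavaScript encoding is applied last so that the whole value is correct for the context it is actually written into.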