Brian McGinity - 6 months ago 46
Javascript Question

Which XSS OWASP Rule

Using the OWASP checklist, which is the correct way to protect this situation? This is a URL inside of a JavaScript string, where a URL parameter needs to have XSS protection.


var u = 'xyz.html?x=<% url.baddata %>'

Possible solution 1:

var u = 'xyz.html?x=<% encodeForURL(url.baddata) %>'

Possible solution 2:

var u = 'xyz.html?x=<% encodeForJavaScript(url.baddata) %>'

Possible solution 3:

var u = 'xyz.html?x=<% encodeForJavaScript(encodeForURL(url.baddata)) %>'


Solution 3 should be used:

//solution 3:
var u = 'xyz.html?x=<% encodeForJavaScript(encodeForURL(url.baddata)) %>';

It is easier to see that this is correct if we rewrite the expression as:

var u = '<% encodeForJavaScript("xyz.html?x=" + encodeForURL(url.baddata)) %>';

First, we are creating a safe URL by appending baddata to a string constant, using the appropriate escape function. Then we are taking that safe URL and placing it in a JavaScript string, so we have to call the JavaScript escape function.
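The layering the answer describes, worked through as an added example (this is not code from the question or the answer): the two encoders below are simplified stand-ins for the OWASP ESAPI `encodeForURL` and `encodeForJavaScript`, and their exact behaviour is an assumption, not ESAPI's implementation. The round-trip helpers play the browser's JavaScript parser and the URL parser, which undo the two layers in the reverse order they were applied; rendering the template with the encoders swapped shows why the order in solution 3 is the right one.

```javascript
// Added example, not from the question or the answer. encodeForURL and
// encodeForJavaScript are assumed, simplified stand-ins for the OWASP ESAPI
// encoders of the same name: each encodes every character outside
// [A-Za-z0-9] in the form its context requires.

// URL-query-value context: percent-encode every UTF-8 byte that is not
// an ASCII alphanumeric.
function encodeForURL(s) {
  return Array.from(new TextEncoder().encode(s), b =>
    (b >= 0x30 && b <= 0x39) || (b >= 0x41 && b <= 0x5a) || (b >= 0x61 && b <= 0x7a)
      ? String.fromCharCode(b)
      : '%' + b.toString(16).toUpperCase().padStart(2, '0')
  ).join('');
}

// JavaScript-string-literal context: \xHH or \uHHHH for every UTF-16 code
// unit that is not an ASCII alphanumeric.
function encodeForJavaScript(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const cu = c.charCodeAt(0);
    return cu < 0x100
      ? '\\x' + cu.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + cu.toString(16).toUpperCase().padStart(4, '0');
  });
}

// The template from solution 3, rendered on the server side.
function renderSolution3(baddata) {
  return "var u = 'xyz.html?x=" + encodeForJavaScript(encodeForURL(baddata)) + "';";
}

// The same template with the two encoders applied in the wrong order.
function renderWrongOrder(baddata) {
  return "var u = 'xyz.html?x=" + encodeForURL(encodeForJavaScript(baddata)) + "';";
}

// Layer 1, undone first: the browser's JS parser reads the single-quoted
// literal. Only \xHH and \uHHHH escapes are handled, which is all the
// encoder above emits; a raw quote or backslash is reported as an error.
function parseJsStringLiteral(script) {
  const m = /^var u = '((?:[^'\\]|\\x[0-9A-F]{2}|\\u[0-9A-F]{4})*)';$/.exec(script);
  if (!m) throw new Error('literal is not well formed: ' + script);
  return m[1].replace(/\\x([0-9A-F]{2})|\\u([0-9A-F]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Layer 2, undone second: the string value is used as a URL and the
// receiving endpoint percent-decodes the query parameter.
function queryParamX(u) {
  return new URL(u, 'https://example.invalid/').searchParams.get('x');
}

// What the endpoint finally sees as x for a given input and template.
function roundTrip(render, baddata) {
  return queryParamX(parseJsStringLiteral(render(baddata)));
}

// Constructed sample input containing characters that matter in both the
// JavaScript-string context and the URL-query context.
const SAMPLE = "a'b</c>&d=e f%g";

console.log(renderSolution3(SAMPLE));
console.log(roundTrip(renderSolution3, SAMPLE) === SAMPLE);   // true
console.log(roundTrip(renderWrongOrder, SAMPLE) === SAMPLE);  // false
```

With the encoders in the order of solution 3, the JavaScript parser strips the `\xHH` escapes and yields exactly the percent-encoded URL, and the endpoint's percent-decoding then yields the original value. With the order swapped, the outer URL encoding hides the `\xHH` sequences from the JavaScript parser, so the endpoint receives literal backslash sequences instead of the original data; the nesting of encoders has to mirror the nesting of contexts the data passes through.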