I couldn't sanitize the vector "<%<!--'%><script>alert(1);</script -->", using the methods available in "encoder-1.2.3.jar".

[ricardonostrum]

Hi Jim Manico!

I couldn't sanitize the vector "<%", using the methods available in "encoder-1.2.3.jar", I would like some help to be able to identify if using the "ESAPI" this would be solved or if a correction in the library would be necessary.

Thanks.

[kwwall]

The Java Encoder project doesn't do sanitization. It does output encoding. Same if you are using ESAPI's Encoder methods. If you want sanitization, use the OWASP HTML Sanitizer project or OWASP AntiSamy project or ESAPI's Validator.getValidSafeHTML <https://javadoc.io/static/org.owasp.esapi/esapi/2.5.2.0/org/owasp/esapi/Validator.html#getValidSafeHTML-java.lang.String-java.lang.String-int-boolean-org.owasp.esapi.ValidationErrorList-> methods. I'm sure Jim can provide additional guidance. But sanitization and encoding have different use cases and do not act the same.

…

-kevin

On Tue, Jun 6, 2023 at 1:54 PM ricardonostrum ***@***.***> wrote: Hi Jim Manico! I couldn't sanitize the vector "<%", using the methods available in "encoder-1.2.3.jar", I would like some help to be able to identify if using the "ESAPI" this would be solved or if a correction in the library would be necessary. Thanks. — Reply to this email directly, view it on GitHub <#68>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAO6PGY4YNQ4QU7Z6TDFUDTXJ5VFJANCNFSM6AAAAAAY4YIVR4> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- Blog: https://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall | OWASP ESAPI Project co-lead NSA: All your crypto bit are belong to us.

[ricardonostrum]

Hi kwwall.

So you're telling me that I can use "Validator.getValidSafeHTML" to treat the vector mentioned in the title, so that it is no longer interpretable by the browser and does not break the url?

[kwwall]

@ricardonostrum - I'm not saying that. I merely was trying to point out that you used the word 'sanitize' (implying HTML sanitization) and that's not what the Java Encoder Project does and not what ESAPI's Encoders do either.

However, I do think that we are missing a lot of context here. For starters, what Encode method were you using and what were your assumptions and your expectations? And what URL? I don't see a URL here. Other than preventing XSS with the tainted string you show in the title, I'm not even sure of what you are trying to accomplish because we are all completely missing any context.

Show us an example code snippet so we're all working off the same page. Maybe something a small JUnit test. But right now, we don't have enough information to provide much more guidance than I've already provided.

Finally, if you have not already done so, I would highly encourage you to read through the OWASP Cross-Site Scripting Prevention Cheat Sheet.