feat(xss-context): add example for context sensitive XSS encoding issues#115
Just looking at the file changes alone, I don't see any issues.

Cool, will go ahead and merge.
ckarande
left a comment
Minor suggestions about FIXME instructions
| doc.firstNameSafeString = ESAPI.encoder().encodeForHTML(doc.firstName) | ||
| // fix it by replacing the above with another template variable that is used for | ||
| // the context of a URL in a link header | ||
| // doc.firstNameSafeString = ESAPI.encoder().encodeForURL(urlInput) |
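Review bot: the commented-out fix line `// doc.firstNameSafeString = ESAPI.encoder().encodeForURL(urlInput)` names a variable, `urlInput`, that appears nowhere in the surrounding lines, while the live line encodes `doc.firstName`, so the FIXME cannot be applied verbatim. Spell out both the input and a distinct target, for example `// doc.firstNameSafeURLString = ESAPI.encoder().encodeForURL(doc.firstName)`, and keep the HTML-encoded `doc.firstNameSafeString` for the input element, so that each output context on the page gets its own encoded value rather than reusing one.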
It is explained in the comment lines above, but to be clear about the steps to fix, could line 26 use a different variable name, doc.firstNameSafeURLString, for example?
| </div> | ||
| <input type="hidden" name="_csrf" value="{{csrftoken}}" /> | ||
| <button type="submit" class="btn btn-default" name="submit">Submit</button> | ||
Can we add a comment showing the fix in the template to use the different variable that is escaped for the URL context?
@lirantal Thanks for this addition. It highlights the importance of context sensitive encoding. I liked your creativity to come up with a way to demonstrate it on the profile page. If you have a few minutes, can you also add a few lines explaining this issue in the Tutorial as well; otherwise it may go unnoticed by the users.

@ckarande yes of course, I'll open a follow-up PR with all the suggested improvements.
Adding a case where we use the same variable as a URL for a hyperlink. While the variable is encoded for HTML for the input element, it isn't suitable for the URL entry.
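An added example, not code from this PR, showing why the HTML-encoded variable cannot be reused in the hyperlink: `encodeForHTML` and `encodeForURL` below are stand-ins for `ESAPI.encoder().encodeForHTML()` / `encodeForURL()`, and the rendering helpers and the sample name are constructed for this demo.

```javascript
// Added example (not from this PR). The two encoders are stand-ins for
// ESAPI.encoder().encodeForHTML()/encodeForURL(); renderProfile, paramsFromHref
// and the sample firstName are constructed for the demonstration.

// HTML context: entity-encode the characters that can end an attribute or open a tag.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL query context: percent-encode everything outside the unreserved set.
function encodeForURL(s) {
  return encodeURIComponent(String(s));
}

// The two places the profile page emits the name: an input value and a link href.
function renderProfile(safeForHTML, safeForURL) {
  return `<input type="text" name="firstName" value="${safeForHTML}" />\n` +
         `<a href="/profile?name=${safeForURL}">${safeForHTML}</a>`;
}

// What a browser sends when the rendered link is followed: it decodes entities in
// the attribute first, then parses the URL, so an "&amp;" becomes a "&" separator.
function paramsFromHref(html) {
  const href = /href="([^"]*)"/.exec(html)[1];
  const decoded = href.replace(/&quot;/g, '"').replace(/&amp;/g, '&');
  return Object.fromEntries(new URL(decoded, 'https://app.example').searchParams);
}

const firstName = 'Bob&admin=true'; // constructed sample input

// The bug the FIXME describes: the HTML-encoded variable is reused in the URL context.
const buggy = renderProfile(encodeForHTML(firstName), encodeForHTML(firstName));
// The fix: a second variable encoded for the URL context feeds the href.
const fixed = renderProfile(encodeForHTML(firstName), encodeForURL(firstName));

console.log(paramsFromHref(buggy)); // { name: 'Bob', admin: 'true' }  (injected parameter)
console.log(paramsFromHref(fixed)); // { name: 'Bob&admin=true' }
```

The HTML entities keep the input element's attribute intact, but they say nothing about URL grammar, so the same string placed in the href lets the user value add a query parameter of its own.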