OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License
493 stars 111 forks source link

I couldn't sanitize the vector "<%<!--'%><script>alert(1);</script -->", using the methods available in "encoder-1.2.3.jar". #68

Closed ricardonostrum closed 3 months ago

ricardonostrum commented 1 year ago

Hi Jim Manico!

I couldn't sanitize the vector "<%", using the methods available in "encoder-1.2.3.jar", I would like some help to be able to identify if using the "ESAPI" this would be solved or if a correction in the library would be necessary.

Thanks.

kwwall commented 1 year ago

The Java Encoder project doesn't do sanitization. It does output encoding. Same if you are using ESAPI's Encoder methods. If you want sanitization, use the OWASP HTML Sanitizer project or OWASP AntiSamy project or ESAPI's Validator.getValidSafeHTML https://javadoc.io/static/org.owasp.esapi/esapi/2.5.2.0/org/owasp/esapi/Validator.html#getValidSafeHTML-java.lang.String-java.lang.String-int-boolean-org.owasp.esapi.ValidationErrorList- methods.

I'm sure Jim can provide additional guidance. But sanitization and encoding have different use cases and do not act the same.

-kevin

On Tue, Jun 6, 2023 at 1:54 PM ricardonostrum @.***> wrote:

Hi Jim Manico!

I couldn't sanitize the vector "<%", using the methods available in "encoder-1.2.3.jar", I would like some help to be able to identify if using the "ESAPI" this would be solved or if a correction in the library would be necessary.

Thanks.

— Reply to this email directly, view it on GitHub https://github.com/OWASP/owasp-java-encoder/issues/68, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAO6PGY4YNQ4QU7Z6TDFUDTXJ5VFJANCNFSM6AAAAAAY4YIVR4 . You are receiving this because you are subscribed to this thread.Message ID: @.***>

-- Blog: https://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall | OWASP ESAPI Project co-lead NSA: All your crypto bit are belong to us.

ricardonostrum commented 1 year ago

Hi kwwall.

So you're telling me that I can use "Validator.getValidSafeHTML" to treat the vector mentioned in the title, so that it is no longer interpretable by the browser and does not break the url?

kwwall commented 1 year ago

@ricardonostrum - I'm not saying that. I merely was trying to point out that you used the word 'sanitize' (implying HTML sanitization) and that's not what the Java Encoder Project does and not what ESAPI's Encoders do either.

However, I do think that we are missing a lot of context here. For starters, what Encode method were you using and what were your assumptions and your expectations? And what URL? I don't see a URL here. Other than preventing XSS with the tainted string you show in the title, I'm not even sure of what you are trying to accomplish because we are all completely missing any context.

Show us an example code snippet so we're all working off the same page. Maybe something a small JUnit test. But right now, we don't have enough information to provide much more guidance than I've already provided.

Finally, if you have not already done so, I would highly encourage you to read through the OWASP Cross-Site Scripting Prevention Cheat Sheet.

jeremylong commented 3 months ago

@ricardonostrum sorry for the extremely late reply to this. As Kevin indicated, this is not a sanitization library - rather an encoding library. To make the given output safe for display in HTML you would need to use the appropriate forHtml, forjavaScript, etc. function in order to encode the tainted data.