What steps will reproduce the problem?
1. Initialize org.owasp.esapi.ESAPI.initialize();
2. see the out put of
$ESAPI.encoder().encodeForHTML("<script>alert('123');</script>");
output:-
"<script>alert('123');</script>"
3. See the out of decodeForHTML
$ESAPI.encoder().decodeForHTML("<script>alert('123')&#
x3b;</script>");
output:- "<script>alert4039123394159<47script>"
What is the expected output? What do you see instead?
Actual output:- "<script>alert4039123394159<47script>"
Expected :- "<script>alert('123');</script>"
What version of the product are you using? On what operating system?
Version:- esapi4js-0.1.3
OS:- Mac
Please provide any additional information below.
I have fix this issue,
Solution:- In org.owasp.esapi.codecs.HTMLEntityCodec, the function parseNumber
and parseHex returning number directly(return parseInt(out);). it should return
char code(return String.fromCharCode(parseInt(out));).
Below are the function i have modified (see //Commented to fix esapi bug)
var parseNumber = function(input) {
var out = '';
while (input.hasNext()) {
var c = input.peek();
if (c.match(/[0-9]/)) {
out += c;
input.next();
} else if (c == ';') {
input.next();
break;
} else {
break;
}
}
try {
return String.fromCharCode(parseInt(out));
//Commented to fix esapi bug
//return parseInt(out);
} catch (e) {
return null;
}
};
var parseHex = function(input) {
var out = '';
while (input.hasNext()) {
var c = input.peek();
if (c.match(/[0-9A-Fa-f]/)) {
out += c;
input.next();
} else if (c == ';') {
input.next();
break;
} else {
break;
}
}
try {
return String.fromCharCode(parseInt(out, 16));
//Commented to fix esapi bug
//return parseInt(out, 16);
} catch (e) {
return null;
}
};
I have fixed this issue in esapi.js and using it for my project.
Thanks
Bikesh Kumar
Original issue reported on code.google.com by bikesh....@gmail.com on 19 Mar 2013 at 9:35
Original issue reported on code.google.com by
bikesh....@gmail.comon 19 Mar 2013 at 9:35