This repository was archived by the owner on Apr 6, 2021. It is now read-only.

esapi.js encodeForHTML then decodeForHTML does not give the original input for ( ) ; / #20

@gsmetcalf

Hi All,

I must be doing something wrong? I am using esapi.js to encode and then decode a string containing a piece of script that could be used in a primitive XSS attack, e.g.

Code Snippet:

```javascript
// Encode for HTML, then decode the encoded form again and keep the result
name = $ESAPI.encoder().encodeForHTML( name );
var decoded = $ESAPI.encoder().decodeForHTML( name );
```

Input: Message <script>alert("JS XSS ARRRHHH")</script> 1
Encoded: Message &lt;script&gt;alert("JS XSS ARRRHHH")&lt;/script&gt; 1
Decoded: Message <script>alert40"JS XSS ARRRHHH"41<47script> 1

Any ideas - this seems very basic to be broken, so I'm assuming user error?

Thanks in advance,

Gareth
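The round trip the report above exercises, written out as an added example that is not esapi.js code and not part of the original issue: a minimal ESAPI-style HTML entity encoder and decoder, a second decoder constructed only to reproduce the symptom reported (numeric references coming back as their decimal code point instead of the character), and a per-character round-trip check that pinpoints which input characters do not survive decode(encode(x)). Every name in it (encodeForHTML, decodeForHTML, decodeForHTMLBroken, roundTripDiff, IMMUNE, ENTITY) is the example's own, and the immune set is an assumption modelled on the one Java ESAPI uses for HTML context.

```javascript
// Added example, not esapi.js code. Minimal HTML entity codec plus a
// round-trip checker of the kind the report above needed.

// Named references for the characters that matter most in HTML text context.
const NAMED_FOR_CHAR = new Map([['&', 'amp'], ['<', 'lt'], ['>', 'gt'], ['"', 'quot']]);
const CHAR_FOR_NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);
// Assumption: characters the encoder passes through untouched (letters, digits
// and this small immune set); everything else becomes a reference.
const IMMUNE = new Set([',', '.', '-', '_', ' ']);

function encodeForHTML(input) {
  let out = '';
  for (const ch of String(input)) {              // iterates code points, not UTF-16 units
    if (/^[A-Za-z0-9]$/.test(ch) || IMMUNE.has(ch)) out += ch;
    else if (NAMED_FOR_CHAR.has(ch)) out += '&' + NAMED_FOR_CHAR.get(ch) + ';';
    else out += '&#x' + ch.codePointAt(0).toString(16) + ';';   // e.g. "(" -> &#x28;
  }
  return out;
}

// One reference: &name;  &#123;  &#x7B;  (decimal and hex numeric forms).
const ENTITY = /&(?:#[xX]([0-9a-fA-F]+)|#([0-9]+)|([A-Za-z][A-Za-z0-9]*));/g;

// Turn a numeric reference into its character; out-of-range values are left
// as the literal reference rather than thrown on.
function codePointOrRef(cp, ref) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : ref;
}

function decodeForHTML(input) {
  return String(input).replace(ENTITY, (ref, hex, dec, name) => {
    if (hex !== undefined) return codePointOrRef(parseInt(hex, 16), ref);
    if (dec !== undefined) return codePointOrRef(parseInt(dec, 10), ref);
    return CHAR_FOR_NAMED.has(name) ? CHAR_FOR_NAMED.get(name) : ref; // unknown name: keep as-is
  });
}

// Constructed to reproduce the symptom in the report (code point emitted as
// decimal digits instead of the character). Not the library's code.
function decodeForHTMLBroken(input) {
  return String(input).replace(ENTITY, (ref, hex, dec, name) => {
    if (hex !== undefined) return String(parseInt(hex, 16));   // "&#x28;" -> "40"
    if (dec !== undefined) return String(parseInt(dec, 10));
    return CHAR_FOR_NAMED.has(name) ? CHAR_FOR_NAMED.get(name) : ref;
  });
}

// Round-trip check: returns the characters of `input` for which
// decode(encode(ch)) !== ch, with what they encoded and decoded to.
// An empty array means the pair is an inverse on this input.
function roundTripDiff(input, encode, decode) {
  const bad = [];
  for (const ch of String(input)) {
    const encoded = encode(ch);
    const decoded = decode(encoded);
    if (decoded !== ch) bad.push({ ch, encoded, decoded });
  }
  return bad;
}

// The input from the report above.
const SAMPLE = 'Message <script>alert("JS XSS ARRRHHH")</script> 1';

console.log(encodeForHTML(SAMPLE));
console.log(roundTripDiff(SAMPLE, encodeForHTML, decodeForHTML));           // []
console.log(roundTripDiff(SAMPLE, encodeForHTML, decodeForHTMLBroken)
  .map((b) => `${b.ch} -> ${b.encoded} -> ${b.decoded}`));                  // "(", ")", "/"
```

To run the same check against the library itself, pass wrappers around the real calls, e.g. `roundTripDiff(input, (s) => $ESAPI.encoder().encodeForHTML(s), (s) => $ESAPI.encoder().decodeForHTML(s))`, and feed it a string that contains at least one character from each class (named reference, decimal reference, hex reference, and something outside ASCII). Note that the encoded string in the report is still safe to render: the output side is not what is broken. A decoder that is not the inverse of the encoder matters where decoding is used to canonicalize input before validation, because the validator then sees different text from what the browser will.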
