Comments on: The OWASP Top Ten and ESAPI – Part 2 – Cross Site Scripting (XSS) http://www.jtmelton.com/2009/01/12/the-owasp-top-ten-and-esapi-part-2-cross-site-scripting-xss/ Java, Security and Technology Mon, 04 Jan 2010 09:04:37 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: john http://www.jtmelton.com/2009/01/12/the-owasp-top-ten-and-esapi-part-2-cross-site-scripting-xss/comment-page-1/#comment-10 john Wed, 18 Nov 2009 14:24:51 +0000 http://www.jtmelton.com/2009/11/12/the-owasp-top-ten-and-esapi-part-2-cross-site-scripting-xss/#comment-10 Thanks Jim, updated post per your suggestions. Thanks Jim, updated post per your suggestions.

]]> By: Jim Manico http://www.jtmelton.com/2009/01/12/the-owasp-top-ten-and-esapi-part-2-cross-site-scripting-xss/comment-page-1/#comment-9 Jim Manico Wed, 18 Nov 2009 10:09:02 +0000 http://www.jtmelton.com/2009/11/12/the-owasp-top-ten-and-esapi-part-2-cross-site-scripting-xss/#comment-9 String safeOutput = ESAPI.encoder().encodeForURL( "/admin/findUser.do?name=" + request.getParameter( "dangerousInput" ) ); is a little off. The URL would actually "break" since ? would get encoded. I'd go this route: String safeURlToDisplay= "/admin/findUser.do?name=" + ESAPI.encoder().encodeForURL(request.getParameter( "dangerousInput")); Of course, I'd also do input validation (at least) as well. - Jim Manico ESAPI Project Manager String safeOutput = ESAPI.encoder().encodeForURL( “/admin/findUser.do?name=” + request.getParameter( “dangerousInput” ) );

is a little off. The URL would actually “break” since ? would get encoded. I’d go this route:

String safeURlToDisplay= “/admin/findUser.do?name=” + ESAPI.encoder().encodeForURL(request.getParameter( “dangerousInput”));

Of course, I’d also do input validation (at least) as well.

- Jim Manico
ESAPI Project Manager

]]> By: uberVU - social comments http://www.jtmelton.com/2009/01/12/the-owasp-top-ten-and-esapi-part-2-cross-site-scripting-xss/comment-page-1/#comment-8 uberVU - social comments Tue, 17 Nov 2009 13:20:52 +0000 http://www.jtmelton.com/2009/11/12/the-owasp-top-ten-and-esapi-part-2-cross-site-scripting-xss/#comment-8 <strong>Social comments and analytics for this post</strong> This post was mentioned on Twitter by securityshell: The OWASP Top Ten and ESAPI - Part 2 - Cross Site Scripting (XSS) http://tinyurl.com/yfkgs6m Social comments and analytics for this post

This post was mentioned on Twitter by securityshell: The OWASP Top Ten and ESAPI – Part 2 – Cross Site Scripting (XSS) http://tinyurl.com/yfkgs6m

]]>