esapi.js encodeForHTML then decodeForHTML does not give the original input for ( ) ; /
gsmetcalf opened this issue · comments
Hi All,
I must be doing something wrong? I am using esapi.js to encode and then decode a string containing a piece of script that could be used in a primitive XSS attack, e.g.
Code Snippet:
name = $ESAPI.encoder().encodeForHTML( name ); // encode for an HTML text context
var decoded = $ESAPI.encoder().decodeForHTML( name ); // decode the encoded value back; expected to equal the original input
Input: Message <script>alert("JS XSS ARRRHHH")</script> 1
Encoded: Message <script>alert("JS XSS ARRRHHH")</script> 1
Decoded: Message <script>alert40"JS XSS ARRRHHH"41<47script> 1
Any ideas? This seems very basic to be broken, so I'm assuming user error.
Thanks in advance,
Gareth
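As an added example, not code from the original issue and not esapi.js's implementation: a small reference HTML encoder/decoder pair in JavaScript plus a checker that reports exactly which characters do not survive encode-then-decode, which is the property the post above expects. The digits in the posted decoded output, 40, 41 and 47, are the decimal code points of the parenthesis, closing parenthesis and slash, so the example also includes a deliberately broken decoder, constructed here only to reproduce that shape of output so the checker can flag it; it is not a claim about how esapi.js is implemented. The function names, the choice of decimal numeric references, and the decoding rules are all assumptions of this example.

```javascript
// Added example (not esapi.js code): reference HTML encoder/decoder and a
// round-trip checker for the property decode(encode(s)) === s.

// Characters with common named references; every other non-alphanumeric
// character gets a decimal numeric character reference, e.g. "(" -> "&#40;".
// Decimal is an assumption chosen to match the digits in the posted output.
const NAMED_FOR_CHAR = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;" };
const CHAR_FOR_NAMED = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };

function encodeForHtml(input) {
  let out = "";
  for (const ch of input) {                 // for...of iterates by code point
    if (/^[A-Za-z0-9 ]$/.test(ch)) {
      out += ch;                            // safe in an HTML text context
    } else if (Object.prototype.hasOwnProperty.call(NAMED_FOR_CHAR, ch)) {
      out += NAMED_FOR_CHAR[ch];
    } else {
      out += "&#" + ch.codePointAt(0) + ";";
    }
  }
  return out;
}

// Decodes named, decimal (&#40;) and hex (&#x28;) references. A malformed,
// unknown or out-of-range reference is left untouched, never partially decoded.
function decodeForHtml(input) {
  return input.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[A-Za-z]+);/g, (match, body) => {
    if (body[0] !== "#") {
      return Object.prototype.hasOwnProperty.call(CHAR_FOR_NAMED, body) ? CHAR_FOR_NAMED[body] : match;
    }
    const hex = body[1] === "x" || body[1] === "X";
    const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
  });
}

// Whole-string round trip: true only if decode(encode(input)) is the input.
function roundTrips(encode, decode, input) {
  return decode(encode(input)) === input;
}

// Per-character round trip: returns the distinct characters of input, in order
// of first appearance, that do not survive encode-then-decode on their own.
function charsThatDoNotRoundTrip(encode, decode, input) {
  const bad = new Set();
  for (const ch of input) {
    if (decode(encode(ch)) !== ch) bad.add(ch);
  }
  return [...bad];
}

// Constructed for illustration only (not esapi.js): a decoder that resolves
// named references but strips the "&#" and ";" around numeric ones, leaving
// the digits behind. It reproduces the shape of the posted decoded output.
function brokenDecode(input) {
  return input
    .replace(/&([A-Za-z]+);/g, (m, name) =>
      Object.prototype.hasOwnProperty.call(CHAR_FOR_NAMED, name) ? CHAR_FOR_NAMED[name] : m)
    .replace(/&#([0-9]+);/g, "$1");
}

// Sample input taken from the issue text above.
const SAMPLE = 'Message <script>alert("JS XSS ARRRHHH")</script> 1';

// Usage: the correct pair reports no failures; the constructed broken decoder
// reports exactly the characters the issue title lists as not round-tripping.
console.log(roundTrips(encodeForHtml, decodeForHtml, SAMPLE));
console.log(charsThatDoNotRoundTrip(encodeForHtml, decodeForHtml, SAMPLE));
console.log(brokenDecode(encodeForHtml(SAMPLE)));
console.log(charsThatDoNotRoundTrip(encodeForHtml, brokenDecode, SAMPLE));
```

The per-character checker is the useful part when triaging a library: feeding it the full input narrows a vague "decode does not match" report down to the exact characters affected, which is what the issue title does by hand.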
@gsmetcalf, did you find any solution for this?