ESAPI / owasp-esapi-js

An UNMAINTAINED project originally exported from code.google.com/p/owasp-esapi-js. This project is deprecated. See the README.md for further details and possible alternatives.


esapi.js encodeForHTML then decodeForHTML does not give the original input for ( ) ; /

gsmetcalf opened this issue · comments

Hi All,

I must be doing something wrong? I am using esapi.js to encode and then decode a string containing a piece of script that could be used in a primitive XSS attack, e.g.

Code Snippet:
// assumes esapi.js is loaded and $ESAPI has been initialised
name = $ESAPI.encoder().encodeForHTML( name );
var decoded = $ESAPI.encoder().decodeForHTML( name );

Input: Message <script>alert("JS XSS ARRRHHH")</script> 1
Encoded: Message &lt;script&gt;alert("JS XSS ARRRHHH")&lt;/script&gt; 1
Decoded: Message <script>alert40"JS XSS ARRRHHH"41<47script> 1

Any ideas? This seems very basic to be broken, so I'm assuming user error.

Thanks in advance,

Gareth
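The round trip in the post can be checked in isolation with a small encoder/decoder pair. The block below is an added example, not code from esapi.js: `encodeForHTML` escapes every character outside `[A-Za-z0-9 ]` (the exact allowed set esapi.js uses is an assumption), `decodeForHTML` handles named, decimal and hexadecimal character references, and `decodeForHTMLBroken` is a constructed decoder that strips the `&#` and `;` delimiters without converting the digits. That defect reproduces the `alert40"..."41<47script>` output shown above exactly; it is offered as the kind of bug consistent with that output, not as an established root cause in esapi.js.

```javascript
// Added example (not part of esapi.js): HTML encode/decode round trip.

// Named references for the usual HTML metacharacters; everything else that is
// not alphanumeric becomes a decimal numeric reference (&#NN;).
const NAMED = { '<': '&lt;', '>': '&gt;', '&': '&amp;', '"': '&quot;' };
const NAMED_REVERSE = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Allowed set is an assumption: letters, digits and space pass through unchanged.
const ALLOWED = /^[A-Za-z0-9 ]$/;

function encodeForHTML(input) {
  let out = '';
  for (const ch of String(input)) {            // iterates by code point
    if (ALLOWED.test(ch)) {
      out += ch;
    } else if (Object.prototype.hasOwnProperty.call(NAMED, ch)) {
      out += NAMED[ch];
    } else {
      out += '&#' + ch.codePointAt(0) + ';';
    }
  }
  return out;
}

// Correct decoder: &name; , &#40; and &#x28; all map back to a character.
// Unknown named references are left untouched rather than silently dropped.
function decodeForHTML(input) {
  return String(input).replace(
    /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g,
    (match, body) => {
      if (body[0] === '#') {
        const hex = body[1] === 'x' || body[1] === 'X';
        const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
        if (!Number.isFinite(cp) || cp > 0x10ffff) return match; // out of Unicode range
        return String.fromCodePoint(cp);
      }
      return Object.prototype.hasOwnProperty.call(NAMED_REVERSE, body)
        ? NAMED_REVERSE[body]
        : match;
    }
  );
}

// Constructed defective decoder: named references are decoded, but numeric
// references only lose their '&#' and ';' and keep their digits, so '&#40;'
// comes out as '40'. Illustrates the symptom in the post; not esapi.js code.
function decodeForHTMLBroken(input) {
  return String(input)
    .replace(/&#[xX]?([0-9a-fA-F]+);/g, '$1')
    .replace(/&([a-zA-Z]+);/g, (match, name) =>
      Object.prototype.hasOwnProperty.call(NAMED_REVERSE, name) ? NAMED_REVERSE[name] : match
    );
}

// The property worth asserting in a test suite: decode(encode(x)) === x.
function roundTripsCleanly(input, decoder = decodeForHTML) {
  return decoder(encodeForHTML(input)) === input;
}

// The string from the post.
const POST_INPUT = 'Message <script>alert("JS XSS ARRRHHH")</script> 1';

console.log('encoded:      ', encodeForHTML(POST_INPUT));
console.log('decoded:      ', decodeForHTML(encodeForHTML(POST_INPUT)));
console.log('broken decode:', decodeForHTMLBroken(encodeForHTML(POST_INPUT)));
console.log('round trip ok:', roundTripsCleanly(POST_INPUT));
```

Run it with `node`; the "broken decode" line is the output the post reports, and the "decoded" line is the original string. A round-trip assertion of this shape is the cheapest regression test for an encoder/decoder pair: it catches a decoder that accepts only one of the three reference forms, which plain "does it render safely" checks never do.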

@gsmetcalf, did you find any solution for this?