Backslash inserted when using Encode#forJavaScript to encode a String with a hyphen in it
InfiniteLoop90 opened this issue · comments
When encoding Strings that have hyphens in them using the Encode#forJavaScript method, a backslash is prepended before the hyphen in the output of the encoded String.
For example,
Encode.forJavaScript(String.valueOf(-1));
produces \-1
These causes illegal character errors on resulting HTML and JavaScript files if you try to use the result as a JavaScript Number type.
Encoding values with hyphens in them for all of the other contexts (e.g., forHtml, forCssString, forXml, forCDATA, forJava, etc.) produces the expected values without the backslashes (-1) .
Verified this is how it behaves in all versions of the OWASP Encoder library published to Maven Central (1.1 - 1.2.1).
Can you give us a little code sample to explain your issue? We'll take a
close look a this - this is the second time I got this report and I hear
you now.
Aloha,
…--
Jim Manico
Manicode Security
https://www.manicode.com
On 9/22/17 8:02 PM, Clayton Bodendein wrote:
When encoding Strings that have hyphens in them using the
|Encode#forJavaScript| method, a backslash is put before the hyphen in
the output of the encoded String.
For example,
|Encode.forJavaScript("-1"); |
produces |\-1|
These causes illegal character errors on resulting HTML and JavaScript
files if you try to use the result as a JavaScript Number type.
Encoding values with hyphens in them for all of the other contexts
(e.g., forHtml, forCssString, forXml, forCDATA, forJava, etc.)
produces the expected values without the backslashes (|-1|) .
Verified this is how it behaves in all versions of the OWASP Encoder
library published to Maven Central (1.1 - 1.2.1).
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#7>, or mute the
thread
<https://github.com/notifications/unsubscribe-auth/AAgcCYmB_rLW3zcVtl1rALIfcxx_kErEks5slEqtgaJpZM4PhXgd>.
Sure
For example, on some JSP file we could have something like this:
<%
Number someNumberValue = (Number)request.getAttribute("someNumberFromRequest");
%>
<script type="text/javascript">
$(document).ready(function() {
var someJavaScriptNumber = <%= Encode.forJavaScript(String.valueOf(someNumberValue)) %>;
});
</script>
That would be a syntax error.
I see that issue #6 is what you're referring to. Is the assumption that you'd always quote your values and use the JavaScript functions parseInt() and parseFloat() in these scenarios to put Numbers onto the page?
I talked to the lib author, Dr. Icknowski.
You should not need to use parseInt(). The quotes alone will solve the problem.
Give it a try and send us a code sample if you're still having problems.
…--
Jim Manico
@manicode
Secure Coding Education
+1 (808) 652-3805
On Sep 22, 2017, at 9:04 PM, Clayton Bodendein ***@***.***> wrote:
I see that issue #6 is what you're referring to. Is the assumption that you'd always quote your values and use parseInt() and parseFloat() in these scenarios to put Numbers onto the page?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
Indeed. Looking at your code sample. Quote that number and you should be all set!
…--
Jim Manico
@manicode
Secure Coding Education
+1 (808) 652-3805
On Sep 22, 2017, at 9:04 PM, Clayton Bodendein ***@***.***> wrote:
I see that issue #6 is what you're referring to. Is the assumption that you'd always quote your values and use parseInt() and parseFloat() in these scenarios to put Numbers onto the page?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
It looks like this is a resolved issue. If you have any more questions either contact us directly or open a new bug. Thanks for using the OWASP Java Encoder and we're always eager to hear other feedback. Aloha!
@jmanico Well, putting quotes around it would mean that I'd be putting it on the page as a JavaScript String and not as a JavaScript Number. My intent was to put it on the page as a number.
For example:
<body>
<%
Number someNumberValue = Integer.valueOf(-1);
// In reality this value would have come off of some request attribute but here it's hardcoded for example purposes
%>
<script type="application/javascript">
document.addEventListener("DOMContentLoaded", function(event) {
var someJavaScriptNumber = '<%= Encode.forJavaScript(String.valueOf(someNumberValue)) %>';
var test1ValueNode = document.getElementById('test1-value');
var test1TypeNode = document.getElementById('test1-type');
var test1EqualityTestNode = document.getElementById('test1-equality-test');
test1ValueNode.textContent = test1ValueNode.textContent.concat(someJavaScriptNumber.toString());
test1TypeNode.textContent = test1TypeNode.textContent.concat(typeof someJavaScriptNumber);
test1EqualityTestNode.textContent = test1EqualityTestNode.textContent.concat((-1 === someJavaScriptNumber).toString());
});
</script>
<h1 id="test1-value">The value is </h1>
<h2 id="test1-type">The type is </h2>
<h3 id="test1-equality-test">When comparing -1 === someJavaScriptNumber, the returned value is </h3>
</body>
produces the following HTML source (note the escaped hyphen):
<body>
<script type="application/javascript">
document.addEventListener("DOMContentLoaded", function(event) {
var someJavaScriptNumber = '\-1';
var test1ValueNode = document.getElementById('test1-value');
var test1TypeNode = document.getElementById('test1-type');
var test1EqualityTestNode = document.getElementById('test1-equality-test');
test1ValueNode.textContent = test1ValueNode.textContent.concat(someJavaScriptNumber.toString());
test1TypeNode.textContent = test1TypeNode.textContent.concat(typeof someJavaScriptNumber);
test1EqualityTestNode.textContent = test1EqualityTestNode.textContent.concat((-1 === someJavaScriptNumber).toString());
});
</script>
<h1 id="test1-value">The value is </h1>
<h2 id="test1-type">The type is </h2>
<h3 id="test1-equality-test">When comparing -1 === someJavaScriptNumber, the returned value is </h3>
</body>
and the output of the page is shown here:
It's JavaScript, there is no number. There are only variables. Give it a try, it will not effect your code for numeric computation.
…--
Jim Manico
@manicode
Secure Coding Education
+1 (808) 652-3805
On Sep 23, 2017, at 10:29 AM, Clayton Bodendein ***@***.***> wrote:
For example:
<body>
<%
Number someNumberValue = Integer.valueOf(-1);
// In reality this value would have come off of some request attribute but here it's hardcoded for example purposes
%>
<script type="application/javascript">
document.addEventListener("DOMContentLoaded", function(event) {
var someJavaScriptNumber = '<%= Encode.forJavaScript(String.valueOf(someNumberValue)) %>';
var test1ValueNode = document.getElementById('test1-value');
var test1TypeNode = document.getElementById('test1-type');
var test1EqualityTestNode = document.getElementById('test1-equality-test');
test1ValueNode.textContent = test1ValueNode.textContent.concat(someJavaScriptNumber.toString());
test1TypeNode.textContent = test1TypeNode.textContent.concat(typeof someJavaScriptNumber);
test1EqualityTestNode.textContent = test1EqualityTestNode.textContent.concat((-1 === someJavaScriptNumber).toString());
});
</script>
<h1 id="test1-value">The value is </h1>
<h2 id="test1-type">The type is </h2>
<h3 id="test1-equality-test">When comparing -1 === someJavaScriptNumber, the returned value is </h3>
</body>
produces the following HTML source:
<body>
<script type="application/javascript">
document.addEventListener("DOMContentLoaded", function(event) {
var someJavaScriptNumber = '\-1';
var test1ValueNode = document.getElementById('test1-value');
var test1TypeNode = document.getElementById('test1-type');
var test1EqualityTestNode = document.getElementById('test1-equality-test');
test1ValueNode.textContent = test1ValueNode.textContent.concat(someJavaScriptNumber.toString());
test1TypeNode.textContent = test1TypeNode.textContent.concat(typeof someJavaScriptNumber);
test1EqualityTestNode.textContent = test1EqualityTestNode.textContent.concat((-1 === someJavaScriptNumber).toString());
});
</script>
<h1 id="test1-value">The value is </h1>
<h2 id="test1-type">The type is </h2>
<h3 id="test1-equality-test">When comparing -1 === someJavaScriptNumber, the returned value is </h3>
</body>
and the output of the page is shown here:
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
Hi Clayton,
The encoder's JavaScript contexts are for strings, since they can cause XSS vulnerabilities. Numbers don’t need encoding since they cannot cause XSS. There are no numbers that will break out of a javascript context. If (and only if) ‘javaNumber’ is a numeric type (primitive or box wrapper), just use:
var javaScriptNumber = <%= javaNumber %>;
This is true even for the special cases of java.lang.Double.POSITIVE_INFINITY, NEGATIVE_INFINITY, NaN, and java.lang.Float equivalents.
On the other hand, if ‘javaNumber’ is some user provided data that is NOT a numeric type, then you should either (1) convert it to a number on the java side, or (2) encode it to a string and handle it on the javascript side. E.g.
<% // option (1)
String javaNumber = (untrusted data);
Double actualNumber = Double.parseDouble(javaNumber); // don’t forget to catch NumberFormatException
%>
<script>
var jsNumber = <%= actualNumber %>;
</script>
— or —
<% // option (2)
String javaNumber = (untrusted data);
%>
<script>
var jsNumber = parseInt("<%=Encode.forJavaScript(javaNumber)%>");
</script>
Thanks,
-Jeff
… On Sep 23, 2017, at 10:29 AM, Clayton Bodendein ***@***.***> wrote:
For example:
<body>
<%
Number someNumberValue = Integer.valueOf(-1);
// In reality this value would have come off of some request attribute but here it's hardcoded for example purposes
%>
<script type="application/javascript">
document.addEventListener("DOMContentLoaded", function(event) {
var someJavaScriptNumber = '<%= Encode.forJavaScript(String.valueOf(someNumberValue)) %>';
var test1ValueNode = document.getElementById('test1-value');
var test1TypeNode = document.getElementById('test1-type');
var test1EqualityTestNode = document.getElementById('test1-equality-test');
test1ValueNode.textContent = test1ValueNode.textContent.concat(someJavaScriptNumber.toString());
test1TypeNode.textContent = test1TypeNode.textContent.concat(typeof someJavaScriptNumber);
test1EqualityTestNode.textContent = test1EqualityTestNode.textContent.concat((-1 === someJavaScriptNumber).toString());
});
</script>
<h1 id="test1-value">The value is </h1>
<h2 id="test1-type">The type is </h2>
<h3 id="test1-equality-test">When comparing -1 === someJavaScriptNumber, the returned value is </h3>
</body>
produces the following HTML source:
<body>
<script type="application/javascript">
document.addEventListener("DOMContentLoaded", function(event) {
var someJavaScriptNumber = '\-1';
var test1ValueNode = document.getElementById('test1-value');
var test1TypeNode = document.getElementById('test1-type');
var test1EqualityTestNode = document.getElementById('test1-equality-test');
test1ValueNode.textContent = test1ValueNode.textContent.concat(someJavaScriptNumber.toString());
test1TypeNode.textContent = test1TypeNode.textContent.concat(typeof someJavaScriptNumber);
test1EqualityTestNode.textContent = test1EqualityTestNode.textContent.concat((-1 === someJavaScriptNumber).toString());
});
</script>
<h1 id="test1-value">The value is </h1>
<h2 id="test1-type">The type is </h2>
<h3 id="test1-equality-test">When comparing -1 === someJavaScriptNumber, the returned value is </h3>
</body>
and the output of the page is shown here:
<https://user-images.githubusercontent.com/20246655/30773988-7be669e6-a041-11e7-80f8-fe8fabfc1f35.png>
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub <#7 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABI-Y_k_MuJmS17azryf2Sf95Pjwqxylks5slRWvgaJpZM4PhXgd>.
@jeffi Thanks for the explanation! That makes sense.
Jeff,
Thanks X2 for the explanation. I'll add this to the wiki to better explain numeric handling in JS.
PS: Was I wrong to state that you can do numeric computation on quoted numerics?
…--
Jim Manico
@manicode
Secure Coding Education
+1 (808) 652-3805
On Sep 23, 2017, at 10:48 AM, Clayton Bodendein ***@***.***> wrote:
@jeffi Thanks for the explanation! That makes sense.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
Yea, I did a little fiddling around and of course you are correct. Adding a number and a string in JS leads to string concatenation.
I'll clarify this in the docs.
Thanks all,
--
Jim Manico
@manicode
Secure Coding Education
+1 (808) 652-3805
… On Sep 23, 2017, at 10:48 AM, Clayton Bodendein ***@***.***> wrote:
@jeffi Thanks for the explanation! That makes sense.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
Added this documentation to the project.
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=How_To_Handle_Numbers
Aloha, Jim
…On 9/23/17 7:46 AM, Jeff Ichnowski wrote:
Hi Clayton,
The encoder's JavaScript contexts are for strings, since they can
cause XSS vulnerabilities. Numbers don’t need encoding since they
cannot cause XSS. There are no numbers that will break out of a
javascript context. If (and only if) ‘javaNumber’ is a numeric type
(primitive or box wrapper), just use:
var javaScriptNumber = <%= javaNumber %>;
This is true even for the special cases of
java.lang.Double.POSITIVE_INFINITY, NEGATIVE_INFINITY, NaN, and
java.lang.Float equivalents.
On the other hand, if ‘javaNumber’ is some user provided data that is
NOT a numeric type, then you should either (1) convert it to a number
on the java side, or (2) encode it to a string and handle it on the
javascript side. E.g.
<% // option (1)
String javaNumber = (untrusted data);
Double actualNumber = Double.parseDouble(javaNumber); // don’t forget
to catch NumberFormatException
%>
<script>
var jsNumber = <%= actualNumber %>;
</script>
— or —
<% // option (2)
String javaNumber = (untrusted data);
%>
<script>
var jsNumber = parseInt("<%=Encode.forJavaScript(javaNumber)%>");
</script>
Thanks,
-Jeff
> On Sep 23, 2017, at 10:29 AM, Clayton Bodendein
***@***.***> wrote:
>
> For example:
>
> <body>
> <%
> Number someNumberValue = Integer.valueOf(-1);
> // In reality this value would have come off of some request
attribute but here it's hardcoded for example purposes
> %>
> <script type="application/javascript">
> document.addEventListener("DOMContentLoaded", function(event) {
> var someJavaScriptNumber = '<%=
Encode.forJavaScript(String.valueOf(someNumberValue)) %>';
>
> var test1ValueNode = document.getElementById('test1-value');
> var test1TypeNode = document.getElementById('test1-type');
> var test1EqualityTestNode =
document.getElementById('test1-equality-test');
>
> test1ValueNode.textContent =
test1ValueNode.textContent.concat(someJavaScriptNumber.toString());
> test1TypeNode.textContent = test1TypeNode.textContent.concat(typeof
someJavaScriptNumber);
> test1EqualityTestNode.textContent =
test1EqualityTestNode.textContent.concat((-1 ===
someJavaScriptNumber).toString());
> });
> </script>
> <h1 id="test1-value">The value is </h1>
> <h2 id="test1-type">The type is </h2>
> <h3 id="test1-equality-test">When comparing -1 ===
someJavaScriptNumber, the returned value is </h3>
> </body>
> produces the following HTML source:
>
> <body>
>
> <script type="application/javascript">
> document.addEventListener("DOMContentLoaded", function(event) {
> var someJavaScriptNumber = '\-1';
>
> var test1ValueNode = document.getElementById('test1-value');
> var test1TypeNode = document.getElementById('test1-type');
> var test1EqualityTestNode =
document.getElementById('test1-equality-test');
>
> test1ValueNode.textContent =
test1ValueNode.textContent.concat(someJavaScriptNumber.toString());
> test1TypeNode.textContent = test1TypeNode.textContent.concat(typeof
someJavaScriptNumber);
> test1EqualityTestNode.textContent =
test1EqualityTestNode.textContent.concat((-1 ===
someJavaScriptNumber).toString());
> });
> </script>
> <h1 id="test1-value">The value is </h1>
> <h2 id="test1-type">The type is </h2>
> <h3 id="test1-equality-test">When comparing -1 ===
someJavaScriptNumber, the returned value is </h3>
> </body>
> and the output of the page is shown here:
>
<https://user-images.githubusercontent.com/20246655/30773988-7be669e6-a041-11e7-80f8-fe8fabfc1f35.png>
> —
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly, view it on GitHub
<#7 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABI-Y_k_MuJmS17azryf2Sf95Pjwqxylks5slRWvgaJpZM4PhXgd>.
>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#7 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAgcCbb7-cs8CpjcpjrXayKPEctc7u0iks5slRmqgaJpZM4PhXgd>.
--
Jim Manico
Manicode Security
https://www.manicode.com
Thanks @jmanico !