Hi Everyone,
I'm looking at some code that does this in a *.jsp file (forgive my
typos). Static analysis is triggering findings on it. I believe they
are mostly false positives because they are used in string compares.
if ( "Print".equalsIgnoreCase((String)params.get("ReportDisplayType")) ) {
...
}
I have two questions...
(1) Does JavaScript/ECMA-262 ensure (guarantee?) that
'params.get("ReportDisplayType")' will remain inert, and not be
evaluated or become active content?
(2) How does one encode to make it safe for use in a string compare?
Would we use ESAPI.encodeForJavaScript? Or would we do something like
percent encoding since it is a string compare? Maybe something like:
String reportType =
ESAPI.encoder().encodeForURL((String)params.get("ReportDisplayType"));
if ( "Print".equalsIgnoreCase( reportType ) ) {
...
}
On May 26, 2023, at 20:40, Kevin W. Wall <kevin....@gmail.com> wrote:
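The compare in the question, worked through as an added example (this is not code from the poster or from the ESAPI project). It resolves the untrusted parameter to an allowlisted enum value with equalsIgnoreCase, which only compares characters and never parses or evaluates the input, and it shows what happens when the value is encoded before the compare. java.net.URLEncoder stands in for ESAPI.encoder().encodeForURL so the class runs without the ESAPI jar; the enum, class and sample parameter values are constructed for the example, and Java 10 or later is assumed for the URLEncoder overload used.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/** Added example: resolving an untrusted request parameter by string compare. */
public class ReportDisplayTypeCheck {

    /** The only values the application accepts (constructed for the example). */
    enum ReportDisplayType { PRINT, SCREEN }

    /**
     * Maps the raw parameter to an allowlisted value, or null if nothing matches.
     * equalsIgnoreCase compares characters only; the parameter is never parsed,
     * evaluated or interpolated here, so hostile-looking content just fails to match.
     * The instanceof check also covers null and non-String values, which the bare
     * (String) cast in the original snippet would turn into a ClassCastException.
     */
    static ReportDisplayType resolve(Object rawParam) {
        if (!(rawParam instanceof String)) {
            return null;
        }
        String value = (String) rawParam;
        if ("Print".equalsIgnoreCase(value)) {
            return ReportDisplayType.PRINT;
        }
        if ("Screen".equalsIgnoreCase(value)) {
            return ReportDisplayType.SCREEN;
        }
        return null;
    }

    /**
     * The same compare with the parameter URL-encoded first (URLEncoder is a
     * stand-in for ESAPI's encodeForURL). Encoding changes the characters being
     * compared, so a value containing a space or punctuation no longer matches
     * the constant even when it should; encoding belongs where the value is
     * written into HTML or JavaScript output, not in the compare.
     */
    static boolean matchesAfterUrlEncoding(String expected, String rawParam) {
        String encoded = URLEncoder.encode(rawParam, StandardCharsets.UTF_8);
        return expected.equalsIgnoreCase(encoded);
    }

    public static void main(String[] args) {
        // Constructed sample parameter values standing in for the JSP's params map.
        String[] samples = {
            "print",                // legitimate value, different case
            "<b>Print</b>",         // markup around the word: fails the compare, nothing is rendered
            "${7*7}",               // EL-looking text: just characters to equalsIgnoreCase
            "Print Preview",        // not on the allowlist
            null                    // parameter absent
        };
        for (String s : samples) {
            Map<String, Object> params = new HashMap<>();
            params.put("ReportDisplayType", s);
            System.out.printf("%-16s -> %s%n", s, resolve(params.get("ReportDisplayType")));
        }
        // Encoding before comparing is harmless for "Print" (no reserved characters)
        // but silently breaks any legitimate value that contains one.
        System.out.println(matchesAfterUrlEncoding("Print", "print"));                 // true
        System.out.println(matchesAfterUrlEncoding("Print Preview", "Print Preview")); // false: "Print+Preview"
    }
}
```

The resolve method is the shape the static-analysis finding is really asking for: the raw parameter is consumed by the compare and never flows anywhere else, and the rest of the page works from the enum, so there is no tainted value left to encode. Where the raw parameter does get echoed back into the page, that output location is where the contextual ESAPI encoder (encodeForHTML, encodeForJavaScript, and so on) applies.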
You received this message because you are subscribed to the Google Groups "ESAPI Project Users" group.