This repository has been archived by the owner on Apr 6, 2021. It is now read-only.
What steps will reproduce the problem?
1. Initialize org.owasp.esapi.ESAPI.initialize();
2. See the output of
$ESAPI.encoder().encodeForHTML("<script>alert('123');</script>");
output:-
"<script>alert('123');</script>"
3. See the output of decodeForHTML
$ESAPI.encoder().decodeForHTML("<script>alert('123')&#x3b;</script>");
output:- "<script>alert4039123394159<47script>"
What is the expected output? What do you see instead?
Actual output:- "<script>alert4039123394159<47script>"
Expected :- "<script>alert('123');</script>"
What version of the product are you using? On what operating system?
Version:- esapi4js-0.1.3
OS:- Mac
Please provide any additional information below.
I have fixed this issue.
Solution:- In org.owasp.esapi.codecs.HTMLEntityCodec, the functions parseNumber
and parseHex return a number directly (return parseInt(out);). They should return
the character for that code (return String.fromCharCode(parseInt(out));).
Below are the functions I have modified (see //Commented to fix esapi bug)
var parseNumber = function(input) {
    var out = '';
    // Collect decimal digits; a terminating ';' is consumed, anything else ends the entity.
    while (input.hasNext()) {
        var c = input.peek();
        if (c.match(/[0-9]/)) {
            out += c;
            input.next();
        } else if (c == ';') {
            input.next();
            break;
        } else {
            break;
        }
    }
    try {
        // parseInt never throws in JavaScript: an empty or invalid digit string
        // yields NaN, so return null explicitly instead of String.fromCharCode(NaN).
        var code = parseInt(out, 10);
        if (isNaN(code)) {
            return null;
        }
        return String.fromCharCode(code);
        //Commented to fix esapi bug
        //return parseInt(out);
    } catch (e) {
        return null;
    }
};
var parseHex = function(input) {
    var out = '';
    // Collect hex digits; a terminating ';' is consumed, anything else ends the entity.
    while (input.hasNext()) {
        var c = input.peek();
        if (c.match(/[0-9A-Fa-f]/)) {
            out += c;
            input.next();
        } else if (c == ';') {
            input.next();
            break;
        } else {
            break;
        }
    }
    try {
        // Same NaN guard as parseNumber: '&#x;' must not decode to '\u0000'.
        var code = parseInt(out, 16);
        if (isNaN(code)) {
            return null;
        }
        return String.fromCharCode(code);
        //Commented to fix esapi bug
        //return parseInt(out, 16);
    } catch (e) {
        return null;
    }
};
I have fixed this issue in esapi.js and using it for my project.
Thanks
Bikesh Kumar
Original issue reported on code.google.com by [email protected] on 19 Mar 2013 at 9:35
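To make the root cause concrete, here is an added example (not esapi4js code) of a minimal numeric-entity decoder built on a PushbackString-style input like the one the report's parse functions use; the `fixed` flag switches between appending the parsed number (the behaviour the issue reports) and appending the character it denotes. The PushbackString class and function names are assumptions for this example.

```javascript
// Constructed helper modelled on the hasNext/peek/next interface used in the report.
class PushbackString {
  constructor(s) { this.s = s; this.i = 0; this.m = 0; }
  hasNext() { return this.i < this.s.length; }
  peek() { return this.s[this.i]; }
  next() { return this.s[this.i++]; }
  mark() { this.m = this.i; }
  reset() { this.i = this.m; }
}

// Reads decimal or hex digits up to an optional ';' (consumed).
// Returns the code point as a number, or null when no digits were present.
function parseCodePoint(input, hex) {
  let out = '';
  const digit = hex ? /[0-9A-Fa-f]/ : /[0-9]/;
  while (input.hasNext()) {
    const c = input.peek();
    if (digit.test(c)) { out += c; input.next(); }
    else if (c === ';') { input.next(); break; }
    else break;
  }
  if (out === '') return null;            // '&#;' and '&#x;' are not entities
  return parseInt(out, hex ? 16 : 10);
}

// Decodes numeric references (&#NN; and &#xHH;) only; named entities are left alone.
// fixed=false reproduces the bug: the number itself is appended to the output.
// fixed=true applies the fix: the number is converted to its character first.
function decodeNumericEntities(s, fixed) {
  const input = new PushbackString(s);
  let result = '';
  while (input.hasNext()) {
    const c = input.next();
    if (c !== '&' || input.peek() !== '#') { result += c; continue; }
    input.mark();                                   // remember position of '#'
    input.next();                                   // consume '#'
    let hex = false;
    if (input.hasNext() && /[xX]/.test(input.peek())) { hex = true; input.next(); }
    const cp = parseCodePoint(input, hex);
    if (cp === null) { input.reset(); result += '&'; continue; } // malformed: keep '&' literal
    result += fixed ? String.fromCharCode(cp) : cp; // bug: number concatenated as digits
  }
  return result;
}
```

Running `decodeNumericEntities("alert&#x28;&#x27;123&#x27;&#x29;&#x3b;", false)` yields the `alert4039123394159` seen in the report, while `fixed=true` yields `alert('123');`.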