I need to use the Encode.forHtml() in a js file. i'm using the jar Remended by OWASP - encoder-1.2.jar i'm following the details given in this page .php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project

Here all the examples are shown with Scriptlets. I know scriptlets can be used only in jsp. But i want to use the Encode.forHtml() in a js file. so can someone please help me and explain how i can use it a js file.

i tried the following but it didnt work

sample.js
function test1_outsidejsp()
{
 var test = "testforEncode";
 var msg = Encode.forJavaScriptBlock(test);
 alert(msg);
}

PS: There is no problem with the jar. i used the Encode.forHtml() from a script written inside the JSP and it works fine. i have also imported the jar to the jsp

<%@page import="org.owasp.encoder.Encode" %>

This is the script inside the jsp (this is working fine)

<%String test="testing"; %>
<script type="text/javascript">
function testfn_insidejsp()
{
 var msg = "<%= Encode.forJavaScriptBlock(test) %>";
 alert(msg);
}
</script>

I need to know how to write that without the scriptlet in a js file.

I need to use the Encode.forHtml() in a js file. i'm using the jar Remended by OWASP - encoder-1.2.jar i'm following the details given in this page https://www.owasp/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project

Here all the examples are shown with Scriptlets. I know scriptlets can be used only in jsp. But i want to use the Encode.forHtml() in a js file. so can someone please help me and explain how i can use it a js file.

i tried the following but it didnt work

sample.js
function test1_outsidejsp()
{
 var test = "testforEncode";
 var msg = Encode.forJavaScriptBlock(test);
 alert(msg);
}

PS: There is no problem with the jar. i used the Encode.forHtml() from a script written inside the JSP and it works fine. i have also imported the jar to the jsp

<%@page import="org.owasp.encoder.Encode" %>

This is the script inside the jsp (this is working fine)

<%String test="testing"; %>
<script type="text/javascript">
function testfn_insidejsp()
{
 var msg = "<%= Encode.forJavaScriptBlock(test) %>";
 alert(msg);
}
</script>

I need to know how to write that without the scriptlet in a js file.

• javascript
• xss
• owasp
• esapi
• cross-site

• It's kind of hard to understand what you are trying to do. A .jsp file executes on the server (and encodes the data on the server) before sending the JavaScript with the encoded value to the browser, where the JavaScript will run. A .js file on the server is static, and runs only in the client browser, and there the .jar file is not available and is not JavaScript. – Erlend Commented Aug 25, 2016 at 18:27
• Ya... thanks...So.. how can i fix that issue... i'm having code in js , that is being shown as a vulnerability. I need to fix it.. its a Dom based cross site scripting. Its because of this line : document.getElementById(<someid>)=response; (the response is a http response , so its shown as a vulnerability) – daniel Commented Aug 26, 2016 at 15:21

2 Answers 2

If you are not planning on using any other server-side ESAPI features, you may be better off using ESAPI for JavaScript rather than ESAPI for Java, which is what it sounds like you are trying to use.

If you want to insert untrusted data into an HTML element, you can assign it to .innerText or .textContent (depending on browser).

document.getElementById(<someid>).textContent = response

However if you want to support HTML in the response, but you don't want it to be able to run code, you can use DOMPurify to sanitize the response and make static HTML out of it.