
If I JS encode untrusted data, and put it into the eval() function, for example like this:

eval('var a="JS_ENCODED_UNTRUSTED_DATA";alert(a);');

How is XSS still possible in that case?

Edit: To clarify what I meant by "JS encode": In Java, I can use OWASP Java Encoder to encode untrusted data for various contexts. For example, Encoder.forHTML(UNTRUSTED_DATA) if I'm inserting untrusted data into HTML, or Encoder.forJavaScript(UNTRUSTED_DATA) if I'm inserting untrusted data into JS. It simply encodes or escapes dangerous characters in the input string before inserting it into the HTML page or JavaScript. I'm not exactly sure how the Encoder.forJavaScript function encodes each character, but I know that some characters are simply escaped with '\', and some are converted to the \xHH format.

pineappleman
  • JS encode meaning what? – Anonymous Jun 08 '15 at 21:49
  • I meant output encoding. For example in Java, I can use OWASP Java Encoder to encode untrusted data for various contexts. For example Encoder.forHTML(UNTRUSTED_DATA) or Encoder.forJavaScript(UNTRUSTED_DATA). It simply encodes or escapes dangerous characters in the input string before inserting it into the HTML page or JavaScript. – pineappleman Jun 08 '15 at 22:08
  • I meant you would need to say *exactly* which characters are escaped and how. – Anonymous Jun 08 '15 at 22:10
  • I'm not exactly sure how the Encoder.forJavaScript function encodes each character, but I know that some characters are simply escaped with \, and some are converted to the \xHH format. Would this be enough or do I need to define for each character separately how it is encoded? – pineappleman Jun 08 '15 at 22:18
  • No, that should be fine, but if you are using that function to encode the untrusted data, it would be better to say that in the question, showing exactly how it is used to make the question clearer to anyone trying to answer. – Anonymous Jun 08 '15 at 22:20
  • Yes, you are right. I will edit it. Thanks! – pineappleman Jun 08 '15 at 22:20
  • No problem. You can also read the [how to ask guide](http://stackoverflow.com/help/how-to-ask) for more information. – Anonymous Jun 08 '15 at 22:21

1 Answer


It depends on how you have escaped that "data". Your data is located

  1. in a "-delimited JavaScript string
  2. inside a '-delimited JavaScript string
  3. possibly inside an HTML <script> element (if not being loaded as an external script).

So you would need to call up to three different escape functions on your data to make it secure. That said, there are really few cases where you actually need eval.

Bergi
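As an added example (not from the question, the answer, or the OWASP library), this shows the layering the answer describes: the data sits in a "-delimited string, which sits in a '-delimited string, which sits in a script element, and each string layer needs its own encoding pass. encodeForJsString is an assumed stand-in for an Encoder.forJavaScript-style \xHH scheme, and buildLayered, buildSingleLayer and roundTrips are illustrative names.

```javascript
// Added example: one encoding pass per nesting layer, then a round-trip check.
// encodeForJsString is an assumed stand-in modelled on Encoder.forJavaScript's
// \xHH scheme, not the OWASP library's code: everything outside [A-Za-z0-9 ]
// becomes \xHH (or \uHHHH), so quotes, backslashes, '<' and '/' can never end
// a string literal or a <script> element.
function encodeForJsString(s) {
  return Array.from(s)
    .map((ch) => {
      if (/^[A-Za-z0-9 ]$/.test(ch)) return ch;
      const cp = ch.codePointAt(0);
      if (cp < 0x100) return "\\x" + cp.toString(16).padStart(2, "0");
      if (cp < 0x10000) return "\\u" + cp.toString(16).padStart(4, "0");
      return "\\u{" + cp.toString(16) + "}";
    })
    .join("");
}

// Correct: layer 1 is the "-delimited string inside the program passed to eval,
// layer 2 is the '-delimited literal that holds that program. The parser decodes
// each literal once, so the data is encoded once per layer. Since '<' is encoded
// too, the output never contains "</script>", covering the third (HTML) context.
function buildLayered(untrusted) {
  const program = 'var a="' + encodeForJsString(untrusted) + '";a';
  return "eval('" + encodeForJsString(program) + "')";
}

// Incorrect: encoded only once. The outer ' literal decodes the \xHH escapes,
// so eval receives a program in which the data's own quotes are live again.
function buildSingleLayer(untrusted) {
  return "eval('var a=\"" + encodeForJsString(untrusted) + "\";a')";
}

// True only if evaluating src yields the original data unchanged, i.e. the
// untrusted input stayed a string and did not alter the program's structure.
function roundTrips(src, expected) {
  try {
    return eval(src) === expected;
  } catch (e) {
    return false; // typically a SyntaxError: the data broke out of its string
  }
}

// Constructed sample that contains the delimiters of all three contexts.
const SAMPLE = 'He said "hi"; it\'s </script> \\ done';

console.log(roundTrips(buildLayered(SAMPLE), SAMPLE));       // true
console.log(roundTrips(buildSingleLayer(SAMPLE), SAMPLE));   // false
console.log(roundTrips(buildSingleLayer("hello"), "hello")); // true: the bug hides on benign input
```

The single-layer version passes benign input, which is why the missing second pass is easy to miss until the data contains a quote.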