How to use Encode.forHtml() in a JavaScript file?


If you are not planning on using any other server-side ESAPI features, you may be better off using ESAPI for JavaScript rather than ESAPI for Java, which is what it sounds like you are trying to use.

Author by

daniel

Updated on June 25, 2022

Comments

  • daniel almost 2 years

    I need to use Encode.forHtml() in a js file. I'm using the jar recommended by OWASP, encoder-1.2.jar. I'm following the details given on this page: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project

    Here all the examples are shown with scriptlets. I know scriptlets can be used only in JSP. But I want to use Encode.forHtml() in a js file, so can someone please help me and explain how I can use it in a js file?

    I tried the following but it didn't work:

    sample.js
    function test1_outsidejsp()
    {
     var test = "testforEncode";
     var msg = Encode.forJavaScriptBlock(test);
     alert(msg);
    }
    

    PS: There is no problem with the jar. I used Encode.forHtml() from a script written inside the JSP and it works fine. I have also imported the jar into the JSP:

    <%@page import="org.owasp.encoder.Encode" %>
    

    This is the script inside the JSP (this is working fine):

    <%String test="testing"; %>
    <script type="text/javascript">
    function testfn_insidejsp()
    {
     var msg = "<%= Encode.forJavaScriptBlock(test) %>";
     alert(msg);
    }
    </script>
    

    I need to know how to write that without the scriptlet in a js file.

  • Kevin W. Wall over 7 years
    There is also a port of ESAPI4JS that was done explicitly for Node.js that you can find at github.com/ESAPI/node-esapi
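
A static .js file is sent to the browser as-is and never passes through the JSP engine, so the server-side `Encode` class does not exist there and the encoding has to happen in JavaScript. The block below is an added example, not code from the thread and not ESAPI or OWASP Java Encoder code: a hand-written encoder for HTML element content and quoted attribute values, with the hypothetical names `encodeForHtml` and `safeHtml`.

```javascript
// Added example: hand-written helper, not the ESAPI or OWASP Java Encoder API.
// Assumption: output is placed only in element content or inside a quoted
// attribute value. It is NOT suitable for script, style or URL contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&#34;',
  "'": '&#39;',
};

function encodeForHtml(value) {
  // null/undefined become empty text; everything else is stringified first,
  // so numbers and objects cannot bypass the encoder.
  const text = value === null || value === undefined ? '' : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are markup written by the developer,
// every interpolated value is encoded before being joined in.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) =>
      out + part + (i < values.length ? encodeForHtml(values[i]) : ''),
    ''
  );
}

// Constructed sample input standing in for untrusted data.
const untrusted = 'Tom & "Jerry" <b>\'s</b>';

function renderGreeting(name) {
  // Both the attribute value and the element body are encoded.
  return safeHtml`<p title="${name}">Hello, ${name}</p>`;
}

console.log(renderGreeting(untrusted));
```

When the value only needs to appear as text, assigning it to `element.textContent` avoids building markup at all.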