Using the OWASP checklist, which is the correct way protect this situation? This is

Question

0

Asked: June 3, 20262026-06-03T09:06:39+00:00 2026-06-03T09:06:39+00:00

Using the OWASP checklist, which is the correct way protect this situation? This is

0

Using the OWASP checklist, which is the correct way protect this situation? This is url inside of a javascript string where a url parameter needs to have xss protection.

Problem:

<script>
    var u = 'xyz.html?x=<% url.baddata %>'  
    dosomeAjax(u);
</script>

Possible solution 1:

var u = 'xyz.html?x=<% encodeForURL(url.baddata) %>'

Possible solution 2:

var u = 'xyz.html?x=<% encodeForJavaScript(url.baddata) %>'

Possible solution 3:

var u = 'xyz.html?x=<% encodeForJavaScript(encodeForURL(url.baddata)) %>'

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-03T09:06:40+00:00

Solution 3 should be used:

//solution 3:
var u = 'xyz.html?x=<% encodeForJavaScript(encodeForURL(url.baddata)) %>';

It is easier to see that this is correct if we rewrite the expression as:

var u = '<% encodeForJavaScript("xyz.html?x=" + encodeForURL(url.baddata)) %>';

First, we are creating a safe URL by appending baddata to a string constant, using the appropriate escape function. Then we are taking that safe URL and placing it in a JavaScript string, so we have to call the JavaScript escape function.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Using the OWASP checklist, which is the correct way protect this situation? This is

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply