org.owasp.esapi.codecs
Class JavaScriptCodec
java.lang.Object
org.owasp.esapi.codecs.Codec
org.owasp.esapi.codecs.JavaScriptCodec
public class JavaScriptCodec
- extends Codec
Implementation of the Codec interface for backslash encoding in JavaScript.
- Since:
- June 1, 2007
- Author:
- Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
- See Also:
Encoder
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
JavaScriptCodec
public JavaScriptCodec()
encodeCharacter
public String encodeCharacter(char[] immune,
Character c)
- Default implementation that should be overridden in specific codecs.
Returns the backslash-encoded numeric format. Does not use backslash character escapes
such as \" or \', as these may cause parsing problems. For example, if a JavaScript
attribute such as onmouseover contains a \", the quote will close the entire attribute and
allow an attacker to inject another script attribute.
- Overrides:
encodeCharacter
in class Codec
- Parameters:
immune
c
- the Character to encode
- Returns:
- the encoded Character
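The following added example is not ESAPI source code. It contrasts the \" and \' character escapes with the numeric format described above and checks which one survives an HTML parser reading a double-quoted onmouseover attribute. All class and method names, the sample input, the immune set, and the pass-through rule for ASCII letters and digits are assumptions made for the illustration.

```java
// Added illustration, not ESAPI source. All names below are hypothetical.
public class NumericJsEscapeDemo {

    // Numeric backslash encoding: backslash-x HH below 256, backslash-u HHHH otherwise.
    // Assumption: ASCII letters/digits and the caller's immune characters pass through.
    static String encodeNumeric(String in, char[] immune) {
        String keep = new String(immune);
        StringBuilder out = new StringBuilder();
        for (char c : in.toCharArray()) {
            boolean asciiAlnum = c < 128 && Character.isLetterOrDigit(c);
            if (asciiAlnum || keep.indexOf(c) >= 0) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    // The character-escape style the description warns about (backslash before each quote).
    static String encodeWithCharEscapes(String in) {
        return in.replace("\\", "\\\\").replace("\"", "\\\"").replace("'", "\\'");
    }

    // An HTML parser ends a double-quoted attribute at the first '"' it sees;
    // backslashes mean nothing to it. Returns the value the browser would keep.
    static String attributeValueSeenByHtml(String textAfterOpeningQuote) {
        return textAfterOpeningQuote.substring(0, textAfterOpeningQuote.indexOf('"'));
    }

    public static void main(String[] args) {
        String input = "O'Neil said \"hi\" \u20AC";   // constructed sample value
        char[] immune = {',', '.', '_'};              // constructed immune set
        String[] encodings = {encodeWithCharEscapes(input), encodeNumeric(input, immune)};
        for (String encoded : encodings) {
            String script = "show('" + encoded + "')";
            // Text that would follow: <a onmouseover="
            String parsed = attributeValueSeenByHtml(script + "\">link</a>");
            System.out.println(encoded);
            System.out.println("  attribute intact: " + parsed.equals(script));
        }
    }
}
```

The character-escaped form reports `attribute intact: false` because the HTML parser stops at the first double quote, while the numeric form contains no quote characters and reports `true`.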
decodeCharacter
public Character decodeCharacter(PushbackString input)
- Returns the decoded version of the next character from the input string and advances the
current character in the PushbackString. If the current character is not encoded, this
method MUST reset the PushbackString.
Returns the decoded version of the character starting at index, or
null if no decoding is possible.
See http://www.planetpdf.com/codecuts/pdfs/tutorial/jsspec.pdf
All formats are legal in both upper and lower case:
\a - special characters
\xHH
\uHHHH
\OOO (1, 2, or 3 digits)
- Overrides:
decodeCharacter
in class Codec
- Parameters:
input
- the Character to decode
- Returns:
- the decoded Character
Copyright © 2013 The Open Web Application Security Project (OWASP). All Rights Reserved.