Details
Description
1. When I develop the JSP page, for security reasons I use the "?html" built-in to encode the attribute "onclick" in button.ftl as below:
<span id="${btnID?html}" style="${(style!'')?html}" tabindex="0" class=" ${(css!'')?html}" <@htmc.disabled /> <#if btnTitle!=''>title="${btnTitle?html}"</#if><#lt>
<#if btnOnClick??> onclick="${btnOnClick?html}"</#if> > <#lt>
2. In the JSP b.jsp, I write this: <powercom:button id="game" onclick="submit('${name}')" />;
3. The variable name comes from another page, a.jsp; the user can input the value for the parameter name, then the user jumps to b.jsp;
4. If I input the value "');console.log(1)//" or "');alert(1)//" for name in a.jsp (note that this simulates an attack), it will be executed when I jump to b.jsp: the variable "btnOnClick" is assigned the value "submit('${name}')", so the attack statement is spliced together as onclick="submit('');alert(1)//')", and the page pops up a message box showing "1".
5. Because the built-in "?html" does not escape the left and right parentheses "(" and ")", the attack statements can be executed. I think the left and right parentheses "(" and ")" should be escaped by the "?html" built-in for security. Thanks
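The following is an added worked example, not code from the report or from the FreeMarker project. It models the two escaping stages involved in the report's template: an attribute-level HTML escape (approximating what `?html` does: `&`, `<`, `>`, `"`) and a JavaScript-string-literal escape (my own implementation, in the spirit of FreeMarker's `?js_string`, not its actual code). It then renders the report's `onclick="submit('${name}')"` pattern both ways, HTML-decodes the attribute the way a browser would, and checks whether the JavaScript string literal is still intact. The function names, the `submit(...)` handler shape and the sample input values are assumptions made for this example. The point it demonstrates: HTML escaping protects the attribute boundary, but a value placed inside a JavaScript string literal has to be escaped for that context first, and then the whole attribute HTML-escaped; adding parentheses to the HTML escape would not address the quote character that actually terminates the literal.

```python
"""
Added illustration: contextual escaping for a value embedded in a JavaScript
string literal inside an HTML onclick attribute (example code, not FreeMarker's).
"""
import html


def html_escape(value: str) -> str:
    """Approximation of FreeMarker's ?html: escape &, <, > and the double quote.
    Assumption: this mirrors the documented character set; it is not the real built-in."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def js_string_escape(value: str) -> str:
    """Escape a value for use inside a JavaScript string literal.
    Own implementation for this example (in the spirit of ?js_string): backslash,
    both quote characters, line terminators, and < / > so the literal can never
    close a surrounding <script> element either."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "'":
            out.append("\\'")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch in "<>":
            out.append("\\u%04X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_button_html_only(name: str) -> str:
    """The report's pattern: onclick="submit('${name}')" passed through ?html only."""
    btn_on_click = "submit('%s')" % name
    return '<span id="game" onclick="%s">' % html_escape(btn_on_click)


def render_button_js_then_html(name: str) -> str:
    """Hardened pattern: escape for the JS string literal first, then HTML-escape
    the attribute (in FreeMarker terms: ${name?js_string} inside the handler,
    ${btnOnClick?html} on the attribute)."""
    btn_on_click = "submit('%s')" % js_string_escape(name)
    return '<span id="game" onclick="%s">' % html_escape(btn_on_click)


def onclick_value(rendered: str) -> str:
    """What the browser executes: the onclick attribute after HTML entity decoding."""
    start = rendered.index('onclick="') + len('onclick="')
    end = rendered.index('"', start)
    return html.unescape(rendered[start:end])


def string_literal_is_intact(handler: str) -> bool:
    """True if the handler is exactly submit('<one string literal>') and nothing else.
    The literal body is scanned the way a JS tokenizer would: a backslash escapes the
    next character, and an unescaped single quote terminates the literal early, which
    means whatever follows would run as additional code."""
    prefix, suffix = "submit('", "')"
    if not (handler.startswith(prefix) and handler.endswith(suffix)):
        return False
    body = handler[len(prefix):-len(suffix)]
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2          # escaped character: skip it
        elif body[i] == "'":
            return False    # literal closed early; injected statements follow
        else:
            i += 1
    return True


if __name__ == "__main__":
    # Constructed sample values: a benign name and the report's test input.
    for name in ("Alice", "');alert(1)//"):
        for label, render in (("html only", render_button_html_only),
                              ("js_string then html", render_button_js_then_html)):
            handler = onclick_value(render(name))
            print("%-20s %-18r -> %r intact=%s"
                  % (label, name, handler, string_literal_is_intact(handler)))
```

Run as a script, the report's input leaves the handler as `submit('');alert(1)//')` under the HTML-only path (literal broken), while the JS-then-HTML path yields `submit('\');alert(1)//')`, where the quote stays inside the literal. The same layering applies to any attribute or `<script>` block that embeds user data in JavaScript code: escape for the innermost context first, then for each enclosing one.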