|
94 | 94 | * stores some untrusted data item such as an email address from a user. A |
95 | 95 | * developer thinks "let's output encode this and store the encoded data in |
96 | 96 | * the database, thus making the untrusted data safe to use all the time, thus |
97 | | -* saving all of use developers all the encoding troubles later on". On the surface, |
| 97 | +* saving all of us developers all the encoding troubles later on". On the surface, |
98 | 98 | * that sounds like a reasonable approach. The problem is how to know what |
99 | 99 | * output encoding to use, not only for now, but for all possible <i>future</i> |
100 | 100 | * uses? It might be that the current application code base is only using it in |
101 | | - * an HTML contexxt that is displayed in an HTML report or shown in an HTML |
| 101 | + * an HTML context that is displayed in an HTML report or shown in an HTML |
102 | 102 | * context in the user's profile. But what if it is later used in a {@code mailto:} URL? |
103 | 103 | * Then instead of HTML encoding, it would need to have URL encoding. Similarly, |
104 | 104 | * what if there is a later switch made to use AJAX and the untrusted email |
105 | 105 | * address gets used in a JavaScript context? The complication is that even if |
106 | 106 | * you know with certainty today all the ways that an untrusted data item is |
107 | | - * used in your application, it is genrally impossible to predict all the |
| 107 | + * used in your application, it is generally impossible to predict all the |
108 | 108 | * contexts that it may be used in the future, not only in your application, but |
109 | 109 | * in other applications that could access that data in the database. |
110 | 110 | * </li> |
|
119 | 119 | * URL encoding within JavaScript</a>. Be sure to read the entire thread. |
120 | 120 | * The question itself is too nuanced to be answered in Javadoc, but now, |
121 | 121 | * hopefully you are at least aware of the potential pitfalls. There is little |
122 | | - * avaiable research or examples on how to do output encodeing when multiple |
| 122 | + * available research or examples on how to do output encoding when multiple |
123 | 123 | * mixed encodings are required, although one that you may find useful is |
124 | 124 | * <a href="https://arxiv.org/pdf/1804.01862.pdf" target="_blank" |
125 | 125 | * rel="noopener noreferrer"> |
|
132 | 132 | * <pre> |
133 | 133 | * </script>alert(1)</script> |
134 | 134 | * </pre> |
135 | | - * or similiar simplistic XSS attack payloads and if that is properly encoded |
| 135 | + * or similar simplistic XSS attack payloads and if that is properly encoded |
136 | 136 | * (or, you don't see an alert box popped in your browser), you consider it |
137 | 137 | * "problem fixed", consider the unit testing sufficient. Unfortunately, that |
138 | | - * minimalist testing may not always detect places were you used the wrong decoder. You need to do better. |
| 138 | + * minimalist testing may not always detect places where you used the wrong decoder. You need to do better. |
139 | 139 | * Fortunately, the aforementioned link, |
140 | 140 | * <a href="https://arxiv.org/pdf/1804.01862.pdf" target="_blank" |
141 | 141 | * rel="noopener noreferrer"> |
142 | 142 | * Automated Detecting and Repair of Cross-SiteScripting Vulnerabilities through Unit Testing</a> |
143 | 143 | * provides some insight. You may also wish to look at the |
144 | 144 | * <a href="https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/test/java/org/owasp/esapi/reference/EncoderTest.java" |
145 | 145 | * target="_blank" rel="noopener noreferrer">ESAPI Encoder JUnittest cases</a>. |
146 | | - * If you are really ambitious, an excellent resource for XSS attack patters is |
| 146 | + * If you are really ambitious, an excellent resource for XSS attack patterns is |
147 | 147 | * <a href="https://beefproject.com/" target="_blank" rel="noopener noreferrer">BeEF - The Browser Exploitation Framework Project</a>. |
148 | 148 | * </li> |
149 | 149 | * </ul> |
|
0 commit comments