Why Can't I Just HTML Entity Encode Untrusted Data

I’m trying to provide a somewhat meaningful example of “Why Can’t I Just HTML Entity Encode Untrusted Data?”. I’d like the demo to work within a JSP (or other Java-based templating technology). Concretely, I’ve currently come up with the following example:

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
<head></head>
<body>
<script>
    <%-- untrusted value rendered with <c:out>, which HTML-entity encodes it --%>
    <c:out value="alert(7)"/>
</script>
<p>
    <c:out value="alert(7)"/>
</p>
</body>
</html>
```

The example demonstrates how properly HTML encoding an untrusted value alert(7) will be fine in an HTML context, but unsafe in a <script>. However, it is not very realistic because a user would likely place the untrusted value in quotes:

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
<head></head>
<body>
<script>
    <%-- same untrusted value, but inside a JavaScript string literal --%>
    var v = '<c:out value="alert(7)"/>';
</script>
<p>
    <c:out value="alert(7)"/>
</p>
</body>
</html>
```

So I’d like an example that demonstrates “Why Can’t I Just HTML Entity Encode Untrusted Data?”. I’d like the demo to work within a JSP (or other Java-based templating technology) but within a more realistic context. I’m fine if the attack is simply popping up an alert.
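An added example (my code, not the gist's) that answers the question in JavaScript so it runs outside a servlet container: `escapeXml` reimplements the five replacements `<c:out>` makes, `decodeEntities` models the browser's HTML parser, and the attacker values and the `f(...)` handler are constructed; `jsEscape` covers the ASCII range only.

```javascript
// Added example, not from the gist: a model of what JSTL's <c:out> emits and
// what the browser then does with it in each output context.
const untrusted = "');alert(7);//";         // constructed attacker value (JS breakout)
const untrustedUrl = "javascript:alert(7)"; // constructed attacker value (URL)
// What <c:out escapeXml="true"> does: exactly these five characters are replaced.
function escapeXml(s) {
  const map = { "<": "&lt;", ">": "&gt;", "&": "&amp;", "'": "&#039;", '"': "&#034;" };
  return s.replace(/[<>&'"]/g, (ch) => map[ch]);
}

// The HTML parser decodes entities in text and in attribute values, but never
// inside a <script> element; that difference is the whole story.
function decodeEntities(s) {
  const named = { lt: "<", gt: ">", amp: "&" };
  return s.replace(/&#(\d+);|&(lt|gt|amp);/g, (_, num, name) =>
    num ? String.fromCharCode(Number(num)) : named[name]);
}

// Context 1: string literal inside <script>. No entity decoding happens, so the
// encoded quote cannot end the literal; the JS engine sees a harmless string.
function scriptContext(v) {
  return `var v = '${escapeXml(v)}';`;
}

// Context 2: the same literal inside an event-handler attribute. The parser
// decodes the attribute before the JS engine runs it, so the quote is restored
// and the attacker's code follows the closing quote.
function handlerContext(v) {
  return decodeEntities(`f('${escapeXml(v)}')`);
}

// Context 3: URL in an href. A javascript: URL contains none of the five
// characters, so HTML encoding changes nothing at all.
function hrefContext(v) {
  return escapeXml(v);
}

// The fix is encoding for the innermost context first: JS-escape (\xHH) then
// HTML-escape for the handler, and a scheme allowlist instead of encoding for href.
function jsEscape(s) {
  return s.replace(/[^A-Za-z0-9 ]/g,
    (ch) => "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0"));
}
function safeHandlerContext(v) {
  return decodeEntities(`f('${escapeXml(jsEscape(v))}')`);
}
function safeHref(v) {
  return /^(https?:\/\/|\/(?!\/))/i.test(v) ? escapeXml(v) : "#";
}
```

Counting the quote characters the JS engine actually receives is the quickest way to see the difference: two in the `<script>` and fixed-handler cases, three (a breakout) in the raw handler case.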
