Which one's correct?
<img src="#encodeForHTMLAttribute(FORM.path)#">
or
<img src="#encodeForURL(FORM.path)#">
or
<img src="#encodeForHTMLAttribute(encodeForURL(FORM.path))#">
?
Use the method(s) which match the context of where you are inserting the text that needs encoding.
encodeForUrl is for placing dynamic text into a URL - so it will replace / with %2F (and so on), and if you apply it to an entire URL, you will have an encoded URL (which is therefore broken for use in a src attribute).
If you are allowing users to supply a partial URL, you would need to split on / (and any other relevant delimiters), apply encodeForUrl on each part, then join back together again.
Note: encodeForUrl appears to pass its string straight to Java, which means backslashes are treated as escape characters - \b\n encodes to %08%0A instead of %5Cb%5Cn - this behaviour is not part of standard URL encoding (nor CF strings in general). To avoid this use the function UrlEncodedFormat instead.
encodeForHTMLAttribute is for placing dynamic text into an HTML attribute - its purpose is to ensure the contents are treated as text (not parsed as HTML) - it doesn't know/care whether its contents are a URL or something else.
In summary, you probably want encodeForHtmlAttribute( UrlEncodedFormat( Form.Path ) ) for this situation.
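The split-encode-join approach from the answer above, written out as an added CFML example (not code from the original question or answer). It assumes a user-supplied relative path in FORM.path, uses UrlEncodedFormat per segment as the answer recommends, and applies encodeForHTMLAttribute last because the final context is the src attribute; the function name encodePathForImgSrc and the sample inputs are constructed for this example.

```cfml
<cfscript>
// Added example, not from the original answer: prepare a user-supplied
// relative image path for an <img src="..."> attribute.
// 1. URL-encode each path segment on its own, so "/" survives as a separator
//    (encoding the whole string would turn "/" into %2F and break the path).
// 2. Attribute-encode the joined result, because the outermost context is
//    an HTML attribute; browsers decode entities before using the URL.
function encodePathForImgSrc( required string path ) {
    // includeEmptyFields=true keeps a leading "/" (and "a//b") intact
    var segments = listToArray( arguments.path, "/", true );
    var encodedSegments = [];
    for ( var i = 1; i <= arrayLen( segments ); i++ ) {
        // UrlEncodedFormat rather than encodeForURL: it does not treat
        // backslashes as Java escape characters (see the note above)
        arrayAppend( encodedSegments, urlEncodedFormat( segments[ i ] ) );
    }
    var urlPart = arrayToList( encodedSegments, "/" );
    // Outermost context last: the value sits inside a quoted attribute
    return encodeForHTMLAttribute( urlPart );
}

// Constructed sample inputs (not real user data)
samples = [
    "images/my photo.png",      // space is encoded inside the segment
    "/uploads/a&b/c.jpg",       // "&" is encoded, "/" separators are kept
    'gallery/say "hi"<1>.png'   // quote and angle brackets never reach the attribute raw
];
for ( i = 1; i <= arrayLen( samples ); i++ ) {
    writeOutput( '<img src="' & encodePathForImgSrc( samples[ i ] ) & '"><br>' );
}
</cfscript>
```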