
Escaping Query Parameter values in ESI tag to avoid cross site scripting

Question asked by Chandran Nagarajan on Apr 15, 2016
Latest reply on May 16, 2016 by Akshay Ranganath

All,

We are trying to find a way to escape the query parameter values that are used directly in the ESI tag. This is for preventing cross-site scripting (XSS). Any help is appreciated. Below is the ESI code.


// Java servlet code that writes the <esi:assign> tag; the $(QUERY_STRING{...})
// references are substituted, unescaped, by the edge server at ESI evaluation time.
writer.print("<esi:assign name=\"storecookie\" value=\"'"
    + retailDirectCookieName
    + "=' + $(QUERY_STRING{'storeid'}) + '|' + $(QUERY_STRING{'rcode'}) + '|' + $(QUERY_STRING{'retailcat'}) "
    + orderChannelString
    + "\"/>");
