Merge pull request OWASP#203 from lirantal/fix/xss-context

fix: example of xss in bad context using a dedicated profile field

app/routes/profile.js

@@ -20,10 +20,10 @@ function ProfileHandler (db) {
             // while the developer intentions were correct in encoding the user supplied input so it
             // doesn't end up as an XSS attack, the context is incorrect as it is encoding the firstname for HTML
             // while this same variable is also used in the context of a URL link element
-            doc.firstNameSafeString = ESAPI.encoder().encodeForHTML(doc.firstName)
+            doc.website = ESAPI.encoder().encodeForHTML(doc.website)
             // fix it by replacing the above with another template variable that is used for 
             // the context of a URL in a link header
-            // doc.doc.firstNameSafeURLString = ESAPI.encoder().encodeForURL(urlInput)
+            // doc.website = ESAPI.encoder().encodeForURL(doc.website)
 
             return res.render("profile", doc);
         });

app/views/profile.html

@@ -65,6 +65,11 @@ <h3 class="panel-title">Edit Profile</h3>
                         <label for="address">Address</label>
                         <input type="text" class="form-control" id="address" name="address" value="{{address}}" placeholder="Enter address">
                     </div>
+                    <div class="form-group">
+                        <label for="website">Website</label>
+                        <input type="text" class="form-control" id="website" name="website" value="{{website}}"
+                            placeholder="https://">
+                    </div>
                     <input type="hidden" name="_csrf" value="{{csrftoken}}" />
                     <button type="submit" class="btn btn-default" name="submit">Submit</button>