[OWASP-ESAPI] Encoder feedback

Ivan Ristic ivan.ristic at gmail.com
Tue Jul 8 20:30:44 EDT 2008


Hi,

I've been looking at the reference implementation of the ESAPI Encoder
interface, but I am having trouble understanding what this interface
is aiming to accomplish. Here are my questions and comments:

1. What is the escapeForJavaScript method supposed to do? The name
implies it will convert my data into a form that can be safely passed
into JavaScript (e.g. into a string), but in my tests the method
encodes data using HTML entities. I was expecting my data to be
encoded using the JavaScript encoding syntax (e.g. \uHHHH).

2. For cases where nested encoding is required, are you expecting
users to manually chain method invocations, or is the plan to provide
helper methods where commonly required (e.g. encode for JavaScript
then encode for HTML attribute)?

3. I don't understand this business of detecting double encodings:
firstly because that should not be a concern of an encoding library
and, secondly, because what you consider doubly encoded is entirely
legitimate: what is a developer supposed to do when his program gets
" " in input, but you respond with an exception when asked to
encode for HTML? How is ESAPI going to handle CMS applications?

Maybe I just don't understand what the method is doing? For example,
when I pass "&" to it, I get "&" back. I was expecting to get
"&".

4. I think encodeForCSS should be added.

5. encodeForSQL looks dangerous in principle: different SQL dialects
use different meta-characters so it's not possible to handle all
dialects with only one function. Something like encodeForMySQL would
be better.

-- 
Ivan Ristic
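As an added illustration of points 1 and 2 above (example code written for this page, not ESAPI's reference implementation and not from the post): a JavaScript-syntax encoder next to an HTML-attribute encoder, and the nesting order needed when a JavaScript string sits inside an HTML attribute. The function names are assumptions that only mirror the interface being discussed.

```javascript
// Added example, not ESAPI code. Function names are assumptions that mirror
// the interface discussed in the post.
const ALNUM = /^[A-Za-z0-9]$/;

// JavaScript string-literal context: every non-alphanumeric UTF-16 unit is
// written as \xHH or \uHHHH, so the data can neither end the literal nor be
// parsed as code. This is the \uHHHH-style syntax the post expected.
function encodeForJavaScript(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (ALNUM.test(ch)) { out += ch; continue; }
    const code = s.charCodeAt(i);
    out += code <= 0xff
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  }
  return out;
}

// HTML attribute context: numeric character references, so the data cannot
// close the quoted value or open a tag.
function encodeForHTMLAttribute(s) {
  let out = "";
  for (const ch of s) {
    out += ALNUM.test(ch) ? ch : "&#x" + ch.codePointAt(0).toString(16) + ";";
  }
  return out;
}

// Nested context, e.g. onclick="f('DATA')": the browser decodes the attribute
// (HTML layer) first and only then hands the value to the JavaScript parser,
// so data is encoded innermost-first: JavaScript, then HTML attribute.
function encodeForJavaScriptInAttribute(s) {
  return encodeForHTMLAttribute(encodeForJavaScript(s));
}

// Models the browser's two decoding layers in that order, to check which
// nesting order hands the script the original data unchanged.
function browserDecode(attrValue) {
  const afterHtml = attrValue.replace(/&#x([0-9a-f]+);/gi,
    (_, h) => String.fromCodePoint(parseInt(h, 16)));
  return afterHtml.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Constructed sample value. Reversing the order leaves HTML entities inside
// the JavaScript string, the behaviour the post's first point describes.
const sample = "O'B<&>";
console.log(browserDecode(encodeForJavaScriptInAttribute(sample)) === sample); // true
console.log(browserDecode(encodeForJavaScript(encodeForHTMLAttribute(sample)))); // O&#x27;B&#x3c;&#x26;&#x3e;
```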
