[OWASP-ESAPI] Encoder feedback
ivan.ristic at gmail.com
Tue Jul 8 20:30:44 EDT 2008
I've been looking at the reference implementation of the ESAPI Encoder
interface, but I am having trouble understanding what this interface
is aiming to accomplish. Here are my questions and comments:
implies it will convert my data into a form that can be safely passed
encodes data using HTML entities. I was expecting my data to be
2. For cases where nested encoding is required, are you expecting
users to manually chain method invocations, or is the plan to provide
then encode for HTML attribute).
3. I don't understand this business of detecting double encodings:
firstly because that should not be a concern of an encoding library
and, secondly, because what you consider doubly encoded is entirely
legitimate: what is a developer supposed to do when his program gets
"&nbsp;" in input, but you respond with an exception when asked to
encode for HTML? How is ESAPI going to handle CMS applications?
Maybe I just don't understand what the method is doing? For example,
when I pass "&" to it, I get "&" back. I was expecting to get
4. I think encodeForCSS should be added.
5. encodeForSQL looks dangerous in principle: different SQL dialects
use different meta-characters so it's not possible to handle all
dialects with only one function. Something like encodeForMySQL would
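An added example, not ESAPI code and not part of the message above, illustrating points 2 and 3: context encoders are chained innermost-first (JavaScript string literal, then HTML attribute), and encoding an already HTML-encoded value such as "&nbsp;" is simply another round of encoding that decodes back losslessly. The function names and the `onclick` layout are my own assumptions.

```python
# Added example (not ESAPI's code): minimal contextual output encoders.
import html

def encode_for_html(s: str) -> str:
    """HTML body/text context: escape & < > " ' as entities; nothing else."""
    return html.escape(s, quote=True)

def encode_for_html_attribute(s: str) -> str:
    """HTML attribute context: hex-entity every non-alphanumeric ASCII and
    every non-ASCII character, so the value is safe even if unquoted."""
    return "".join(ch if ch.isascii() and ch.isalnum()
                   else "&#x%02X;" % ord(ch) for ch in s)

def encode_for_javascript(s: str) -> str:
    """JS string-literal context: \\xHH for Latin-1, \\uHHHH (UTF-16 code
    units, so astral characters become a surrogate pair) for the rest."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02X" % ord(ch))
        else:
            units = ch.encode("utf-16-be")
            out.extend("\\u%04X" % int.from_bytes(units[i:i + 2], "big")
                       for i in range(0, len(units), 2))
    return "".join(out)

def onclick_attribute(user_value: str) -> str:
    """Nested context: a JS string literal inside an HTML attribute value.
    Encode the innermost context first (JS), then the outer one (HTML
    attribute); the browser undoes the outer layer before the JS parser runs."""
    inner = encode_for_javascript(user_value)
    outer = encode_for_html_attribute(inner)
    return "onclick=\"show('" + outer + "')\""

def html_round_trips(s: str) -> bool:
    """Encoding already-encoded input (e.g. "&nbsp;") is legitimate: the
    entity decoder returns the original string, no exception needed."""
    return html.unescape(encode_for_html(s)) == s

if __name__ == "__main__":
    print(encode_for_html("&nbsp;"))          # &amp;nbsp;
    print(onclick_attribute("</script>"))     # constructed sample input
```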