[OWASP-ESAPI] Encoder feedback

Greg Rubin grrubin at gmail.com
Wed Jul 9 04:13:12 EDT 2008


We definitely don't want a black-list.  My only recommendations are to 
use a slightly broader white-list (to keep strings from bloating too 
much, [-0-9a-zA-Z .,_]) and to special case the most common escapes (to 
keep down bloat and produce more legible output, \t \n \\ \' and \")

Greg
|
| This sounds like a blacklist to me :-)
|
| How about:
|
| Encode characters > 7f with \uhhhh
| Don't encode characters in '[A-Za-z ]'
| Otherwise encode everything with \xhh
|
| ??
|
| Rogan
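For reference, here is an added example (not ESAPI's own encoder, and not code from either poster) that implements the whitelist scheme discussed above in Python: keep `[-0-9a-zA-Z .,_]` as-is, use the short escapes for `\t \n \\ \' \"`, `\uhhhh` for anything above 0x7f, and `\xhh` for everything else. The function names and the round-trip decoder are my own additions for checking the output.

```python
import re

# Whitelist from Greg's proposal: [-0-9a-zA-Z .,_]
SAFE = set("-0123456789abcdefghijklmnopqrstuvwxyz"
           "ABCDEFGHIJKLMNOPQRSTUVWXYZ .,_")

# Short escapes for the most common characters, to keep output legible.
SHORT = {"\t": "\\t", "\n": "\\n", "\\": "\\\\", "'": "\\'", '"': '\\"'}


def encode_for_javascript(s: str, short_escapes: bool = True) -> str:
    """Encode untrusted text for placement inside a JS string literal."""
    out = []
    for ch in s:
        cp = ord(ch)
        if ch in SAFE:
            out.append(ch)
        elif short_escapes and ch in SHORT:
            out.append(SHORT[ch])
        elif cp > 0x7F:
            # \uhhhh per UTF-16 code unit; non-BMP chars become a surrogate pair
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
        else:
            out.append("\\x%02x" % cp)  # ASCII outside the whitelist
    return "".join(out)


# --- Decoder, used only to verify that the encoding round-trips -----------
_ESC = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|(.))", re.S)
_SHORT_REV = {v[1]: k for k, v in SHORT.items()}  # 't' -> '\t', etc.


def decode_javascript(s: str) -> str:
    """Reverse encode_for_javascript (hypothetical helper for testing)."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return _SHORT_REV.get(m.group(3), m.group(3))
    decoded = _ESC.sub(repl, s)
    # Rejoin surrogate pairs that came from \uhhhh\uhhhh sequences.
    return decoded.encode("utf-16-be", "surrogatepass").decode("utf-16-be")


if __name__ == "__main__":
    sample = "it's \"done\"\n\U0001F600 </script>"  # constructed input
    print(encode_for_javascript(sample))
```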