[OWASP-ESAPI] Encoder feedback
Jeff Williams
jeff.williams at owasp.org
Thu Jul 10 19:45:52 EDT 2008
Thanks Greg - this is awesome. Rough consensus and running code -- I love
it. I'll get this into the Encoder with some good test cases right away.
Thanks,
--Jeff
-----Original Message-----
From: Gregory Rubin [mailto:grrubin at gmail.com]
Sent: Wednesday, July 09, 2008 7:09 PM
To: Rogan Dawes
Cc: jeff.williams at owasp.org; owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] Encoder feedback
I knew that I had this rattling around somewhere. It needs to be
checked and all that stuff (I had to extract it from some more domain
specific code).
    public static String escapeForJavaScript(String input) {
        if (null == input) {
            return null;
        }
        StringBuilder buf = new StringBuilder(input.length() + 2);
        int len = input.length();
        int x = 0;
        while (x < len) {
            int value = input.codePointAt(x);
            // Step by code point so a surrogate pair is handled once, not as
            // two lone surrogates.
            x += Character.charCount(value);
            if (isJavaScriptStringSafe(value)) {
                buf.appendCodePoint(value);
            } else {
                switch (value) {
                case 0x0A: // newline
                    buf.append("\\n");
                    break;
                case 0x09: // tab
                    buf.append("\\t");
                    break;
                case 0x22: // Double-quote
                    buf.append("\\\"");
                    break;
                case 0x27: // single-quote
                    buf.append("\\'");
                    break;
                case 0x5C: // backslash
                    buf.append("\\\\");
                    break;
                default:
                    // Everything else, including < > / and U+2028/U+2029, becomes a
                    // backslash-u escape. JavaScript's form takes exactly four hex
                    // digits, so a supplementary code point is written as its two
                    // UTF-16 surrogates.
                    for (char unit : Character.toChars(value)) {
                        buf.append(String.format("\\u%04X", (int) unit));
                    }
                }
            }
        }
        return buf.toString();
    }

    // Punctuation allowed through unescaped, in addition to letters and digits.
    private static final String javaScriptStringSafeOther = ".,;: ()?!_-+*&{}[]@#";

    private static boolean isJavaScriptStringSafe(int codepoint) {
        if (Character.isLetterOrDigit(codepoint)) {
            return true;
        }
        // Check the whitelisted special characters
        int len = javaScriptStringSafeOther.length();
        for (int x = 0; x < len; x++) {
            if (codepoint == javaScriptStringSafeOther.codePointAt(x)) {
                return true;
            }
        }
        return false;
    }
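As an added example, not code from this thread or from ESAPI: a JavaScript port of the escaper above, run against the kind of test cases Jeff mentions. Besides checking exact output, it feeds the escaped text back through the JS engine as a string literal (round trip) and checks that no raw `<`, `>` or line terminator survives, which is what matters when the literal sits inside an HTML `<script>` element (a raw `</script>` or U+2028 would still break it even with the quotes escaped). `SAFE_OTHER`, `roundTrips`, `hasNoScriptBreakout`, `allSamplesPass` and the `samples` inputs are names and data constructed for this example.

```javascript
// Added example: JavaScript port of escapeForJavaScript with test cases.
// All inputs in `samples` are constructed for this example.

// Same whitelist as the Java version (letters and digits are handled separately).
const SAFE_OTHER = new Set(".,;: ()?!_-+*&{}[]@#");

// Mirrors Character.isLetterOrDigit: Unicode letters (L) and decimal digits (Nd).
function isJavaScriptStringSafe(ch) {
  return /^[\p{L}\p{Nd}]$/u.test(ch) || SAFE_OTHER.has(ch);
}

function escapeForJavaScript(input) {
  if (input === null || input === undefined) return null;
  let out = "";
  for (const ch of input) {               // for..of iterates by code point
    if (isJavaScriptStringSafe(ch)) { out += ch; continue; }
    switch (ch) {
      case "\n": out += "\\n"; break;
      case "\t": out += "\\t"; break;
      case '"':  out += '\\"'; break;
      case "'":  out += "\\'"; break;
      case "\\": out += "\\\\"; break;
      default:
        // \uXXXX takes exactly four hex digits, so a code point above U+FFFF
        // is emitted as its two UTF-16 surrogates (ch.length === 2 here).
        for (let i = 0; i < ch.length; i++) {
          out += "\\u" + ch.charCodeAt(i).toString(16).toUpperCase().padStart(4, "0");
        }
    }
  }
  return out;
}

// Round trip: embed the escaped text in a double-quoted literal, let the engine
// parse it, and require the parsed value to equal the original input exactly.
function roundTrips(input) {
  const escaped = escapeForJavaScript(input);
  const parsed = new Function('return "' + escaped + '";')();
  return parsed === input;
}

// Script-element check: the escaped output must carry no raw angle bracket
// (so "</script>" cannot appear) and no raw JS line terminator.
function hasNoScriptBreakout(input) {
  return !/[<>\n\r\u2028\u2029]/.test(escapeForJavaScript(input));
}

const samples = [
  "plain text 123",
  '"; alert(1); //',                    // double-quote breakout attempt
  "'; alert(1); //",                    // single-quote breakout attempt
  "</script><script>alert(1)</script>", // HTML parser runs before JS parser
  "line\u2028separator",                // U+2028 ends a JS line, not an HTML one
  "emoji \u{1F600} end",                // supplementary code point
  "back\\slash\ttab\nnewline",
];

function allSamplesPass() {
  return samples.every((s) => roundTrips(s) && hasNoScriptBreakout(s));
}

for (const s of samples) {
  console.log(JSON.stringify(s), "->", escapeForJavaScript(s));
}
console.log("all samples pass:", allSamplesPass());
```

The round trip through `new Function` is a test-only device; it is what proves the escaper preserves the value rather than merely looking harmless. The second check is the one the quote-and-backslash cases do not cover on their own.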