[Esapi-dev] esapi-2.0.1.jar - incorrect treatement of named html entities?

Jim Manico jim.manico at owasp.org
Wed Jul 25 22:49:11 UTC 2012

Would you mind giving
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project a try? We are
considering replacing the current encoder impl with the Java Encoder
project. I'd love to hear your feedback...

Jim Manico
VP, Security Architecture
WhiteHat Security
(808) 652-3805

On Jul 25, 2012, at 10:25 AM, "Günther Zwetti" <guenther.zwetti at unycom.com>

  Hi Chris,

thanks for your answer. What do you mean by “should be an option, not

With the current implementation, characters like Ü,Ä,Ö (which are often
used in countries like Austria or Germany) can never be displayed correctly
but only their lower case representations  ü,ä,ö.

And this is definitely wrong and not only a matter of choice, isn’t it?

Could you therefore please make a suggestion what to do? Do you think my
bug fix to be correct without any negative side effects?

And what about the hard coded list and their configuration “double”? Are
there any differences between those two lists and what are they used for?

Thanks for your answers in advance!

Kind regards,


Esapi-dev mailing list
Esapi-dev at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-dev/attachments/20120725/17e7e262/attachment-0001.html>

More information about the Esapi-dev mailing list