[Esapi-user] encoded html not rendered correctly by browser

Rajbir Chahal rajbir.chahal at oracle.com
Thu Apr 22 12:11:05 EDT 2010


Data returned by Encoder APIs, e.g. encodeForHTML, encodeForHTMLAttribute,
is not being rendered correctly by the browser. For example, a small
table is to be displayed in the browser -
<table border="1"> <tr> <td>r1, c1</td> <td>r1, c2</td> </tr> <tr> 
<td>r2, c1</td> <td>r2, c2</td> </tr> </table>

Both the unencoded HTML and the encoded HTML (returned by
ESAPI.encoder().encodeForHTML()) for the table are sent to the browser.
The unencoded HTML is rendered correctly by the browser, but the
encoded HTML is displayed as "<table border="1"> <tr> <td>r1, c1</td> 
<td>r1, c2</td> </tr> <tr> <td>r2, c1</td> <td>r2, c2</td> </tr> 
</table>" and a table is not rendered.

The browser 'view page source' shows -
<p> encodeForHTML=<table border="1"> <tr> <td>r1, c1</td> <td>r1, 
c2</td> </tr> <tr> <td>r2, c1</td> <td>r2, c2</td> </tr> </table></p>

<p> encodeForHTML=&lt;table border&#x3d;&quot;1&quot;&gt; &lt;tr&gt; 
&lt;td&gt;r1, c1&lt;&#x2f;td&gt; &lt;td&gt;r1, c2&lt;&#x2f;td&gt; 
&lt;&#x2f;tr&gt; &lt;tr&gt; &lt;td&gt;r2, c1&lt;&#x2f;td&gt; 
&lt;td&gt;r2, c2&lt;&#x2f;td&gt; &lt;&#x2f;tr&gt; &lt;&#x2f;table&gt;</p>

Any suggestions why the encoded HTML is not rendered as expected?
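The output quoted in the post is what an HTML output encoder is meant to produce: every character that could start or end markup becomes a character reference, so the browser shows the string as text instead of building elements from it. The example below is added here and is not ESAPI's code; it is a small re-implementation in Python of the encoding shape visible in the post (alphanumerics, space, comma, dot, hyphen and underscore pass through, `<`, `>`, `&` and `"` become named entities, everything else becomes a hex reference such as `&#x3d;`), plus a parser check that shows what a browser makes of each version. The attribute variant's immune set (same set minus the space) is an assumption about ESAPI's behaviour, not something the post states.

```python
import html
from html.parser import HTMLParser

# Characters that pass through unencoded besides ASCII alphanumerics.
# The HTML body set is inferred from the post's output (space and comma
# survive); the attribute set, without the space, is assumed.
IMMUNE_HTML = set(",.-_ ")
IMMUNE_HTML_ATTRIBUTE = set(",.-_")

# Named entities for the markup-significant characters; all other
# non-immune characters fall back to a hex numeric reference.
NAMED_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}

# The table markup quoted in the post, used as the sample input.
TABLE = ('<table border="1"> <tr> <td>r1, c1</td> <td>r1, c2</td> </tr> '
         '<tr> <td>r2, c1</td> <td>r2, c2</td> </tr> </table>')


def _encode(text: str, immune: set) -> str:
    out = []
    for ch in text:
        if (ch.isascii() and ch.isalnum()) or ch in immune:
            out.append(ch)
        elif ch in NAMED_ENTITIES:
            out.append(NAMED_ENTITIES[ch])
        else:
            # e.g. '=' -> &#x3d; and '/' -> &#x2f; as seen in the post
            out.append(f"&#x{ord(ch):x};")
    return "".join(out)


def encode_for_html(text: str) -> str:
    """Encode a string for insertion into HTML element content."""
    return _encode(text, IMMUNE_HTML)


def encode_for_html_attribute(text: str) -> str:
    """Encode a string for insertion into a quoted HTML attribute value."""
    return _encode(text, IMMUNE_HTML_ATTRIBUTE)


class _DomSketch(HTMLParser):
    """Records the elements a browser would create and the text it would show."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def browser_view(fragment: str) -> tuple:
    """Return (element names created, visible text) for an HTML fragment."""
    parser = _DomSketch()
    parser.feed(fragment)
    parser.close()
    return parser.tags, "".join(parser.text)


if __name__ == "__main__":
    raw_tags, _ = browser_view(TABLE)
    enc = encode_for_html(TABLE)
    enc_tags, enc_text = browser_view(enc)
    print("raw fragment builds elements:", raw_tags)
    print("encoded fragment builds elements:", enc_tags)
    print("encoded fragment shows as text:", enc_text)
    print("round trip matches input:", html.unescape(enc) == TABLE)
```

Running the block shows the unencoded fragment producing `table`, `tr` and `td` elements while the encoded fragment produces none and displays the original string verbatim, which is exactly the behaviour the post observes. That is the control working: encodeForHTML is for untrusted data that must appear as text, and markup the application itself trusts and wants rendered is written to the page without it.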

