[Esapi-user] encoded html not rendered correctly by browser

Jim Manico jim.manico at owasp.org
Thu Apr 22 12:22:42 EDT 2010

The whole point of the encoding functions is so that markup does NOT 
execute or render in the browser so XSS (Cross Site Scripting) does 
not occur.

If your user data is HTML and you want to make it "safe" then you should 
use the AntiSamy Library.

The ESAPI validation library has "safeHTML" functions that give you easy 
hooks into AntiSamy.

Rajbir - this is a very critical concept - would you like me to elaborate?

Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager

> Hi,
> Data returned by Encoder apis e.g. encodeForHTML, encodeForHTMLAttribute
> is not being rendered correctly by the browser. For example a small
> table is to be displayed in the browser -
> <table border="1">  <tr>  <td>r1, c1</td>  <td>r1, c2</td>  </tr>  <tr>
> <td>r2, c1</td>  <td>r2, c2</td>  </tr>  </table>
> Both the unencoded html and encoded html (returned by
> ESAPI.encoder().encodeForHTML()) for the table is sent to the browser.
> The unencoded html is rendered correctly by the browser but the
> encoded html is displayed as "<table border="1">  <tr>  <td>r1, c1</td>
> <td>r1, c2</td>  </tr>  <tr>  <td>r2, c1</td>  <td>r2, c2</td>  </tr>
> </table>" and a table is not rendered.
> The browser 'view page source' shows -
> <p>  encodeForHTML=<table border="1">  <tr>  <td>r1, c1</td>  <td>r1,
> c2</td>  </tr>  <tr>  <td>r2, c1</td>  <td>r2, c2</td>  </tr>  </table></p>
> <p>  encodeForHTML=&lt;table border&#x3d;&quot;1&quot;&gt;&lt;tr&gt;
> &lt;td&gt;r1, c1&lt;&#x2f;td&gt;&lt;td&gt;r1, c2&lt;&#x2f;td&gt;
> &lt;&#x2f;tr&gt;&lt;tr&gt;&lt;td&gt;r2, c1&lt;&#x2f;td&gt;
> &lt;td&gt;r2, c2&lt;&#x2f;td&gt;&lt;&#x2f;tr&gt;&lt;&#x2f;table&gt;</p>
> Any suggestions why the encoded html is not rendered as expected?
> thanks,
> Rajbir
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
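The distinction Jim draws above, shown side by side in an added example that is not part of the thread and not ESAPI's own code. It assumes ESAPI 2.x on the classpath with a working ESAPI.properties and the bundled antisamy-esapi.xml policy; the class name, the context string "comment" and the sample input are constructed for illustration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

// Added example, not from the mailing-list thread. Assumes ESAPI 2.x with
// ESAPI.properties and antisamy-esapi.xml available on the classpath.
public class EncodeVsSanitize {

    // Constructed sample: the table from the original post plus an injected
    // script element, standing in for untrusted user-supplied HTML.
    static final String USER_HTML =
        "<table border=\"1\"><tr><td>r1, c1</td><td>r1, c2</td></tr>"
      + "<tr><td>r2, c1</td><td>r2, c2</td></tr></table>"
      + "<script>alert('xss')</script>";

    // Output encoding: every markup-significant character becomes an entity,
    // so the browser displays the table's source text literally and nothing
    // in it is parsed as markup. This is what Rajbir observed.
    static String asText(String untrusted) {
        return ESAPI.encoder().encodeForHTML(untrusted);
    }

    // Sanitization through ESAPI's AntiSamy hook: elements the policy allows
    // are kept and will render; script and other disallowed content is dropped.
    // Arguments are (context, input, maxLength, allowNull).
    static String asSafeHtml(String untrusted) throws ValidationException {
        return ESAPI.validator().getValidSafeHTML("comment", untrusted, 10000, false);
    }

    public static void main(String[] args) throws ValidationException {
        System.out.println("encodeForHTML    -> " + asText(USER_HTML));
        System.out.println("getValidSafeHTML -> " + asSafeHtml(USER_HTML));
    }
}
```

The first output is only ever safe to place where plain text is expected; the second is the one to emit when the application deliberately lets users author markup, and which elements survive it is decided entirely by the AntiSamy policy file, so review that policy rather than assuming a given tag will pass.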
