[Esapi-user] ESAPI encoding support for other languages

Jeff Williams jeff.williams at aspectsecurity.com
Fri Aug 20 13:24:58 EDT 2010


Hi Abhishek,

ESAPI is escaping those characters because there’s no way to know that they are not part of some attack.  I checked and those are the right HTML encodings for the input string you sent.  So I suspect that your application or framework is *ALSO* escaping.

1. Your code tries to write привет мир

2. ESAPI escapes to привет мир

3. Your framework escapes to п р и в е т м и р

Which would render in your browser as you indicated.  Try doing a view source on the generated HTML to see if I’m right.

If I am right, then you have to figure out how to resolve the double-escaping.  Let us know what you’re using and maybe we can help.

--Jeff


From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Abhishek Kaul
Sent: Friday, August 20, 2010 5:05 AM
To: esapi-user at lists.owasp.org
Subject: [Esapi-user] ESAPI encoding support for other languages

Hi all,

ESAPI is a great tool. I am very impressed with it.

While using it I am facing a problem. Maybe you guys can help me with it.

When I am encoding a user input which contains Latin characters, the encoding (tried with HTML encoding) works fine. But when I put in other characters such as French, I get junk values for non-Latin characters.

For example, if the input string is: привет мир (in Russian)
the output looks like: привет мир (it is showing the encoded values literally)

How to fix this problem? Any ideas?

Thanks a lot,
Abhishek
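
The three steps in Jeff's reply and his view-source check, as an added example that is not part of the original thread and is not ESAPI code. entity_encode and framework_escape are hypothetical stand-ins for the encoder and the framework layer, and the hex form of the character references is an assumption.

```python
import html
import re

SAMPLE = "привет мир"  # input string quoted in the thread


def entity_encode(text):
    """Hypothetical stand-in for the output encoder: ASCII letters, digits and
    spaces pass through; everything else becomes a hex character reference
    (the hex form is an assumption)."""
    return "".join(
        ch if ch.isascii() and (ch.isalnum() or ch == " ") else f"&#x{ord(ch):x};"
        for ch in text
    )


def framework_escape(markup):
    """Hypothetical stand-in for a framework that HTML-escapes output again."""
    return html.escape(markup, quote=True)


def browser_text(markup):
    """Text a browser displays: character references are decoded exactly once."""
    return html.unescape(markup)


# An escaped ampersand directly followed by the rest of a character reference.
DOUBLE_ESCAPED = re.compile(r"&amp;(?:#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);")


def find_double_escapes(page_source):
    """The view-source check: list every reference that was escaped twice."""
    return DOUBLE_ESCAPED.findall(page_source)


if __name__ == "__main__":
    once = entity_encode(SAMPLE)      # step 2: encoded once
    twice = framework_escape(once)    # step 3: escaped again by the framework
    print("encoded once   :", once)
    print("browser shows  :", browser_text(once))
    print("encoded twice  :", twice)
    print("browser shows  :", browser_text(twice))
    print("double escapes :", len(find_double_escapes(twice)))
```

Running find_double_escapes over the generated HTML of a page flags output that passes through two encoding layers; the usual resolution is to encode exactly once, at the layer closest to output.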

 
