[Esapi-user] ESAPI encoding support for other languages

Fri Aug 20 13:24:58 EDT 2010

Hi Abhishek,

ESAPI is escaping those characters because there’s no way to know that they are not part of some attack.  I checked and those are the right HTML encodings for the input string you sent.  So I suspect that your application or framework is *ALSO* escaping.

1.      Your code tries to write привет мир 

2.      ESAPI escapes to &#1087;&#1088;&#1080;&#1074;&#1077;&#1090; &#1084;&#1080;&#1088; 

3.      Your framework escapes to &amp;&#35;1087; &amp;&#35;1088; &amp;&#35;1080; &amp;&#35;1074; &amp;&#35;1077; &amp;&#35;1090; &amp;&#35;1084; &amp;&#35;1080; &amp;&#35;1088;   

Which would render in your browser as you indicated.  Try doing a view source on the generated HTML to see if I’m right.

If I am right, then you have to figure out how to resolve the double-escaping.  Let us know what you’re using and maybe we can help.

--Jeff

From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Abhishek Kaul
Sent: Friday, August 20, 2010 5:05 AM
To: esapi-user at lists.owasp.org
Subject: [Esapi-user] ESAPI encoding support for other languages

Hi all,

ESAPI is a great tool. I am very impressed with it. 

While using it i am facing a problem. Maybe you guys can help me with it. 

When i am encoding a user input which contains latin characters the encoding(tried with HTML encoding) works fine. But when i put in other characters such as french. I get junk values for non latin characters.

For eg. if input string is :  привет мир  (in russian)
         Output looks like   :  &#1087;&#1088;&#1080;&#1074;&#1077;&#1090; &#1084;&#1080;&#1088;    (it is showing the encoded values literally)

 How to fix this problem ? Any ideas ?

Thanks a lot,
Abhishek

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20100820/d06641d2/attachment.html 