[Esapi-user] ESAPI encoding support for other languages

Abhishek Kaul kaul_abhishek at yahoo.com
Sun Aug 22 14:59:40 EDT 2010


Hey, thanks for the reply, Jeff,

I am sorry. It was a problem on my part. Data was coming in ISO-8859-1 encoding instead of UTF-8 encoding. Anyway, it's resolved now. Everything is working fine.


Thanks again,
Cheers
-- Abhishek



--- On Fri, 20/8/10, Jeff Williams <jeff.williams at aspectsecurity.com> wrote:

From: Jeff Williams <jeff.williams at aspectsecurity.com>
Subject: RE: [Esapi-user] ESAPI encoding support for other languages
To: "Abhishek Kaul" <kaul_abhishek at yahoo.com>, esapi-user at lists.owasp.org
Date: Friday, 20 August, 2010, 5:24 PM

Hi Abhishek,

ESAPI is escaping those characters because there’s no way to
know that they are not part of some attack.  I checked and those are the right
HTML encodings for the input string you sent.  So I suspect that your
application or framework is *ALSO* escaping.

1. Your code tries to write привет мир

2. ESAPI escapes to &#1087;&#1088;&#1080;&#1074;&#1077;&#1090; &#1084;&#1080;&#1088;

3. Your framework escapes to &amp;&#35;1087; &amp;&#35;1088; &amp;&#35;1080; &amp;&#35;1074; &amp;&#35;1077; &amp;&#35;1090; &amp;&#35;1084; &amp;&#35;1080; &amp;&#35;1088;

Which would render in your browser as you indicated.  Try doing
a view source on the generated HTML to see if I’m right.

If I am right, then you have to figure out how to resolve the
double-escaping.  Let us know what you’re using and maybe we can help.

--Jeff

From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Abhishek Kaul
Sent: Friday, August 20, 2010 5:05 AM
To: esapi-user at lists.owasp.org
Subject: [Esapi-user] ESAPI encoding support for other languages

    Hi all,

    ESAPI is a great tool. I am very impressed with it.

    While using it I am facing a problem. Maybe you guys can help me with it.

    When I am encoding a user input which contains Latin characters, the
    encoding (tried with HTML encoding) works fine. But when I put in other
    characters, such as French, I get junk values for non-Latin characters.

    For e.g., if input string is: привет мир (in Russian)

    Output looks like: &#1087;&#1088;&#1080;&#1074;&#1077;&#1090; &#1084;&#1080;&#1088; (it is showing the encoded values literally)

    How to fix this problem? Any ideas?

    Thanks a lot,

    Abhishek
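
The three steps in Jeff's reply and the "view source" check, reproduced as an added example that is not part of the original thread. `encode_for_html` is a stand-in for an HTML output encoder (not ESAPI's code), `html.escape` plays the framework's second pass, and the charset helpers assume the mismatch was UTF-8 bytes decoded as ISO-8859-1.

```python
import html
import re

SAMPLE = "привет мир"  # the input string from the thread

def encode_for_html(text):
    # Stand-in for an output encoder (assumption, not ESAPI's code):
    # ASCII letters, digits and spaces pass, the rest become &#NNNN;
    return "".join(
        c if c == " " or (c.isascii() and c.isalnum()) else f"&#{ord(c)};"
        for c in text
    )

# "&amp;" followed by a numeric character reference means an already-encoded
# value was escaped again. "&#35;" is an escaped "#", as in step 3 above.
DOUBLE_ESCAPED = re.compile(r"&amp;(?:#|&#35;)(?:\d+|[xX][0-9A-Fa-f]+);")

def find_double_escaped(page_source):
    """Return the double-escaped references found in generated HTML source."""
    return DOUBLE_ESCAPED.findall(page_source)

def browser_text(page_source):
    """What a browser displays: exactly one round of entity decoding."""
    return html.unescape(page_source)

def misdecoded(text):
    """UTF-8 bytes read as ISO-8859-1 (assumed direction of the mismatch;
    the thread only names the two encodings)."""
    return text.encode("utf-8").decode("iso-8859-1")

def repair_misdecoded(text):
    """Undo misdecoded() by re-reading the same bytes as UTF-8."""
    return text.encode("iso-8859-1").decode("utf-8")

once = encode_for_html(SAMPLE)   # step 2: encoded once
twice = html.escape(once)        # step 3: a second layer escapes each "&"

if __name__ == "__main__":
    print(browser_text(once))                   # the Russian text
    print(browser_text(twice))                  # references shown literally
    print(find_double_escaped(twice))           # one hit per Cyrillic letter
    print(encode_for_html(misdecoded(SAMPLE)))  # every code point below 256
```

Running `find_double_escaped` over the generated page source automates the view-source check; an empty result with junk still on screen points to the charset path rather than a second escaping layer.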
    
   
  
  
  
 


   



 


