[Esapi-user] ESAPI development process

Kevin W. Wall kevin.w.wall at gmail.com
Wed Aug 25 22:22:26 EDT 2010

Patrick Higgins wrote:

> I'm not comfortable with the 2.0 upgrade right now given some
> differences in encoding. I've attached a table with all the
> differences I found when encoding all characters from 0 to
> Character.MAX_VALUE. The ones that concern me are the unprintable
> characters that have been replaced with spaces. I am not certain that
> some of our users aren't using those values--they have some unusual
> data at times. Is there an explanation of that change somewhere? Are
> there security concerns with allowing those characters through as
> entity-encoded values rather than replacing them with space
> characters?

Whatever it is that we figure out what we want the output to be,
this (table) would make a really great JUnit test for someone to add. It
would really be useful as a regression test. I'm too busy at the moment,
but perhaps Patrick already has something in that area since I'm
pretty sure he did not calculate that table by walking the code
doing a mental simulation. (But if he did, I'm impressed!)

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
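One way to turn a table like Patrick's into the regression test Kevin is asking for, as an added example that is not part of this thread or of ESAPI itself: enumerate every UTF-16 code unit from 0 to Character.MAX_VALUE, run each through ESAPI.encoder().encodeForHTML(), and compare the result against a golden table committed with the tests. Assumptions: JUnit 4 and ESAPI 2.x on the classpath (with an ESAPI.properties configuration available at runtime), and the golden file path src/test/resources/encodeForHTML-golden.txt, which is a hypothetical location chosen for this example.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

import org.junit.Test;
import org.owasp.esapi.ESAPI;

/**
 * Golden-table regression test for Encoder.encodeForHTML over every UTF-16
 * code unit. The first run records the table; later runs fail on any change.
 * Example test written for this thread, not part of the ESAPI project.
 */
public class EncodeForHTMLRegressionTest {

    // Hypothetical location of the golden table; commit it alongside the tests.
    private static final Path GOLDEN =
            Paths.get("src/test/resources/encodeForHTML-golden.txt");

    /** Encodes one UTF-16 code unit and renders the result as a table row. */
    static String row(char c) {
        String encoded = ESAPI.encoder().encodeForHTML(String.valueOf(c));
        return String.format("U+%04X\t%s", (int) c, escape(encoded));
    }

    /** Keeps printable ASCII as-is and shows everything else (including the
     *  space character) as \\uXXXX, so a control character that was replaced
     *  by a space is visible in the table rather than hidden as whitespace. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\') sb.append("\\\\");
            else if (c > 0x20 && c < 0x7f) sb.append(c);
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    /** One row per code unit, in code-unit order, for the encoder in use. */
    static List<String> currentTable() {
        List<String> rows = new ArrayList<>(Character.MAX_VALUE + 1);
        for (int cp = 0; cp <= Character.MAX_VALUE; cp++) {
            rows.add(row((char) cp));
        }
        return rows;
    }

    @Test
    public void encodeForHTMLMatchesGoldenTable() throws IOException {
        List<String> current = currentTable();
        if (!Files.exists(GOLDEN)) {
            // First run only: record the table, then review and commit it.
            Files.createDirectories(GOLDEN.getParent());
            Files.write(GOLDEN, current, StandardCharsets.UTF_8);
            return;
        }
        List<String> golden = Files.readAllLines(GOLDEN, StandardCharsets.UTF_8);
        assertEquals("table size", golden.size(), current.size());
        List<String> diffs = new ArrayList<>();
        for (int i = 0; i < golden.size(); i++) {
            if (!golden.get(i).equals(current.get(i))) {
                diffs.add("was: " + golden.get(i) + "   now: " + current.get(i));
            }
        }
        assertTrue("encodeForHTML output changed:\n" + String.join("\n", diffs),
                   diffs.isEmpty());
    }
}
```

Running this once against the encoder version a project has reviewed produces the golden file; every later build then reports exactly which code units changed, which is the same diff Patrick attached but regenerated automatically. Because the space character is written as \u0020, the specific change he raised (unprintable characters replaced with spaces) shows up as a visible row difference instead of disappearing into whitespace. A reviewer should read the recorded table before committing it, since the test only detects drift from whatever output was captured, not whether that output was correct.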
