[Esapi-user] Using ESAPI.encoder's canonicalization & encoder methods

Shar Lwin Khin sharlwinkhin at gmail.com
Tue Jul 6 16:25:34 EDT 2010


Dear all,

I am a web security researcher who wants to secure the user inputs using
ESAPI's encoding methods such as encodeForHTML and encodeForJavaScript. But I
am confused about how to use the canonicalization method correctly in the presence
of some custom encoding schemes that I can't analyze. Say, for example, an
application has this code:

out.print("<input ... value='" + customEncode(request.getParameter("input")) + "'>");

In the above code, customEncode is the custom encoding method used by the
application, which can be any encoding scheme. So the question is: is it OK
to use ESAPI's encoder to secure the input in the following way:

out.print("<input ... value='"
    + ESAPI.encoder().encodeForHTMLAttribute(customEncode(request.getParameter("input")))
    + "'>");

OR is the following way, which canonicalizes first and then ESAPI-encodes,
correct:

out.print("<input ... value='"
    + ESAPI.encoder().encodeForHTMLAttribute(
          ESAPI.encoder().canonicalize(customEncode(request.getParameter("input"))))
    + "'>");

OR are both ways incorrect, and do they in fact require knowing what
customEncode() is doing?

I'd also like to know the solutions for similar cases that require
encodeForHTML, encodeForCSS, and encodeForJavaScript.

best regards,
shar
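As an added illustration (not from the original thread or the ESAPI project), here is a Python sketch of the two pipelines from the message, using simplified stand-ins for ESAPI's canonicalize and encodeForHTMLAttribute; the customEncode stand-in, the sample value and the strict-mode rule are constructed assumptions. It shows that the attribute encoder, applied as the last step, keeps either pipeline inside the quoted attribute, while canonicalizing first changes the value that is stored and rejects double- or mixed-encoded input.

```python
import html
from urllib.parse import quote, unquote


class IntrusionError(Exception):
    """Raised on double or mixed encoding (ESAPI's strict canonicalize throws IntrusionException)."""


def canonicalize(value: str, strict: bool = True) -> str:
    """Reduce a value to its simplest form by stripping percent and HTML-entity encoding
    until nothing changes. In strict mode any second decoding step (same scheme again,
    or a different scheme on top) is rejected, mirroring ESAPI's double/mixed-encoding rule."""
    decoders = {"percent": unquote, "html_entity": html.unescape}
    seen = []
    current = value
    while True:
        changed = False
        for name, decode in decoders.items():
            decoded = decode(current)
            if decoded != current:
                if strict and seen:
                    raise IntrusionError(f"{seen[0]} then {name}: double or mixed encoding")
                seen.append(name)
                current, changed = decoded, True
        if not changed:
            return current


def encode_for_html_attribute(value: str) -> str:
    """Simplified stand-in for encodeForHTMLAttribute: every non-alphanumeric character
    becomes a numeric entity, so the value cannot close the quoted attribute it sits in."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):x};" for c in value)


def custom_encode(value: str) -> str:
    """Constructed stand-in for the application's unknown customEncode(): percent-encoding."""
    return quote(value, safe="")


def render_encode_only(raw: str) -> str:
    """Pipeline 1 from the message: encode customEncode's output for the attribute context."""
    return "<input value='" + encode_for_html_attribute(custom_encode(raw)) + "'>"


def render_canonicalize_then_encode(raw: str) -> str:
    """Pipeline 2 from the message: canonicalize first, then encode for the attribute context."""
    return "<input value='" + encode_for_html_attribute(canonicalize(custom_encode(raw))) + "'>"


if __name__ == "__main__":
    sample = "O'Brien & Co <b>"  # constructed input with attribute- and tag-breaking characters
    print(render_encode_only(sample))
    print(render_canonicalize_then_encode(sample))
```

Which of the two outputs is the right one depends on whether the consumer of the attribute expects the custom-encoded or the decoded value, and that is the part that needs knowledge of customEncode().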