[Esapi-user] Using ESAPI.encoder's canonicalization & encoder methods

Jim Manico jim.manico at owasp.org
Sun Jul 11 21:35:28 EDT 2010


You only need to canonicalize on input, IMO.

Keep in mind that canonicalization can break data in some cases. Since 
you are just trying to stop XSS here without output encoding, I suggest 
you ONLY encode like so:

out.print("<input value=\"" +
ESAPI.encoder().encodeForHTMLAttribute(request.getParameter("input")) +
"\">");

- Jim
> Dear all,
>
> I am a web security researcher who wants to secure the user inputs 
> using ESAPI's encoding methods such as encodeForHTML and 
> encodeForJavaScript. But I am confused on how to use the canonicalization 
> method correctly in the presence of some custom encoding schemes that 
> I can't analyze. Say, for example, an application has this code:
>
> out.print("<input ... value=' "+ 
> customEncode(request.getParameter("input")) );
>
> In the above code, customEncode is the custom encoding method used by 
> the application which can be any Encoding scheme. So the question is: 
> Is it ok to use ESAPI's encoder to secure the input in the following way:
>
> out.print("<input ... value=' "+ 
> ESAPI.encoder().encodeForHTMLAttribute(customEncode(request.getParameter("input"))) 
> );
>
> OR is the following way, which canonicalize first and then ESAPI 
> encode, correct:
>
> out.print("<input ... value=' "+ 
> ESAPI.encoder().encodeForHTMLAttribute(ESAPI.encoder().canonicalize(customEncode(request.getParameter("input")))) 
> );
>
> OR are both ways incorrect, and does it in fact require knowing what 
> customEncode() is doing???
>
> I'd also like to know the solutions for the similar cases that 
> require encodeForHTML, encodeForCSS, and encodeForJavaScript.
>
> best regards,
> shar


-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
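Jim's recommendation above (canonicalize once on input, encode once for the HTML attribute context on output), as an added Python example that is not ESAPI's code and not from anyone in this thread: canonicalize() and encode_for_html_attribute() are simplified stand-ins for ESAPI.encoder().canonicalize() and encodeForHTMLAttribute(), and the IntrusionException name and the immune character set are assumptions. Strict mode shows why canonicalizing belongs on the input side: double- or mixed-encoded parameters are rejected up front instead of being decoded into a payload somewhere downstream.

```python
import html
import re
from urllib.parse import unquote

class IntrusionException(Exception):
    """Raised when input carries more than one layer or kind of encoding (assumed name)."""

_PERCENT = re.compile(r"%[0-9A-Fa-f]{2}")
_ENTITY = re.compile(r"&(#\d+|#[xX][0-9A-Fa-f]+|[A-Za-z]+);")
_IMMUNE = set(",.-_")  # assumed: characters an HTML attribute codec leaves unencoded

def canonicalize(value: str, strict: bool = True) -> str:
    """Decode percent and HTML entity encodings until nothing changes, then, like
    ESAPI's strict mode, reject input that needed several passes (double
    encoding) or several codecs (mixed encoding) instead of returning it."""
    codecs_used, passes, current = set(), 0, value
    while True:
        decoded = current
        if _PERCENT.search(decoded):
            decoded = unquote(decoded)
            codecs_used.add("percent")
        if _ENTITY.search(decoded):
            decoded = html.unescape(decoded)
            codecs_used.add("html-entity")
        if decoded == current:
            break
        passes += 1
        current = decoded
    if strict and (passes > 1 or len(codecs_used) > 1):
        raise IntrusionException(f"multiple or mixed encoding in {value!r}")
    return current

def encode_for_html_attribute(value: str) -> str:
    """Hex-entity-encode everything except ASCII alphanumerics and the immune set,
    so the value can close neither the surrounding quote nor the tag."""
    return "".join(c if (c.isascii() and c.isalnum()) or c in _IMMUNE
                   else f"&#x{ord(c):x};" for c in value)

def render_input_tag(raw_parameter: str) -> str:
    """Canonicalize once where the parameter comes in, encode once for the
    attribute context where it goes out."""
    clean = canonicalize(raw_parameter)  # input side
    return f'<input value="{encode_for_html_attribute(clean)}">'  # output side
```

Running canonicalize() over already-encoded output (the second option in the question) simply decodes it again, which is why the canonicalization step should see the raw request parameter rather than the result of an encoder.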
