[Esapi-user] CSRF +Character Reference Set + Linux

Craig Younkins craig.younkins at owasp.org
Tue Jul 27 14:15:51 EDT 2010


If the application just renders static files on the system, then you aren't
calling any ESAPI methods. If you are calling ESAPI methods, please show us
the relevant code.

Also, please be sure to reply to the list.

Craig Younkins

On Tue, Jul 27, 2010 at 10:42 AM, Kesavanarayanan, Ramesh <
Ramesh.Kesavanarayanan at pearson.com> wrote:

>  These HTML files are static and reside on the file system. The
> application renders them by reading them. When CSRF is enabled, and if the
> file contains TAB / SPACE, on windows it displays correctly but when the
> same application is deployed in Linux, then they display as junk characters.
>
> But if I disable CSRF then it is displaying correctly.
>
> Appreciate any help on this.
>
> Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O)
> | 319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com
>   ------------------------------
>
> *From:* Craig Younkins [mailto:craig.younkins at owasp.org]
> *Sent:* Tuesday, July 27, 2010 8:57 AM
> *To:* Kesavanarayanan, Ramesh
> *Cc:* esapi-user at lists.owasp.org
> *Subject:* Re: [Esapi-user] CSRF +Character Reference Set + Linux
>
> CSRF has nothing to do with character encodings, so I think you're talking
> about the XSS codecs.
>
> What text are you sending through the encoder to get the referenced output?
> Where is &#160; coming from?
>
> If you are outputting HTML you should not have "<?xml version="1.0"
> encoding="UTF-8"?>" but rather a doctype. See [1].
>
> Craig Younkins
>
> [1] http://www.w3schools.com/tags/tag_DOCTYPE.asp
>
> On Mon, Jul 26, 2010 at 6:40 PM, Kesavanarayanan, Ramesh <
> Ramesh.Kesavanarayanan at pearson.com> wrote:
>
> The issue seems to happen only on Linux boxes.
>
> Sample HTML:
>
> <b>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;The bread-slicing
> machine has been celebrated as a great invention.</b>
>
> Needs to display the character set &#160; as tab (SPACE) but it
> displays as JUNK characters.
>
> I indeed have <?xml version="1.0" encoding="UTF-8"?> in the HTML files.
>
> Is there a reason why CSRF displays junk characters when we have a
> character entry set of more than 100?
>
> Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O)
> | 319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com
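The symptom in the thread (numeric references such as &#160; rendering correctly on one platform and as junk on another) is what a charset mismatch between the server's output stream and the reader looks like once the reference has been decoded to a real U+00A0. The script below is an added illustration, not code from the thread or from ESAPI; it assumes that mismatch is the cause, uses a constructed sample modelled on Ramesh's HTML, and shows the usual mitigation of emitting non-ASCII code points as numeric references so the byte stream is the same under any platform default charset.

```python
import html

# Constructed sample, modelled on the static HTML quoted in the thread:
# eight &#160; (non-breaking space) references used as indentation.
SAMPLE_HTML = ("<b>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;"
               "The bread-slicing machine has been celebrated.</b>")

def decode_entities(markup: str) -> str:
    """Resolve character references to code points, as an HTML decode step does."""
    return html.unescape(markup)

def render_bytes(text: str, charset: str) -> bytes:
    """The bytes a server writes when its output stream uses `charset`."""
    return text.encode(charset)

def browser_view(data: bytes, declared_charset: str) -> str:
    """What a browser shows when it interprets `data` using `declared_charset`."""
    return data.decode(declared_charset, errors="replace")

def count_junk(shown: str) -> int:
    """Non-ASCII characters other than the expected U+00A0 are the 'junk'."""
    return sum(1 for ch in shown if ord(ch) > 127 and ch != "\u00a0")

def ascii_safe(text: str) -> str:
    """Mitigation: re-emit non-ASCII code points as numeric references so the
    byte stream is identical under any platform default charset (assumed fix)."""
    return text.encode("ascii", "xmlcharrefreplace").decode("ascii")

def demo() -> dict:
    text = decode_entities(SAMPLE_HTML)  # the NBSPs are now real U+00A0 characters
    return {
        "decoded": text,
        # server writes UTF-8 (C2 A0 per NBSP) but the page is read as Latin-1 -> "Â " per NBSP
        "utf8_as_latin1": browser_view(render_bytes(text, "utf-8"), "latin-1"),
        # server writes Latin-1 (a single A0 byte) but the page is read as UTF-8 -> U+FFFD
        "latin1_as_utf8": browser_view(render_bytes(text, "latin-1"), "utf-8"),
        # charsets agree on both sides: renders as intended
        "matched": browser_view(render_bytes(text, "utf-8"), "utf-8"),
        # reference form survives any charset choice
        "safe": ascii_safe(text),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r} (junk={count_junk(value)})")
```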