[Esapi-user] Difference between different encoding methods!

Shar Lwin Khin sharlwinkhin at gmail.com
Sun Sep 19 01:15:33 EDT 2010


Dear all,

I understand that for user inputs referenced in different HTML contexts,
e.g., HTML attribute, CSS, and JavaScript, different encoder methods, e.g.,
ESAPI.encoder().encodeForJavaScript() and ESAPI.encoder().encodeForCSS(), have
to be used appropriately.

But my question is: what is the major difference between these three encoding
methods? Because XSS prevention Rules #2, #3, and #4 of OWASP state that:
*Rule2: Except for alphanumeric characters, escape all characters with ASCII
values less than 256 with the &#xHH; format*
*Rule3: Except for alphanumeric characters, escape all characters less than
256 with the \xHH format*
*Rule4: Except for alphanumeric characters, escape all characters with ASCII
values less than 256 with the \HH escaping format*

Are they encoding different special characters, or are they using different
character encoding formats?

Thanks & regards,
shar
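
The three escape formats quoted in the rules above, applied to one input, as an added example that is not part of the original message and not ESAPI's own code. The class and method names are hypothetical, the sample string is constructed, and the trailing space after each CSS escape is an assumption added here because CSS reads up to six hex digits after a backslash.

```java
import java.util.function.IntFunction;

public class ContextEscapeDemo {

    // Shared part of the three quoted rules: alphanumerics pass through,
    // every other character with a value below 256 is escaped.
    // Characters at 256 and above are outside the quoted rules and are left as-is here.
    static String escape(String input, IntFunction<String> format) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            boolean alnum = (c >= '0' && c <= '9')
                    || (c >= 'A' && c <= 'Z')
                    || (c >= 'a' && c <= 'z');
            if (alnum || c >= 256) {
                out.append(c);
            } else {
                out.append(format.apply(c));
            }
        }
        return out.toString();
    }

    // Rule 2 format (HTML attribute value): &#xHH;
    static String forHtmlAttribute(String s) {
        return escape(s, c -> String.format("&#x%02X;", c));
    }

    // Rule 3 format (JavaScript data value): \xHH
    static String forJavaScript(String s) {
        return escape(s, c -> String.format("\\x%02X", c));
    }

    // Rule 4 format (CSS property value): \HH
    // Assumption added here: a trailing space ends each escape, so a following
    // hex-looking character (such as the "b" in the sample) is not read as part of it.
    static String forCss(String s) {
        return escape(s, c -> String.format("\\%02X ", c));
    }

    public static void main(String[] args) {
        String input = "\"><b>Tom & Jerry's</b>"; // constructed sample input
        System.out.println("attribute:  " + forHtmlAttribute(input));
        System.out.println("javascript: " + forJavaScript(input));
        System.out.println("css:        " + forCss(input));
    }
}
```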