[Esapi-user] Difference between different encoding methods!

Shar Lwin Khin sharlwinkhin at gmail.com
Sun Sep 19 11:17:09 EDT 2010


Thanks Jeremy. That explains exactly my confusion :D.

But I am afraid I have another question, as I'm not at all familiar with
those character encodings. My next question is:

Are there possible values > 256 according to those XSS prevention rules? If
yes, what kind of escaping/encoding should be used for such values to
prevent XSS?

Thanks again & regards,
shar

On Sun, Sep 19, 2010 at 9:33 PM, <jeremy.long at gmail.com> wrote:

> They are using different encoding (well, it is all hex encoding, but there
> are different control characters around the hex encoded data). For instance,
> following Rule #2 the < would be encoded as &#x3C;. Rule #3 would encode the < as
> \x60, and rule #4 would encode it as \60. The reason for the different
> formats is that the browser interprets data differently depending on which
> context it is in.
>
> --Jeremy
>
>
> On Sep 19, 2010 1:15am, Shar Lwin Khin <sharlwinkhin at gmail.com> wrote:
> > Dear all,
> >
> > I understand that for user inputs referenced in different HTML
> contexts, e.g., HTML attribute, CSS, and JavaScript, different encoder
> methods, e.g., ESAPI.encoder().encodeForJavaScript() and
> ESAPI.encoder().encodeForCSS(), have to be used appropriately.
> >
> > But my question is: what is the major difference between these three
> encoding methods? Because XSS prevention Rules #2, #3 and #4 of OWASP state
> that:
> > Rule2: Except for alphanumeric characters, escape all characters with
> ASCII values less than 256 with the &#xHH; format
> >
> > Rule3: Except for alphanumeric characters, escape all characters less
> than 256 with the \xHH format
> >
> > Rule4: Except for alphanumeric characters, escape all characters with
> ASCII values less than 256 with the \HH escaping format
> >
> > Are they encoding different special characters, or are they using
> different character encoding formats?
> >
> > Thanks & regards,
> >
> > shar
> >
>
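A worked example of the three escaping formats Jeremy contrasts above, added here and not ESAPI's own code: one function per output context, following Rules #2, #3 and #4 as quoted in the thread. How code points at or above 256 are handled is an assumption of this example (they are escaped in each context's own wider form rather than passed through), not something the thread settles.

```python
# Added example (not ESAPI code): the OWASP XSS-prevention escaping formats
# compared in the thread, one per browser context.
#
#   Rule #2, HTML body/attribute : &#xHH;
#   Rule #3, JavaScript string   : \xHH
#   Rule #4, CSS value           : \HH followed by a space (the space ends the
#                                  escape so a following hex digit is not
#                                  swallowed into it)
#
# Assumption: code points >= 256 are escaped too, using the wider form each
# grammar offers (&#xHHHH;, \uHHHH, \HHHHHH ), instead of being passed through.

def _is_ascii_alnum(cp: int) -> bool:
    """Only A-Z, a-z, 0-9 are left untouched by any of the three rules."""
    return (0x30 <= cp <= 0x39) or (0x41 <= cp <= 0x5A) or (0x61 <= cp <= 0x7A)

def encode_for_html(s: str) -> str:
    """Rule #2: numeric character reference; the entity form accepts any code point."""
    return "".join(ch if _is_ascii_alnum(ord(ch)) else f"&#x{ord(ch):02X};" for ch in s)

def encode_for_javascript(s: str) -> str:
    """Rule #3: \\xHH for code points < 256; \\uHHHH (UTF-16 units) above that."""
    out = []
    for ch in s:
        cp = ord(ch)
        if _is_ascii_alnum(cp):
            out.append(ch)
        elif cp < 256:
            out.append(f"\\x{cp:02X}")
        else:
            # \xHH cannot express > 0xFF; emit one \uHHHH per UTF-16 code unit
            # (astral characters become a surrogate pair)
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append(f"\\u{int.from_bytes(units[i:i + 2], 'big'):04X}")
    return "".join(out)

def encode_for_css(s: str) -> str:
    """Rule #4: backslash + hex digits + terminating space (CSS allows up to 6 digits)."""
    return "".join(ch if _is_ascii_alnum(ord(ch)) else f"\\{ord(ch):02X} " for ch in s)

def encode_for_all_contexts(s: str) -> dict:
    """Same input, three contexts: shows that the escaped *characters* are the
    same and only the wrapping syntax differs."""
    return {"html": encode_for_html(s),
            "javascript": encode_for_javascript(s),
            "css": encode_for_css(s)}

if __name__ == "__main__":
    for ctx, enc in encode_for_all_contexts("<script>").items():
        print(f"{ctx:10s} {enc}")
```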