[Esapi-user] Difference between different encoding methods!
Shar Lwin Khin
sharlwinkhin at gmail.com
Sun Sep 19 11:17:09 EDT 2010
Thanks Jeremy. That explains exactly my confusion :D.
But I am afraid I have another question, as I'm not at all familiar with
those character encodings. My next question is:
Are there possible values > 256 according to those XSS prevention rules?? If
yes, what kind of escaping/encoding should be used for such values to
Thanks again & regards,
On Sun, Sep 19, 2010 at 9:33 PM, <jeremy.long at gmail.com> wrote:
> They are using different encoding (well it is all hex encoding, but there
> are different control characters around the hex encoded data). For instance,
> following Rule #2 the < would be encoded as <. Rule #3 would encode the < as
> \x60, and rule #4 would be encoded as \60. The reason for the different
> formats is that the browser interprets data differently depending on which
> context it is in.
> On Sep 19, 2010 1:15am, Shar Lwin Khin <sharlwinkhin at gmail.com> wrote:
> > Dear all,
> > I understand that for the user inputs referenced in different HTML
> > ESAPI.encoder().encoderForCSS(); has to be used appropriately.
> > But my question is What is the major difference between these three
> > encoding methods? Because XSS prevention Rule#2, #3, #4 of OWASP states
> > Rule2: Except for alphanumeric characters, escape all characters with
> > ASCII values less than 256 with the &#xHH; format
> > Rule3: Except for alphanumeric characters, escape all characters less
> > than 256 with the \xHH format
> > Rule4: Except for alphanumeric characters, escape all characters with
> > ASCII values less than 256 with the \HH escaping format
> > Are they encoding different special characters or are they using
> > different character encoding format??
> > Thanks & regards,
> > shar
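As an added example (not ESAPI's own code and not from the original thread), here are the three formats Jeremy contrasts, applied to the same input in Python so the difference is visible side by side. It also goes beyond the quoted rules, which stop at values below 256, to the case the follow-up question asks about: HTML numeric references accept any code point, the JavaScript form has to switch from \xHH to \uHHHH above 0xFF (assumed BMP only here), and a CSS escape takes up to six hex digits and is closed with a space so that a following hex digit in the data is not absorbed into the escape.

```python
# Added example, not ESAPI code: the OWASP XSS rules #2, #3 and #4 quoted in
# this thread are all hex encodings; what differs is the framing the browser
# expects in each context.
#   Rule #2 (HTML body/attribute): &#xHH;
#   Rule #3 (JavaScript string):   \xHH   (extended here to \uHHHH above 0xFF)
#   Rule #4 (CSS string/property): \HH    (extended here to up to six digits
#                                          plus a terminating space)
# Alphanumerics pass through unchanged; every other character is escaped.

ALNUM = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")


def encode_for_html(s: str) -> str:
    # Rule #2: numeric character reference, valid for any code point.
    return "".join(c if c in ALNUM else f"&#x{ord(c):02X};" for c in s)


def encode_for_javascript(s: str) -> str:
    # Rule #3: \xHH only has room for two hex digits, so code points >= 256
    # need the \uHHHH form (assumption: input limited to the BMP).
    out = []
    for c in s:
        cp = ord(c)
        if c in ALNUM:
            out.append(c)
        elif cp < 0x100:
            out.append(f"\\x{cp:02X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


def encode_for_css(s: str) -> str:
    # Rule #4: backslash + hex digits. CSS reads up to six hex digits after
    # the backslash, so "<a" as "\3Ca" would be parsed as U+03CA; the
    # trailing space is the spec's escape terminator and prevents that.
    return "".join(c if c in ALNUM else f"\\{ord(c):X} " for c in s)


def encode_all(s: str) -> dict:
    # Convenience view of the same input in all three contexts.
    return {
        "html": encode_for_html(s),
        "javascript": encode_for_javascript(s),
        "css": encode_for_css(s),
    }
```

Note that the CSS form deliberately emits a space after every escape; without it the encoded output is ambiguous whenever the next character of the data happens to be a hex digit.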