[Esapi-user] Difference between different encoding methods!
jeff.williams at aspectsecurity.com
Mon Sep 20 01:01:01 EDT 2010
The only difference is that they use a different escape sequence and
they should only be used in the appropriate context.

From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Shar Lwin Khin
Sent: Sunday, September 19, 2010 1:16 AM
To: Esapi-user at lists.owasp.org
Subject: [Esapi-user] Difference between different encoding methods!

I understand that for the user inputs referenced in different HTML
ESAPI.encoder().encoderForCSS(); has to be used appropriately.
But my question is: what is the major difference between these three
encoding methods? Because XSS prevention Rule #2, #3, #4 of OWASP states:
Rule 2: Except for alphanumeric characters, escape all characters with
ASCII values less than 256 with the &#xHH; format
Rule 3: Except for alphanumeric characters, escape all characters less
than 256 with the \xHH format
Rule 4: Except for alphanumeric characters, escape all characters with
ASCII values less than 256 with the \HH escaping format
Are they encoding different special characters or are they using
different character encoding format??
Thanks & regards,
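
The three escape formats quoted in Rules 2 to 4, applied to one constructed input, as an added example that is not part of the original thread and is not ESAPI's own code. The function names, the sample string and the pass-through of characters at or above 256 are assumptions of this example; it also checks that the JavaScript parser undoes only its own escape format.

```javascript
// Added example (not ESAPI code): rules #2-#4 applied to one constructed input.
const isAlnum = (ch) => /^[A-Za-z0-9]$/.test(ch);
const hex2 = (code) => code.toString(16).toUpperCase().padStart(2, "0");

// Alphanumerics pass through; every other code point below 256 is escaped.
// Assumption: code points >= 256 are left unchanged, since the quoted rules
// only cover values below 256.
function encodeWith(input, escape) {
  let out = "";
  for (const ch of String(input)) {
    const code = ch.codePointAt(0);
    out += isAlnum(ch) || code >= 256 ? ch : escape(code);
  }
  return out;
}

// Rule #2, HTML attribute value: &#xHH;
const encodeForHTMLAttribute = (s) => encodeWith(s, (c) => `&#x${hex2(c)};`);
// Rule #3, JavaScript string literal: \xHH
const encodeForJavaScript = (s) => encodeWith(s, (c) => `\\x${hex2(c)}`);
// Rule #4, CSS value: \HH. CSS hex escapes are 1-6 digits long, so a trailing
// space ends the escape; otherwise "\22" followed by "b" would parse as \22b.
const encodeForCSS = (s) => encodeWith(s, (c) => `\\${hex2(c)} `);

// Stand-in for the JavaScript parser: evaluate text as a double-quoted literal.
// Only called here on encoder output for the constructed sample below.
const asJsLiteral = (body) => new Function(`return "${body}";`)();

// Constructed input containing characters that terminate each context.
const sample = `a"'<;b`;

function demo() {
  const html = encodeForHTMLAttribute(sample);
  const js = encodeForJavaScript(sample);
  const css = encodeForCSS(sample);
  return {
    html,
    js,
    css,
    jsRoundTrip: asJsLiteral(js) === sample, // JS parser decodes \xHH
    htmlInJs: asJsLiteral(html) === sample, // but leaves &#xHH; as literal text
  };
}

console.log(demo());
```
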