[Esapi-user] Difference between different encoding methods!

Jeff Williams jeff.williams at aspectsecurity.com
Mon Sep 20 01:01:01 EDT 2010


The only difference is that they use a different escape sequence and
they should only be used in the appropriate context.


--Jeff


From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Shar Lwin Khin
Sent: Sunday, September 19, 2010 1:16 AM
To: Esapi-user at lists.owasp.org
Subject: [Esapi-user] Difference between different encoding methods!


Dear all,


I understand that for user inputs referenced in different HTML
contexts (e.g., HTML attribute, CSS, and JavaScript), different encoder
methods (e.g., ESAPI.encoder().encodeForJavaScript(),
ESAPI.encoder().encodeForCSS()) have to be used appropriately.


But my question is: what is the major difference between these three
encoding methods? Because XSS prevention Rules #2, #3 and #4 of OWASP
state that:

Rule #2: Except for alphanumeric characters, escape all characters with
ASCII values less than 256 with the &#xHH; format

Rule #3: Except for alphanumeric characters, escape all characters less
than 256 with the \xHH format

Rule #4: Except for alphanumeric characters, escape all characters with
ASCII values less than 256 with the \HH escaping format


Are they encoding different special characters, or are they using a
different character encoding format?


Thanks & regards,

shar
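To make the difference concrete, here is an added example (not ESAPI's code and not from either message) that implements the three quoted rules in Python. The function names mirror the ESAPI method names, but the implementation is illustrative; the trailing space on the CSS escape is an assumption added so that a following hex digit in the output cannot be read as part of the escape.

```python
"""Three context-specific output encoders, written here to illustrate
OWASP XSS Rules #2 (HTML attribute), #3 (JavaScript) and #4 (CSS).
Illustrative code, not ESAPI's implementation: the same characters are
escaped in every context; only the escape sequence changes per context."""


def _encode(value, escape):
    # Alphanumerics pass through; every other code point below 256 is
    # rewritten with the context's escape sequence. Code points >= 256
    # are left unchanged here (a simplification: the quoted rules only
    # cover values below 256).
    out = []
    for ch in value:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 256:
            out.append(escape(cp))
        else:
            out.append(ch)
    return "".join(out)


def encode_for_html_attribute(value):
    # Rule #2: &#xHH; numeric character reference (HTML attribute context)
    return _encode(value, lambda cp: f"&#x{cp:02X};")


def encode_for_javascript(value):
    # Rule #3: \xHH escape inside a quoted JavaScript string literal
    return _encode(value, lambda cp: f"\\x{cp:02X}")


def encode_for_css(value):
    # Rule #4: \HH escape for a CSS string or property value. The trailing
    # space (an assumption, not in the quoted rule) terminates the escape:
    # CSS consumes up to six hex digits, so "<a" would otherwise become
    # "\3Ca" and be misread as a single escape.
    return _encode(value, lambda cp: f"\\{cp:02X} ")


def encode_all(value):
    # Same input, three contexts: returns one dict so the differing
    # escape sequences can be compared side by side.
    return {
        "html_attribute": encode_for_html_attribute(value),
        "javascript": encode_for_javascript(value),
        "css": encode_for_css(value),
    }


if __name__ == "__main__":
    # Constructed sample input containing the usual XSS-relevant characters.
    for context, encoded in encode_all("<a href='x'>").items():
        print(f"{context:15} {encoded}")
```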
