[Esapi-user] Esapi-user Digest, Vol 27, Issue 3

Jeff Williams jeff.williams at aspectsecurity.com
Mon Jan 30 20:04:51 UTC 2012


Hi Ram,

In general, it's not a good idea to concatenate together strings to
build an XML document. It's better practice to use an XML
parser/generator to safely generate XML.  This is similar to the advice
to use PreparedStatements to access SQL databases safely.  Or the advice
to use HTML templating systems to generate HTML safely.

In the rare case when you can't use a real XML parser/generator, the
"encodeForXML" method is available to prevent XML injection.  It encodes
the "big 5" characters significant to XML:  " ' < > and & into HTML
entities.

--Jeff

From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Rama Krishna Pathangi
Sent: Monday, January 30, 2012 2:21 PM
To: ESAPI User Group
Subject: Re: [Esapi-user] Esapi-user Digest, Vol 27, Issue 3

Hi,

I want to use the encodeForXML method mentioned here:
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForXML(java.lang.String)

I found the details confusing - "The use of a real XML parser is strongly
encouraged. However, in the hopefully rare case that you need to make
sure that data is safe for inclusion in an XML document and cannot use a
parse, this method provides a safe mechanism to do so."

Could you explain what is being referred to here?

Thanks in advance.
Ram.
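As an added illustration of the three approaches Jeff contrasts above (string concatenation, encodeForXML, and a real XML generator), written for this page and not taken from the thread or from ESAPI itself. It assumes the ESAPI Java library and its ESAPI.properties are on the classpath; the class name, helper names and the untrusted input are constructed.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import java.io.StringWriter;
import org.owasp.esapi.ESAPI;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class XmlBuildDemo {
    // Constructed untrusted input: it closes <name> early and adds an
    // element the application never intended to emit.
    static final String UNTRUSTED = "alice</name><role>admin</role><name>";

    // 1. String concatenation: the input is interpreted as markup, not text.
    static String concatenated(String name) {
        return "<user><name>" + name + "</name></user>";
    }

    // 2. ESAPI encodeForXML: the five XML-significant characters are
    //    encoded, so the whole input remains a single text node.
    static String encoded(String name) {
        return "<user><name>" + ESAPI.encoder().encodeForXML(name) + "</name></user>";
    }

    // 3. Real XML generator (JAXP DOM): text is set through the API and the
    //    serializer escapes it; no markup is ever built by hand.
    static String viaDom(String name) throws Exception {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document doc = db.newDocument();
        Element user = doc.createElement("user");
        Element nameEl = doc.createElement("name");
        nameEl.setTextContent(name);   // escaped when serialized
        user.appendChild(nameEl);
        doc.appendChild(user);
        Transformer t = TransformerFactory.newInstance().newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Only the first line contains an unintended <role> element.
        System.out.println("concat : " + concatenated(UNTRUSTED));
        System.out.println("esapi  : " + encoded(UNTRUSTED));
        System.out.println("dom    : " + viaDom(UNTRUSTED));
    }
}
```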
