[Esapi-user] Esapi-user Digest, Vol 27, Issue 3

Rama Krishna Pathangi rpathangi at hotmail.com
Mon Jan 30 20:55:02 UTC 2012


Thanks Jeff.
Are you suggesting that if we build XML as a DOM rather than as a string, the
process (while slower) would automatically perform encoding of the characters
as required?
--

Ram



Subject: RE: [Esapi-user] Esapi-user Digest, Vol 27, Issue 3
Date: Mon, 30 Jan 2012 15:04:51 -0500
From: jeff.williams at aspectsecurity.com
To: rpathangi at hotmail.com; esapi-user at lists.owasp.org



Hi Ram,

In general, it’s not a good idea to concatenate together strings to build an XML document. It’s better practice to use an XML parser/generator to safely generate XML. This is similar to the advice to use PreparedStatements to access SQL databases safely. Or the advice to use HTML templating systems to generate HTML safely.

In the rare case when you can’t use a real XML parser/generator, the “encodeForXML” method is available to prevent XML injection. It encodes the “big 5” characters significant to XML: “ ‘ < > and & into HTML entities.

--Jeff

From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Rama Krishna Pathangi
Sent: Monday, January 30, 2012 2:21 PM
To: ESAPI User Group
Subject: Re: [Esapi-user] Esapi-user Digest, Vol 27, Issue 3

Hi,
 
I want to use encodeForXML method mentioned here http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForXML(java.lang.String).
 
I found the details confusing -"The use of a real XML parser is strongly encouraged. However, in the hopefully rare case that you need to make sure that data is safe for inclusion in an XML document and cannot use a parse, this method provides a safe mechanism to do so."
 
Could you explain what is being referred to here?
 
Thanks in advance.
Ram.
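The two approaches from the thread side by side, as an added example that is neither from the thread nor from ESAPI: the DOM route using only the JDK's javax.xml classes, and a hand-written encodeForXmlFallback that stands in for what encodeForXML does when no parser/generator can be used. The class and method names and the sample input are assumptions.

```java
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class XmlBuildDemo {
    // Constructed sample input carrying the XML-significant characters.
    static final String USER_INPUT = "<admin role=\"root\">Tom & Jerry's</admin>";
    // Unsafe: concatenation lets the value rewrite the document's structure.
    static String buildByConcatenation(String value) {
        return "<user><name>" + value + "</name></user>";
    }
    // Safe: the value is stored as a text node; the serializer escapes it on output.
    static String buildWithDom(String value) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element user = doc.createElement("user");
        Element name = doc.createElement("name");
        name.appendChild(doc.createTextNode(value));
        user.appendChild(name);
        doc.appendChild(user);
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer()
                .transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
    // Fallback when no parser/generator can be used: escape the "big 5" by hand.
    // Hypothetical stand-in for ESAPI's encodeForXML, not ESAPI's own code.
    static String encodeForXmlFallback(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        System.out.println(buildByConcatenation(USER_INPUT)); // extra <admin> element appears
        System.out.println(buildWithDom(USER_INPUT));         // value stays inert text
        System.out.println("<user><name>" + encodeForXmlFallback(USER_INPUT) + "</name></user>");
    }
}
```

With this input the concatenated version gains an unintended <admin> element, while the DOM serializer emits `&lt;admin role="root"&gt;Tom &amp; Jerry's&lt;/admin&gt;` inside <name>: it escapes only what a text node requires (&, <, >), whereas the fallback encodes all five characters unconditionally.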