[Esapi-user] Esapi-user Digest, Vol 27, Issue 3

Jeff Williams jeff.williams at aspectsecurity.com
Mon Jan 30 20:57:44 UTC 2012


Right.  From a security perspective, it's very difficult to imagine
injection through a decent parser/generator as the encoding is
automatic.  Whereas when you build up XML in strings, there are many
many places in the code where a mistake might get made.  Also, if
someone uncovers a vulnerability with your parser/generator, you just
have to fix it in one place to get it right everywhere.
--Jeff
From: Rama Krishna Pathangi [mailto:rpathangi at hotmail.com]
Sent: Monday, January 30, 2012 3:55 PM
To: Jeff Williams; ESAPI User Group
Subject: RE: [Esapi-user] Esapi-user Digest, Vol 27, Issue 3
Thanks Jeff.
Are you suggesting that if we build XML as a DOM rather than as a
string, the process (while slower) would automatically perform encoding
of the characters as required?
--
Ram




________________________________

Subject: RE: [Esapi-user] Esapi-user Digest, Vol 27, Issue 3
Date: Mon, 30 Jan 2012 15:04:51 -0500
From: jeff.williams at aspectsecurity.com
To: rpathangi at hotmail.com; esapi-user at lists.owasp.org

Hi Ram,
In general, it's not a good idea to concatenate together strings to
build an XML document. It's better practice to use an XML
parser/generator to safely generate XML.  This is similar to the advice
to use PreparedStatements to access SQL databases safely.  Or the advice
to use HTML templating systems to generate HTML safely.
In the rare case when you can't use a real XML parser/generator, the
"encodeForXML" method is available to prevent XML injection.  It encodes
the "big 5" characters significant to XML:  " ' < > and & into HTML
entities.
--Jeff
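Ram's question (does building the document as a DOM encode automatically?) and Jeff's fallback of encoding the "big 5" characters, shown side by side as an added example using only the JDK's own DOM and Transformer APIs. This is not ESAPI's code: `encodeBig5` is a hypothetical minimal stand-in for `encodeForXML`, not its implementation, and the tainted input is a constructed sample.

```java
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class XmlBuildDemo {
    // Constructed sample input: a value that tries to close <name> and add its own <role>.
    static final String TAINTED_NAME = "Ram</name><role>admin</role><name>";

    // Risky path: string concatenation. Markup in the input becomes part of the document.
    static String buildByConcatenation(String name) {
        return "<user><name>" + name + "</name><role>guest</role></user>";
    }

    // Recommended path: build a DOM. The value is stored as a text node and the
    // serializer escapes <, > and & for us, so it cannot turn into markup.
    static String buildByDom(String name) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element user = doc.createElement("user");
        Element nameEl = doc.createElement("name");
        nameEl.setTextContent(name);
        Element role = doc.createElement("role");
        role.setTextContent("guest");
        user.appendChild(nameEl);
        user.appendChild(role);
        doc.appendChild(user);
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    // Fallback when no parser/generator can be used: encode the "big 5" (& first, so
    // earlier replacements are not re-encoded). Hypothetical stand-in, not ESAPI's code.
    static String encodeBig5(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#x27;");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("concat : " + buildByConcatenation(TAINTED_NAME));
        System.out.println("dom    : " + buildByDom(TAINTED_NAME));
        System.out.println("encoded: " + buildByConcatenation(encodeBig5(TAINTED_NAME)));
    }
}
```

The concatenated output carries a second, attacker-chosen role element; the DOM and encoded outputs keep the whole value inside the name text node.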
From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Rama Krishna
Pathangi
Sent: Monday, January 30, 2012 2:21 PM
To: ESAPI User Group
Subject: Re: [Esapi-user] Esapi-user Digest, Vol 27, Issue 3
Hi,

I want to use the encodeForXML method mentioned here:
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForXML(java.lang.String)

I found the details confusing: "The use of a real XML parser is strongly
encouraged. However, in the hopefully rare case that you need to make
sure that data is safe for inclusion in an XML document and cannot use a
parse, this method provides a safe mechanism to do so."

Could you explain what is being referred to here?
Thanks in advance.
Ram.