[Esapi-user] [Esapi-dev] encodeForHTMLAttribute the value of an <input>

Chris Schmidt chris.schmidt at owasp.org
Fri Mar 23 17:42:50 UTC 2012

It most definitely needs to be configurable ­ not doing so breaks situations
where multiple encoding is necessary (which admittedly is very infrequently,
but it is a functional requirement)

In jQuery-Encoder ­ I simply document that users should canonicalize prior
to encoding

$.encoder.encodeForHTML( $.encoder.canonicalize( $input ) );


$(Œelement¹).encode(ŒHTML¹, $.encoder.canonicalize($input));

On 3/23/12 7:49 AM, "Jim Manico" <jim.manico at owasp.org> wrote:

>    First of all you are not allowed to apologize, these are important
> conversations. :)
>  Second, the I feel that a good encoder should canonicalize before encoding to
> avoid the double-encoding problem that you faced.
>  .NET already done this. We may want to add this feature to ESAPI, albeit in a
> configurable way, since it is a performance hit.
>  Aloha Rod,

Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20120323/4ce75dc9/attachment.html>

More information about the Esapi-user mailing list