[Esapi-user] [Esapi-dev] encodeForHTMLAttribute the value of an <input>
chris.schmidt at owasp.org
Fri Mar 23 17:42:50 UTC 2012
It most definitely needs to be configurable; not doing so breaks situations
where multiple encoding is necessary (which admittedly is very infrequent,
but it is a functional requirement).
In jQuery-Encoder I simply document that users should canonicalize prior:
$.encoder.encodeForHTML( $.encoder.canonicalize( $input ) );
On 3/23/12 7:49 AM, "Jim Manico" <jim.manico at owasp.org> wrote:
> First of all you are not allowed to apologize, these are important
> conversations. :)
> Second, I feel that a good encoder should canonicalize before encoding to
> avoid the double-encoding problem that you faced.
> .NET already does this. We may want to add this feature to ESAPI, albeit in a
> configurable way, since it is a performance hit.
> Aloha Rod,
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
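As an added illustration of the canonicalize-then-encode point discussed above (this is not jQuery-Encoder's or ESAPI's own code; the function names and the entity-only canonicalizer are assumptions made for the example), a minimal pipeline that decodes entity layers until the input is stable, then encodes the result for an HTML attribute. Encoding without canonicalizing turns an already-encoded `&lt;b&gt;` into a double-encoded value, while canonicalizing first yields a single, correct encoding; a second layer such as `&amp;lt;` is reported so a caller can log it.

```javascript
// Added example, not project code. Names (canonicalize, encodeForHTMLAttribute,
// encodeAttributeValue) are hypothetical and only resemble the ESAPI/jQuery-Encoder API.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Decode exactly one layer of HTML entities (named, decimal, hex); unknown entities stay as-is.
function decodeEntitiesOnce(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const decoded = NAMED_ENTITIES[body.toLowerCase()];
    return decoded === undefined ? match : decoded;
  });
}

// Canonicalize: strip entity encoding layer by layer until the string stops changing.
// Returns the decoded value and how many layers were removed (more than one is suspicious).
function canonicalize(s, maxLayers = 5) {
  let prev = s;
  for (let i = 0; i < maxLayers; i++) {
    const next = decodeEntitiesOnce(prev);
    if (next === prev) return { value: prev, layers: i };
    prev = next;
  }
  return { value: prev, layers: maxLayers };
}

// Encode for an HTML attribute value: everything except ASCII alphanumerics becomes &#xHH;.
function encodeForHTMLAttribute(s) {
  return Array.from(s)
    .map((ch) => (/[A-Za-z0-9]/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16)};`))
    .join("");
}

// canonicalizeFirst is the configurable switch discussed in the thread: leaving it off
// is only correct when deliberate multiple encoding is required.
function encodeAttributeValue(input, { canonicalizeFirst = true } = {}) {
  const value = canonicalizeFirst ? canonicalize(input).value : input;
  return encodeForHTMLAttribute(value);
}
```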