[Esapi-user] INVALID_CHARACTER_ERR in style tag

Chris Schmidt chrisisbeef at gmail.com
Mon Jun 24 16:46:46 UTC 2013

Blanca -

The chunk is indeed invalid XML, the =3D is what is throwing off the parser.
While I agree this isn't a security issue in itself, the reason ESAPI is
reporting it as such is because it is not able to validate the data due to
being unable to parse it. I don't believe this is valid HTML either, is this
a real use-case (in other words, this is something you expect to pass
validation because you are considering it to be "valid" HTML)?

As far as development, the ESAPI 3.0 development sprint is launching soon,
with a hackathon in November at AppSecUSA in NYC. There will be
announcements on the development list as things progress with the ESAPI 3.0
Roadmap and development effort.


Chris Schmidt

From:  Blanca Hernandez <blanca.hernandez at willhaben.at>
Date:  Monday, June 24, 2013 9:40 AM
To:  ESAPI Users <esapi-user at lists.owasp.org>
Subject:  [Esapi-user] INVALID_CHARACTER_ERR in style tag

Analyzing this piece of code:
<div style=3D"padding:20px 20px;">
OWASP returns: Invalid HTML input org.owasp.validator.html.ScanException:
org.w3c.dom.DOMException: INVALID_CHARACTER_ERR: An invalid or illegal XML
character is specified.
The only mistake is that it should be: <div style=3D"padding:20px;">
There are many cases like this one and it makes the whole HTML invalid. In my
point of view, this is not a security issue, and it shouldn't be reported,
am I right?
The last committed OWASP version is from 2011, is there a later one? In that
case, how could I update my dependencies? (I haven't found anything
actual). Is the development of this library going ahead at all?
Any advice or idea would be really appreciated. Thanks in advance!
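As an added illustration of the point made in the thread (this is not code from the thread, from ESAPI or from AntiSamy): the `=3D` is the quoted-printable encoding of `=`, so the markup was still in its transport encoding when it reached the validator. The example below, using only Python's standard library, decodes that layer first and then validates the real markup, while keeping the validator's fail-closed behaviour for anything that still does not parse. The sample fragment is constructed from the one in the thread with a closing `</div>` added so that the `=3D` is its only defect.

```python
import quopri
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the fragment from the thread. "=3D" is the
# quoted-printable encoding of "=", left behind by a mail/transport layer, so
# the attribute syntax is broken before any HTML validator sees it. A closing
# </div> is added so that the =3D is the fragment's only defect.
RAW_FRAGMENT = '<div style=3D"padding:20px 20px;"></div>'


def is_well_formed(fragment: str) -> bool:
    """True only if the fragment parses as XML.

    Any parser error is treated as a rejection: a validator that cannot parse
    its input cannot vouch for it, which is the fail-closed behaviour the
    thread describes for the ESAPI/AntiSamy scan.
    """
    try:
        ET.fromstring(f"<root>{fragment}</root>")
        return True
    except ET.ParseError:
        return False


def decode_quoted_printable(fragment: str) -> str:
    """Undo quoted-printable transport encoding (=XX escapes, soft line breaks)."""
    return quopri.decodestring(fragment.encode("utf-8")).decode("utf-8")


def validate_style_fragment(fragment: str) -> tuple[bool, str]:
    """Decode the transport layer first, then validate the real markup.

    Returns (accepted, decoded_fragment). Decoding happens here so the
    validator judges the markup a browser would actually render rather than
    its encoded form; anything that still fails to parse is still rejected.
    """
    decoded = decode_quoted_printable(fragment)
    return is_well_formed(decoded), decoded


if __name__ == "__main__":
    print("raw fragment accepted:", is_well_formed(RAW_FRAGMENT))  # False
    accepted, decoded = validate_style_fragment(RAW_FRAGMENT)
    print("decoded:", decoded, "accepted:", accepted)  # True
    # A genuinely malformed attribute (unterminated quote) stays rejected.
    print("bad quote accepted:",
          validate_style_fragment('<div style="padding:20px></div>')[0])  # False
```

Decoding belongs wherever the mail or transport layer is unwrapped, before the validator runs; loosening the validator itself would turn its inability to parse into silent acceptance.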