[Esapi-user] INVALID_CHARACTER_ERR in style tag

Blanca Hernandez blanca.hernandez at willhaben.at
Tue Jun 25 12:53:12 UTC 2013



Thanks for your fast answer and the information. I am trying to avoid potential security attacks (like XSS) in the HTML code, but whether the HTML code is valid or not is not a big deal. Is there some kind of configuration possibility to skip the validation of the HTML content and only check for potential security attacks?


Thanks in advance!


Kind regards, 




From: Chris Schmidt [mailto:chrisisbeef at gmail.com]
Sent: Monday, 24 June 2013 18:47
To: Blanca Hernandez; esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] INVALID_CHARACTER_ERR in style tag


Bianca - 


The chunk is indeed invalid XML, the =3D is what is throwing off the parser. While I agree this isn't a security issue in itself, the reason ESAPI is reporting it as such is because it is not able to validate the data due to being unable to parse it. I don't believe this is valid HTML either, is this a real use-case (in other words, this is something you expect to pass validation because you are considering it to be "valid" HTML)?


As far as development, the ESAPI 3.0 development sprint is launching soon, with a hackathon in November at AppSecUSA in NYC. There will be announcements on the development list as things progress with the ESAPI 3.0 Roadmap and development effort.




Chris Schmidt


From: Blanca Hernandez <blanca.hernandez at willhaben.at>
Date: Monday, June 24, 2013 9:40 AM
To: ESAPI Users <esapi-user at lists.owasp.org>
Subject: [Esapi-user] INVALID_CHARACTER_ERR in style tag




Analyzing this piece of code:


<div style=3D"padding:20px 20px;">


OWASP returns: Invalid HTML input org.owasp.validator.html.ScanException: org.w3c.dom.DOMException: INVALID_CHARACTER_ERR: An invalid or illegal XML character is specified.


The only mistake is that it should be: <div style=3D"padding:20px;">


There are many cases like this one and it makes the whole HTML invalid. From my point of view, this is not a security issue, and it shouldn't be reported, am I right?

The last committed OWASP version is from 2011, is there a later one? In that case, how could I update my dependencies? (I haven't found anything current). Is the development of this library going ahead at all?


Any advice or idea would be really appreciated. Thanks in advance!
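
Chris's point that the validator reports input it cannot parse, shown as an added sketch that is not part of the thread and is not ESAPI or AntiSamy code. A strict XML parser stands in for the HTML scanner here, and the allowlists, function name and sample strings are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed allowlists for this sketch; a real AntiSamy policy is far richer.
ALLOWED_TAGS = {"div", "p", "span", "b", "i"}
ALLOWED_ATTRS = {"style", "class"}
BLOCKED_CSS = ("expression(", "url(", "javascript:", "behavior:", "@import")


def check_fragment(fragment):
    """Return (accepted, reason). Input that cannot be parsed is rejected."""
    try:
        # Wrapping in a root element lets multi-node fragments parse and
        # makes any DOCTYPE in the input a parse error.
        root = ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        # Fail closed: without a tree there is nothing to apply the policy to,
        # so "only check for attacks" cannot be done on this input.
        return False, "unparseable: %s" % exc
    for el in root.iter():
        if el is root:
            continue
        if el.tag not in ALLOWED_TAGS:
            return False, "tag not allowed: %s" % el.tag
        for name, value in el.attrib.items():
            if name not in ALLOWED_ATTRS:
                return False, "attribute not allowed: %s" % name
            compact = value.lower().replace(" ", "")
            if name == "style" and any(tok in compact for tok in BLOCKED_CSS):
                return False, "style value not allowed"
    return True, "ok"


# Constructed inputs: the thread's fragment (closed so it stands alone),
# the same fragment with a plain "=", and one carrying an event handler.
FROM_THREAD = '<div style=3D"padding:20px 20px;">text</div>'
PLAIN_EQUALS = '<div style="padding:20px 20px;">text</div>'
EVENT_HANDLER = '<div onclick="alert(1)">text</div>'

if __name__ == "__main__":
    for sample in (FROM_THREAD, PLAIN_EQUALS, EVENT_HANDLER):
        print(sample, "->", check_fragment(sample))
```

The first sample is rejected before any policy check runs, which is the behaviour described in the reply: the attribute rules can only be applied to a tree the parser was able to build.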



