[Esapi-user] ESAPI Validation Problem
barlock at us.ibm.com
Fri Mar 22 18:08:19 UTC 2013
I recently added the ESAPI code for HTTP parameter validation in our
JSPs. Our vulnerability scans now report zero cross-site scripting
vulnerabilities, which is very good. Unfortunately, it causes a couple of
other problems for us because sometimes we pass parameters that contain a
colon on an HTTP GET request. A colon is, apparently, not a valid
character in an HTTP parameter, so the validator throws an exception on
such strings. One person on our team suggested URL encoding the
change the %3A (colon) to something that would pass through the validator,
say __3A. The string could be unstuffed, I think, either in the JSP
Thoughts on this from a secure computing perspective? Other suggestions?
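As an added illustration (not code from the original post, nor from the ESAPI project itself) of the whitelist alternative to stuffing the colon as `__3A`: declare a dedicated `Validator.*` rule in ESAPI.properties that admits exactly the shape this one parameter may take, and validate against that rule by name. The parameter name `ref`, the rule name `ColonSeparatedId`, its regex, and the servlet class are assumptions chosen for the example; the ESAPI calls (`ESAPI.validator().getValidInput`, `ESAPI.encoder().encodeForHTML`) are the ESAPI 2.x API.

```java
// Added example, not from the original post or the ESAPI distribution.
// Assumes ESAPI 2.x on the classpath and a GET parameter named "ref" whose
// values are colon-separated tokens such as "order:1234" (parameter name,
// rule name and regex are assumptions made for this illustration).
//
// Instead of smuggling the colon past the default HTTPParameterValue rule
// as "__3A" and un-stuffing it later, add one line to ESAPI.properties:
//
//   Validator.ColonSeparatedId=^[A-Za-z0-9_-]{1,64}(:[A-Za-z0-9_-]{1,64}){0,7}$
//
// and validate the parameter against that named rule.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class RefParameterServlet extends HttpServlet {

    /** Name of the Validator.* rule defined in ESAPI.properties (assumed). */
    private static final String RULE = "ColonSeparatedId";
    private static final int MAX_LEN = 200;

    /**
     * Returns the validated value of the "ref" parameter, or null when it is
     * absent or does not match the whitelist. The servlet container has
     * already decoded %3A to ':' by the time getParameter() returns, so the
     * colon itself is what the rule must permit; no private escape scheme
     * is needed.
     */
    static String validatedRef(HttpServletRequest request) {
        String raw = request.getParameter("ref");
        try {
            // The context string "ref" only labels log entries and messages.
            return ESAPI.validator().getValidInput("ref", raw, RULE, MAX_LEN, false);
        } catch (ValidationException | IntrusionException e) {
            // Reject rather than repair. getValidInput canonicalizes first,
            // so double-encoded input such as %253A is also flagged (as a
            // ValidationException or IntrusionException, depending on the
            // Encoder.AllowMultipleEncoding setting).
            return null;
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String ref = validatedRef(request);
        if (ref == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid ref");
            return;
        }
        // Input validation bounds what is accepted; output encoding is still
        // what prevents XSS when the value is reflected into HTML.
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().write("<p>Reference: "
                + ESAPI.encoder().encodeForHTML(ref) + "</p>");
    }
}
```

The point of a named rule is that the relaxation is scoped to the one parameter that legitimately carries a colon, while every other parameter keeps the stricter default. A reversible stuffing scheme such as `__3A` instead widens what every validator accepts and moves the real check to wherever the un-stuffing happens, which the scanner can no longer see.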