[Esapi-user] ESAPI Validation Problem

Chris Barlock barlock at us.ibm.com
Fri Mar 22 18:08:19 UTC 2013


I recently added the ESAPI code for HTTP parameter validation in our 
JSPs.  Our vulnerability scans now report zero cross-site scripting 
vulnerabilities, which is very good.  Unfortunately, it causes a couple of 
other problems for us because sometimes we pass parameters that contain a 
colon on an HTTP GET request.  A colon is, apparently, not a valid 
character in an HTTP parameter, so the validator throws an exception on 
such strings.  One person on our team suggested URL encoding the 
parameters and then using a form of byte-stuffing in the Javascript to 
change the %3A (colon) to something that would pass through the validator, 
say __3A.  The string could be unstuffed, I think, either in the JSP 
processing or back in the Javascript. 
Thoughts on this from a secure computing perspective?  Other suggestions? 

Thanks,

Chris
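The two options in the message, shown side by side as an added example. This is not ESAPI code and not from the original post; it is a small Python model of what ESAPI's validator does (a named whitelist regex per validation type, applied to the canonicalized input, with a length cap), written so the difference between the two approaches can be checked. The pattern names, the stuffing marker `__3A` and the sample parameter values are constructed for the example. In real ESAPI the equivalent of adding the second pattern is a custom `Validator.<Name>` regex entry in ESAPI.properties used as the `type` argument of `getValidInput`.

```python
import re
from urllib.parse import unquote

# Constructed whitelist patterns, one per validation type, mirroring the
# ESAPI convention. The first rejects ':' (the situation in the post); the
# second is the same whitelist with ':' admitted explicitly.
PATTERNS = {
    "HTTPParameterValue": re.compile(r"^[a-zA-Z0-9.\-/+=@_ ]*$"),
    "HTTPParameterWithColon": re.compile(r"^[a-zA-Z0-9.\-/+=@_ :]*$"),
}

STUFF_MARKER = "__3A"  # constructed stand-in for the post's "%3A -> __3A" idea


class ValidationError(ValueError):
    pass


def canonicalize(raw):
    """Undo percent-encoding until the value stops changing.

    Validating the decoded form is what makes the whitelist meaningful: a
    double-encoded %253A must not reach the application as ':' without the
    regex ever having seen a colon.
    """
    value = raw
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValidationError("value still changing after repeated decoding")


def get_valid_input(context, raw, type_name, max_length, allow_null=False):
    """Whitelist check modelled on ESAPI's getValidInput: canonicalize,
    cap the length, match the named pattern, return the clean value."""
    if raw is None or raw == "":
        if allow_null:
            return None
        raise ValidationError(f"{context}: empty value")
    value = canonicalize(raw)
    if len(value) > max_length:
        raise ValidationError(f"{context}: longer than {max_length}")
    if PATTERNS[type_name].fullmatch(value) is None:
        raise ValidationError(f"{context}: contains characters outside {type_name}")
    return value


def is_valid(raw, type_name, max_length=200):
    try:
        get_valid_input("param", raw, type_name, max_length)
        return True
    except ValidationError:
        return False


# Option A from the post: widen the whitelist so the colon is validated.
def validated_with_colon(raw):
    return get_valid_input("param", raw, "HTTPParameterWithColon", 200)


# Option B from the post: keep the narrow whitelist, stuff the colon on the
# client, validate the stuffed form, then unstuff. Note the order: the
# value that is actually used is produced AFTER the validator has run.
def stuffed_flow(raw):
    checked = get_valid_input("param", raw, "HTTPParameterValue", 200)
    return checked.replace(STUFF_MARKER, ":")


def used_value_passes_its_own_type(value, type_name):
    """Does the value handed to the application satisfy the validation
    type it was supposedly checked against? For option B the answer is no,
    which is the point: the control no longer covers the value in use."""
    return PATTERNS[type_name].fullmatch(value) is not None
```

Option A keeps one validation step on the value the JSP actually consumes; option B leaves the colon (and the whole unstuff path) outside the validator, so any later check of the stored or used value against the same rule fails, and the scanner result that motivated the change no longer describes what the code enforces.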