[Esapi-user] ESAPI Validation Problem
Chris Barlock
barlock at us.ibm.com
Fri Mar 22 18:08:19 UTC 2013
I recently added the ESAPI code for HTTP parameter validation in our JSPs. Our vulnerability scans now report zero cross-site scripting vulnerabilities, which is very good. Unfortunately, it causes a couple of other problems for us because sometimes we pass parameters that contain a colon on an HTTP GET request. A colon is, apparently, not a valid character in an HTTP parameter, so the validator throws an exception on such strings. One person on our team suggested URL-encoding the parameters and then using a form of byte-stuffing in the JavaScript to change the %3A (colon) to something that would pass through the validator, say __3A. The string could be unstuffed, I think, either in the JSP processing or back in the JavaScript.
Thoughts on this from a secure computing perspective? Other suggestions?
Thanks,
Chris
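As an added illustration (not part of Chris's post or of ESAPI itself), one way to keep whitelist validation for a parameter that legitimately carries a colon is to give that parameter its own narrow ESAPI rule, rather than stuffing the encoded colon into a form the default HTTPParameterValue rule happens to accept; the class name, the pattern and the parameter name below are assumptions:

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.StringValidationRule;

/**
 * Example only: a dedicated whitelist rule for one colon-bearing parameter.
 * Stuffing "%3A" into "__3A" would bypass the validator for every parameter;
 * a separate rule admits ':' only where it is expected and only in one shape.
 */
public final class ColonParamValidation {

    // Assumed value format: "prefix:identifier", letters/digits/_/- on both sides.
    private static final String COLON_PARAM_PATTERN =
            "^[A-Za-z0-9_-]{1,32}:[A-Za-z0-9_-]{1,31}$";

    private static final StringValidationRule RULE =
            new StringValidationRule("ColonParam", ESAPI.encoder(), COLON_PARAM_PATTERN);

    static {
        RULE.setMaximumLength(64);   // bound the length before the regex runs
        RULE.setAllowNull(false);    // a missing value is an error, not a pass
    }

    /** Canonicalizes (so %3A becomes ':') and then whitelists; throws on mismatch. */
    public static String validate(String rawParam)
            throws ValidationException, IntrusionException {
        return RULE.getValid("colonParam", rawParam);
    }

    /** Input validation does not replace output encoding at the HTML sink. */
    public static String forHtml(String validated) {
        return ESAPI.encoder().encodeForHTML(validated);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(forHtml(validate("acct:12345")));   // accepted
        try {
            validate("acct:<script>");                         // fails the whitelist
        } catch (ValidationException e) {
            System.out.println("rejected: " + e.getUserMessage());
        }
    }
}
```

Because the rule canonicalizes before matching, a client that sends the colon URL-encoded and one that sends it literally are validated identically, which removes the need for any stuffing/unstuffing step.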