[Esapi-user] ESAPI encoding issue (was "Re: Esau encoding issue")

Kevin W. Wall kevin.w.wall at gmail.com
Tue Nov 7 03:41:00 UTC 2017


[Posting this to the ESAPI-User mailing list.]

On Wed, Nov 1, 2017 at 2:40 PM, vasu.devbala2 <vasu.devbala2 at gmail.com> wrote:
> Hello,
> I found your contact details from
> https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API. I am
> using ESAPI in my application for encoding and decoding but I am getting
> error with particular string only.

<...moved chunk...>

> If you are right person to contact could you please tell me how to resolve
> this issue or guide me if you know someone who can resolve this issue.

Sorry this got lost. I didn't pick up immediately on the 'Esau' part
and recognize it was a typo of ESAPI. I've since changed the Subject
line. Your best bet is to post questions like this to the ESAPI-User's
mailing list.

> I am building html table in struts action class and sending it to client.
> Before sending I am encoding html table with
> ESAPI.encoder().encodeForJavaScript(html) and in javascript I am decoding
> with $ESAPI.encoder().cananicalize(html) but whenever I have \ft string in
> my html I am getting input is undefined error at line number
> 817(input.pushback(c);) in esapi.js. With other strings I am not facing any
> issue.

Am I correct in assuming that you are using "ESAPI for JavaScript"
rather than "ESAPI for Java" here. (That's what it looks like based on
the '$ESAPI.encoder()'.) That seems a bit odd if you are placing this
in a Struts Action class, but what do I know. Maybe it really does
make sense.

I'm not too familiar with the ESAPI for JavaScript, but I think you
probably do not want to call the 'canonicalize() method, at least
where you are calling it.

If you could provide a bit more context--maybe a specific example of
what you are doing and how it is being called and how it fails.

Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

More information about the Esapi-user mailing list