jeff.williams at owasp.org
Wed Apr 1 21:30:05 EDT 2009
onmouseover=[user input here]
I wrote these escaping routines before I wrote
heet (which a senior architect at a financial firm recently called "the best
actionable write up on XSS prevention that I've ever read. This paper, in
combination with ESAPI filters, gives people a real path to follow, rather
than just vague mumbling about how hard it is.").
Anyway, we need to update the ESAPI escaping routines to match. I think a
Anybody interested in dancing with the devil?
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Wednesday, April 01, 2009 7:53 PM
To: owasp-esapi at lists.owasp.org
It does not seem necessary in any modern browser, as long as your data is
properly quoted during assignment.
I would love a configurable version that lets me turn off space encoding for
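As an added illustration of the space-encoding question discussed above (example code written for this archive page, not code from the thread or from ESAPI): an escaper following the cheat sheet rule of encoding every non-alphanumeric character as &#xHH; sits beside a minimal escaper that leaves spaces alone, and both are run through Python's own HTML parser so the effect on an unquoted attribute versus a quoted one is visible. The function names and the constructed input are assumptions of this example.

```python
import html
from html.parser import HTMLParser


def escape_attr_full(value: str) -> str:
    """Cheat-sheet style attribute escaping: every character that is not
    ASCII [A-Za-z0-9] becomes &#xHH; (space and '=' included), so the
    value cannot terminate even an unquoted attribute."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):02X};")
    return "".join(out)


def escape_attr_minimal(value: str) -> str:
    """Escape only & < > \" and ' ; spaces are left as-is, which is
    enough only when the attribute value is enclosed in quotes."""
    return html.escape(value, quote=True)


class _AttrCollector(HTMLParser):
    """Records the attributes the parser saw on the (single) start tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs = dict(attrs)


def parse_attrs(markup: str) -> dict:
    """Return {name: value} as the HTML parser interprets the tag."""
    parser = _AttrCollector()
    parser.feed(markup)
    return parser.attrs


# Constructed untrusted input: harmless text that tries to smuggle in a
# second attribute by way of a space.
USER_INPUT = "hello class=injected"


def unquoted_minimal() -> dict:
    # Unquoted attribute + minimal escaping: the space ends the title
    # value and "class=injected" becomes a second attribute.
    return parse_attrs(f"<div title={escape_attr_minimal(USER_INPUT)}>")


def unquoted_full() -> dict:
    # Unquoted attribute + full escaping: space and '=' are encoded, so
    # the whole input stays inside the single title value.
    return parse_attrs(f"<div title={escape_attr_full(USER_INPUT)}>")


def quoted_minimal() -> dict:
    # Quoted attribute + minimal escaping: the quotes delimit the value,
    # so encoding the space is not needed here.
    return parse_attrs(f'<div title="{escape_attr_minimal(USER_INPUT)}">')
```

Run the three functions to compare the parsed attribute sets; only the unquoted, minimally escaped case yields an extra attribute.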