[OWASP-ESAPI] Encoding implementation issue...

Jeff Williams jeff.williams at owasp.org
Wed Dec 9 02:23:41 EST 2009


Hang on here...  I'm fairly sure that there's no reason to escape characters
above 0xFF for XSS purposes. The various parsers and interpreters in the
browser don't seem to recognize those characters as anything other than
normal text characters - not used for parsing or syntax.

I suspect that other parsers/interpreters follow this pattern as well, but I
could be proven wrong. Does anyone know of a parser that uses anything other
than ASCII for its control characters?

--Jeff


-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Ed Schaller
Sent: Tuesday, December 08, 2009 11:47 PM
To: OWASP-ESAPI; esapi-dev at lists.owasp.org
Subject: Re: [OWASP-ESAPI] Encoding implementation issue...

OK. I just committed unit tests for this. I know that we all agreed that we
wouldn't commit code that had failing unit tests but these are failing tests
exhibiting a rather serious current issue. Please forgive me.

The following codecs do not handle encoding of characters above 0xFF:

CSSCodec
HTMLEntityCodec
JavaScriptCodec
MySQLCodec (in standard mode as ANSI mode only escapes ')
PercentCodec
UnixCodec
VBScriptCodec
WindowsCodec

All of these codecs pass characters with values above 0xFF through totally
unencoded. I have opened issue 75 for this. I need to get some sleep but
I'll try to look at it more in the morning.

>>>------>
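An added illustration of the gap the unit tests above exercise (example code written for this thread, not ESAPI's own codecs): a whitelist HTML entity encoder that walks the input by code point and escapes everything above 0xFF, beside a Latin-1-only variant that reproduces the pass-through behaviour. The class and method names are assumptions.

```java
/**
 * Hypothetical encoder for this example; not ESAPI's HTMLEntityCodec.
 * Only ASCII alphanumerics are passed through unchanged; every other
 * code point becomes a hexadecimal numeric character reference.
 */
public final class CodePointHtmlEncoder {

    private static boolean isImmune(int cp) {
        return (cp >= '0' && cp <= '9') || (cp >= 'A' && cp <= 'Z') || (cp >= 'a' && cp <= 'z');
    }

    private static String numericRef(int cp) {
        return "&#x" + Integer.toHexString(cp) + ";";
    }

    /** Iterates by code point, so a surrogate pair is emitted as one
     *  reference rather than two unpaired surrogate references. */
    public static String encode(String input) {
        StringBuilder out = new StringBuilder(input.length() * 2);
        for (int i = 0; i < input.length(); ) {
            int cp = input.codePointAt(i);
            out.append(isImmune(cp) ? new String(Character.toChars(cp)) : numericRef(cp));
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    /** Escapes only 0x00-0xFF; anything above passes through unchanged,
     *  which is the behaviour the thread's failing tests capture. */
    public static String encodeLatin1Only(String input) {
        StringBuilder out = new StringBuilder(input.length() * 2);
        for (char c : input.toCharArray()) {
            out.append((isImmune(c) || c > 0xFF) ? String.valueOf(c) : numericRef(c));
        }
        return out.toString();
    }

    /** Test-style check: true if any code point above 0xFF survives encoding. */
    public static boolean leaksAboveFF(String encoded) {
        return encoded.codePoints().anyMatch(cp -> cp > 0xFF);
    }

    public static void main(String[] args) {
        // Constructed sample: '<', e-acute (U+00E9), Cyrillic Zhe (U+0416),
        // and U+1F600 written as its UTF-16 surrogate pair.
        String sample = "<b>\u00e9\u0416\uD83D\uDE00</b>";
        System.out.println(encode(sample));
        System.out.println("strict leaks: " + leaksAboveFF(encode(sample)));
        System.out.println("latin1 leaks: " + leaksAboveFF(encodeLatin1Only(sample)));
    }
}
```

The `leaksAboveFF` check is the shape of assertion a unit test for issue 75 would make: it passes for `encode` and fails for `encodeLatin1Only` on the same input.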


