[OWASP-ESAPI] Encoding implementation issue...

'Ed Schaller' schallee at darkmist.net
Wed Dec 9 09:09:29 EST 2009


> Hang on here...  I'm fairly sure that there's no reason to escape characters
> above 0xFF for XSS purposes. The various parsers and interpreters in the
> browser don't seem to recognize those characters as anything other than
> normal text characters - not used for parsing or syntax.

Currently I know of no XSS or other attacks that are using characters
above 0xFF. The same could be said about characters above 0x7F or
characters not listed on the XSS cheat sheet. The principle, however,
is whitelisting vs. blacklisting. Just because we don't know about
issues with these characters does not mean that there aren't issues with
them. There are 1113856 code points above 0xFF. Additionally, even if
these characters aren't normal syntax characters, that doesn't mean that some
poorly implemented parser doesn't mess them up.

>>>------>
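As an added illustration of the whitelisting principle argued in this message (example code written here, not ESAPI's encoder), a whitelist encoder that passes only known-safe characters and turns every other code point, including all 1113856 above 0xFF, into a numeric character reference, next to a blacklist encoder that only rewrites the handful of characters it knows about. The safe set and the sample strings are constructed for the demonstration.

```python
import string

# Assumed whitelist: letters, digits and a few punctuation characters that are
# never syntax in an HTML text node. Anything not in this set is encoded.
SAFE = frozenset(string.ascii_letters + string.digits + " ,.-_")


def encode_whitelist(text: str) -> str:
    """Whitelist policy: encode everything that is not explicitly known safe.

    Python iterates a str by code point, so a supplementary character
    (above U+FFFF) is one item here. A UTF-16 based implementation must
    combine surrogate pairs first, or it will emit two bogus references.
    """
    out = []
    for ch in text:
        if ch in SAFE:
            out.append(ch)
        else:
            out.append("&#x%X;" % ord(ch))  # hex numeric character reference
    return "".join(out)


# Blacklist policy: only the characters the author already knows are dangerous.
BLACKLIST = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def encode_blacklist(text: str) -> str:
    """Everything not in BLACKLIST is passed through untouched."""
    return "".join(BLACKLIST.get(ch, ch) for ch in text)


def code_points_above(limit: int) -> int:
    """Number of Unicode code points strictly above `limit` (max is U+10FFFF)."""
    return 0x10FFFF - limit


def only_ascii_survives(text: str) -> bool:
    """True when the whitelist encoder leaves no non-ASCII code point in its output."""
    return all(ord(c) < 0x80 for c in encode_whitelist(text))


if __name__ == "__main__":
    sample = "caf\u00e9 <b>\U0001F600"  # constructed: Latin-1, ASCII syntax, astral
    print(encode_whitelist(sample))
    print(encode_blacklist(sample))
    print(code_points_above(0xFF))
```

The blacklist output still contains the raw U+00E9 and U+1F600, which is exactly the "we don't know about issues with them" exposure; the whitelist output is plain ASCII regardless of what the input contained.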