[OWASP-ESAPI] Encoding implementation issue...

Jim Manico jim.manico at owasp.org
Wed Dec 9 15:29:50 EST 2009

... and these characters are used rarely, so I feel that encoding them,
anyhow, will have minimal performance impact. I say we go for it. I'd
rather someone complain about performance (like Knuth said, get it right
first, optimize later) than about under-aggressive encoding.

- Jim

>> Hang on here...  I'm fairly sure that there's no reason to escape characters
>> above 0xFF for XSS purposes. The various parsers and interpreters in the
>> browser don't seem to recognize those characters as anything other than
>> normal text characters - not used for parsing or syntax.
> Currently I know of no XSS or other attacks that are using characters
> above 0xFF. The same could be said about characters above 0x7F or
> characters not listed on the XSS cheat sheet. The principle however
> is white listing vs. black listing. Just because we don't know about
> issues with these characters does not mean that there aren't issues with
> them. There are 1113856 code points above 0xFF. Additionally, even though
> these characters aren't normal syntax characters, that doesn't mean that some
> poorly implemented parser doesn't mess them up.


- Jim Manico
OWASP ESAPI Project Manager

OWASP Podcast Host/Producer
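The allowlist-versus-blocklist point in the quoted exchange, as an added example that is not part of the original message or of ESAPI's own code. It places an allowlist HTML encoder, which encodes every code point outside a small "immune" set as a numeric character reference (so characters above 0xFF, including supplementary-plane ones, get the same treatment as `<`), beside a blocklist encoder that only escapes the five characters everyone already knows about. The immune set `,.-_ `, the function names and the sample string are assumptions made for this example:

```python
import html

# Allowlist of non-alphanumeric characters that pass through unencoded.
# This set is an assumption for the example, not ESAPI's actual immune list.
HTML_IMMUNE = frozenset(",.-_ ")

# Constructed sample input: an ASCII syntax character, a Latin-1 letter,
# U+2028 LINE SEPARATOR and a supplementary-plane character.
SAMPLE = "x<y \u00e9 \u2028 \U0001F600"


def encode_for_html(text: str) -> str:
    """Allowlist encoder: ASCII letters/digits and HTML_IMMUNE pass through;
    every other code point, whether it is '<', a C1 control, U+2028 or a
    character above U+FFFF, becomes a hex character reference.
    Iterating over a Python str yields whole code points, so a character
    above U+FFFF is emitted as one reference, not as two surrogates."""
    out = []
    for ch in text:
        if (ch.isascii() and ch.isalnum()) or ch in HTML_IMMUNE:
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):x};")
    return "".join(out)


def encode_for_html_blocklist(text: str) -> str:
    """Blocklist encoder shown for contrast: only five characters known to
    be dangerous are escaped; everything else is trusted as plain text."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
    return "".join(table.get(ch, ch) for ch in text)


def unencoded_non_ascii(encoder, text: str) -> list:
    """Audit helper: the non-ASCII code points an encoder emits verbatim.
    Character references are pure ASCII, so any non-ASCII character in the
    output was passed through by the encoder unencoded."""
    return sorted({ord(ch) for ch in encoder(text) if ord(ch) > 0x7F})


def round_trips(text: str) -> bool:
    """The allowlist output must still decode to the original text, i.e.
    aggressive encoding changes the representation, not the content."""
    return html.unescape(encode_for_html(text)) == text


if __name__ == "__main__":
    print("allowlist :", encode_for_html(SAMPLE))
    print("blocklist :", encode_for_html_blocklist(SAMPLE))
    print("trusted by blocklist:",
          [hex(cp) for cp in unencoded_non_ascii(encode_for_html_blocklist, SAMPLE)])
    print("round trip ok:", round_trips(SAMPLE))
```

Running it shows the blocklist encoder leaving U+00E9, U+2028 and U+1F600 in the output untouched, while the allowlist encoder emits `&#xe9;`, `&#x2028;` and `&#x1f600;` and still decodes back to the original string; the cost of the extra encoding is a longer output, not a change in what the browser renders.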
