[OWASP-ESAPI] Encoding implementation issue...

Jim Manico jim.manico at owasp.org
Wed Dec 9 15:29:50 EST 2009


... and these characters are used rarely, so I feel that encoding them,
anyhow, will have minimal performance impact. I say we go for it. I'd
rather someone complain about performance (Like Knuth said, get it right
first, optimize later), than under-aggressive encoding.

- Jim


>> Hang on here...  I'm fairly sure that there's no reason to escape characters
>> above 0xFF for XSS purposes. The various parsers and interpreters in the
>> browser don't seem to recognize those characters as anything other than
>> normal text characters - not used for parsing or syntax.
>>     
>
> Currently I know of no XSS or other attacks that are using characters
> above 0xFF. The same could be said about characters above 0x7F or
> characters not listed on the XSS cheat sheet. The principle however
> is white listing vs. black listing. Just because we don't know about
> issues with these characters does not mean that there aren't issues with
> them. There are 1113856 code points above 0xFF. Additionally, even if
> these characters aren't normal syntax characters doesn't mean that some
> poorly implemented parser doesn't mess them up.
>
>   
>>>> ------>
>>>>         
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> OWASP-ESAPI mailing list
>>>> OWASP-ESAPI at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>>>>         


-- 

- Jim Manico
OWASP ESAPI Project Manager
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

OWASP Podcast Host/Producer
http://www.owasp.org/index.php/OWASP_Podcast

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20091209/c4e10e27/attachment.html 


More information about the OWASP-ESAPI mailing list