[OWASP-ESAPI] 2.0 ESAPI Encoder Change Suggestions

Jim Manico jim.manico at owasp.org
Thu Dec 17 21:14:17 EST 2009


We were talking about adding the following to the encoder class:

    String encodeURI(String input) throws EncodingException; (ADD) does
NOT encode & = and +.  Useful for URI paths.
    String encodeURIComponent(String input) (ADD) => does encode & = and
+.  Useful for parameters.

But I'm running into a need to encode an entire URL, which makes me want
to take a second pass at this, which looks like:

    String encodeURI(String input) throws EncodingException; (ADD) does
NOT encode ://& = and +.  Useful for complete URIs such as
http://www.somesite.com?data=1&data2=3.
    String encodeURIPath(String input) throws EncodingException; (ADD)
does NOT encode & = and +.  Useful for URI paths such as
/SomeCoolServlet?data=1&data2=3.
    String encodeURIComponent(String input) (ADD) => URL encodes all
non-alphanumerics.  Useful for parameters.

(plus the three equivalent decode functions)

Now this is a little out of alignment with how JavaScript does it - any
thoughts?

- Jim



-- 

- Jim Manico
OWASP ESAPI Project Manager
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

OWASP Podcast Host/Producer
http://www.owasp.org/index.php/OWASP_Podcast
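
The message notes that the proposal is out of alignment with JavaScript. The following is an added example (not part of the original message and not ESAPI code) that compares JavaScript's built-in encodeURI and encodeURIComponent with a hypothetical encodeAllNonAlnum, which follows the "URL encodes all non-alphanumerics" description, on a constructed parameter value:

```javascript
// Added example. encodeAllNonAlnum is a hypothetical name for the proposed
// "URL encodes all non-alphanumerics" behaviour; it is not ESAPI code.
function encodeAllNonAlnum(input) {
  let out = "";
  for (const ch of input) {
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
      continue;
    }
    // Percent-encode each UTF-8 byte of the character.
    for (const b of new TextEncoder().encode(ch)) {
      out += "%" + b.toString(16).toUpperCase().padStart(2, "0");
    }
  }
  return out;
}

// Build "data=<value>" with the given encoder, then parse the query string
// back the way a receiver would, to see which parameters actually arrive.
function roundTrip(encoder, value) {
  const query = "data=" + encoder(value);
  return Object.fromEntries(new URLSearchParams(query));
}

// Constructed sample value containing the delimiters named in the message.
const value = "1&data2=3+4";

// Whole-URI encoder used on a parameter: & = + survive, so the value splits.
const viaEncodeURI = roundTrip(encodeURI, value);
// Component encoders: the value arrives intact as a single parameter.
const viaComponent = roundTrip(encodeURIComponent, value);
const viaStrict = roundTrip(encodeAllNonAlnum, value);

// Characters the JavaScript built-in leaves as-is but the strict version escapes.
function unescapedByBuiltin() {
  return "-_.!~*'()"
    .split("")
    .filter((c) => encodeURIComponent(c) === c && encodeAllNonAlnum(c) !== c)
    .join("");
}

console.log({ viaEncodeURI, viaComponent, viaStrict });
console.log("left unescaped by encodeURIComponent:", unescapedByBuiltin());
```
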
