[Owasp-leaders] Encoding projects at OWASP

Michael Eddington meddington at gmail.com
Wed Apr 13 14:44:01 EDT 2011


This seems like a typical OWASP issue, lots of projects each doing
things their own way :)

OWASP should have a single recommendation on how encoders should work, a
good standalone library and all owasp projects should follow those
requirements.  If possible the projects should build off of existing
reference code, but as long as we have a single voice of reason it's
okay to have different projects expose it their own way.  We can then
provide a comparison of 3rd party encoders vs. the owasp standard.

How Reform works:

Reform takes the conservative approach and encodes all characters except
for a short white list (0-9a-zA-Z,. ).  This includes *all* Unicode
characters.  Over the last 6 years I have not seen a new XSS attack that
was not blocked by this style of encoding.  This includes all Unicode
attacks.  I also wrote Microsoft's internal library which became
AntiXss, so they work about the same.

Proposed changes:

Rewrite the OWASP Encoding Project page to be more about how to
implement proper encoding functions, requirements, comparison with other
OWASP projects and 3rd party projects, link to Reform as reference
implementation.

mike


On 4/12/2011 8:06 AM, Jim Manico wrote:
> OWASP Leaders,
>
> At this point we have at least 3 different output encoding projects at OWASP all meant to stop XSS.
>
> The OWASP REFORM project led the charge. It's actually an incredibly powerful project with encoding support for a wide variety of languages!
>
> The ESAPI project has its own series of encoders in various states of completion. Overall, the Reform project looks more complete from a language point of view, while ESAPI supports a few more contexts that REFORM does not.
>
> I also started a new Java project intended to be a more high performance encoder for SaaS applications.
>
> There are also several encoders at Apache and other open source projects. 
>
> This is completely maddening for a developer. Where to go? What to use?
>
> So I'm wondering if there would be a way to bring these projects together somehow.
>
> John Steven and Dinis recommended we set up unit tests that all other encoder projects could use to verify their completeness. I'm a few years late, but I finally see the wisdom in this.
>
> Aloha from Paris,
> - Jim
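The "How Reform works" paragraph above describes an allow-list encoder: every character outside a short white list is encoded, Unicode included. The following is an added illustration of that approach in Python, not code from the Reform or ESAPI projects; the allow-list is the one quoted in the message, the decimal `&#N;` output form and the sample inputs are assumptions made here.

```python
"""Allow-list HTML output encoder in the style described for Reform.

Everything not on a short allow-list is encoded, so the encoder never
has to know which characters are "dangerous" in a given browser.
"""
import re

# Allow-list quoted in the message: digits, ASCII letters, comma, period, space.
ALLOWED = frozenset(
    "0123456789"
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    ",. "
)

_REF = re.compile(r"&#(\d+);")


def html_encode(text: str) -> str:
    """Encode each character outside ALLOWED as a decimal numeric reference.

    Iterates over code points, so a non-BMP character (e.g. an emoji)
    becomes one &#N; reference rather than two surrogate halves.
    """
    return "".join(ch if ch in ALLOWED else f"&#{ord(ch)};" for ch in text)


def html_decode(encoded: str) -> str:
    """Inverse of html_encode; used to check that encoding is lossless."""
    return _REF.sub(lambda m: chr(int(m.group(1))), encoded)


def is_safely_encoded(encoded: str) -> bool:
    """Invariant a cross-project unit test could assert: after removing
    well-formed &#N; references, only allow-listed characters remain."""
    return all(ch in ALLOWED for ch in _REF.sub("", encoded))


# Constructed sample inputs (not taken from the original message).
SAMPLES = [
    "Hello, world.",                       # entirely on the allow-list
    '<b onmouseover="x()">bold</b>',       # markup and attribute syntax
    "caf\u00e9 \u2028 \U0001F600",         # accented, line separator, astral
    "&#60;",                               # a pre-existing reference is re-encoded
]

if __name__ == "__main__":
    for sample in SAMPLES:
        encoded = html_encode(sample)
        assert html_decode(encoded) == sample and is_safely_encoded(encoded)
        print(repr(sample), "->", encoded)
```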
