Comments on Nick Coblentz: Presentation Layer Output Encoding: Apache Commons Lang StringEscapeUtils vs. OWASP Reform
(comment feed, last updated 2023-10-29)

jwilliams, 2010-09-23 13:06 (-05:00):
Hi Nick, we've updated ESAPI to make sure that illegal characters were replaced with the official U+FFFD character. Replacing with whitespace may allow an attacker more freedom.

Anonymous, 2008-08-22 12:07 (-05:00):
Thanks Nick! We've studied all the specs to try to get these right in ESAPI (they're linked in the javadocs). It's important to note that some characters are illegal in certain encoding schemes. If anyone notices any issues with the ESAPI encodings, please let us know: http://www.owasp.org/index.php/ESAPI.

Nick Coblentz, 2008-08-21 11:02 (-05:00):
I am looking into including ESAPI in the tests shortly. I'm not sure how I missed this project. It has a lot of really cool stuff in it beyond output encoding. I may write a post just about ESAPI in general in the near future.

Anonymous, 2008-08-21 00:11 (-05:00):
Hi - this is great work. It looks like there are some serious inconsistencies here in how output encoding is handled. Would you be willing to include OWASP ESAPI in the test? The latest version has codecs for all of these schemes and more, including CSS, MySQL, Oracle, etc. ESAPI also handles *decoding* (including double-encoding), which is quite complex. Thanks for this work!