OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License

Encoding Supplementary character creates an issue #34

Closed sudarshannavada closed 4 years ago

sudarshannavada commented 4 years ago

encoder.encodeForHtml of Japanese character “𠮷” ( 𠮷 ) resulting in �� and these code points are not identified by the HTML document. The browser doesn't understand surrogate pairs. We are using org.owasp.esapi esapi2.1.0.1 and ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder

Any leads will be appreciated.

jmanico commented 4 years ago

You referenced the ESAPI encoder but listed a bug in the OWASP Java Encoder. These are separate projects. Can you try this in the OWASP Java encoder?

-- Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805

sudarshannavada commented 4 years ago

Sorry for the mistake. I have tried org.owasp.encoder.Encode.forHtmlContent(String input), as the Javadoc says surrogate pairs are passed through if valid. Anyway, I got the solution! Thank you.
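As an added illustration of the behaviour the thread settles on (example code, not part of the issue or of the OWASP Java Encoder project), the snippet below encodes a constructed string containing U+20BB7 with Encode.forHtmlContent, checks that the surrogate pair survives intact, and shows how a lone surrogate half (the state that produces replacement characters in a browser) can be detected before output. It assumes the org.owasp.encoder:encoder artifact is on the classpath.

```java
import java.nio.charset.StandardCharsets;
import org.owasp.encoder.Encode;

public class SupplementaryEncodeCheck {

    // Constructed sample: U+20BB7 (𠮷) is a supplementary character, so in a
    // Java String it is stored as two UTF-16 chars: \uD842 (high) + \uDFB7 (low).
    static final String SAMPLE = "<b>" + new String(Character.toChars(0x20BB7)) + "</b>";

    /** True when every surrogate char in s belongs to a well-formed high/low pair. */
    static boolean hasOnlyWellFormedSurrogates(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (Character.isHighSurrogate(c)) {
                if (i + 1 >= s.length() || !Character.isLowSurrogate(s.charAt(i + 1))) {
                    return false; // high half with no low half following it
                }
                i++; // skip the low half that was just validated
            } else if (Character.isLowSurrogate(c)) {
                return false; // low half with no preceding high half
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String encoded = Encode.forHtmlContent(SAMPLE);
        // The markup is escaped; the supplementary character is passed through as-is,
        // so the encoded text still contains the full code point U+20BB7.
        System.out.println(encoded);
        int idx = encoded.indexOf('\uD842');
        System.out.println("code point preserved: " + (idx >= 0 && encoded.codePointAt(idx) == 0x20BB7));
        System.out.println("encoded output well-formed: " + hasOnlyWellFormedSurrogates(encoded));

        // What corrupts the character is any per-char processing that separates the
        // two halves. A lone surrogate has no UTF-8 representation: Java's encoder
        // substitutes a replacement byte, and a browser renders such bytes as U+FFFD.
        String loneHigh = SAMPLE.substring(3, 4); // just the high half, split off on purpose
        System.out.println("lone half well-formed: " + hasOnlyWellFormedSurrogates(loneHigh));
        byte[] utf8 = loneHigh.getBytes(StandardCharsets.UTF_8);
        System.out.println("lone half serialises to " + utf8.length + " byte(s) of replacement data");
    }
}
```

Running the well-formedness check on strings assembled from untrusted input, before they reach the encoder, distinguishes a genuine encoder defect from upstream code that has already split a pair.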