The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
The current toXML method escapes for XML 1.0. Specifically, the difference is that XML 1.1 allows all characters [#x1-#x1F], whereas XML 1.0 only allows some of these.
As an aside, the current XML encoder has a comment that these invalid characters should be replaced with a � character; however, the escaper actually replaces them all with a space character. I was under the impression that these methods didn't do sanitisation, only escaping?