batchu / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

DefaultEncoder.encodeHTMLForAttribute() doesn't escape spaces #111

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Execute ESAPI.encoder().encodeForHTMLAttribute(" ")

What is the expected output? What do you see instead?
You would expect to see the ' ' character escaped since it is not included
in the IMMUNE_HTMLATTR character set (and this is allegedly one of the
differentiators between this method and the encodeForHTML() method).
However, you get an unencoded space because the underlying HTMLEntityCodec
makes exceptions for the values in UNENCODED_SET, which contains both the
space and the \t character.

What version of the product are you using? On what operating system?
1.4.4

Please provide any additional information below.

Original issue reported on code.google.com by fiddlerpianist@gmail.com on 25 Feb 2010 at 10:28
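To make the reported behaviour concrete, here is a small stand-alone model of the two encoding paths (added example, not ESAPI's code): a per-character attribute encoder that honours a codec-level UNENCODED_SET, beside one that consults only the caller's immune set. The set contents (IMMUNE_HTMLATTR without the space, UNENCODED_SET with space and tab) follow the issue text; the class and method names are this example's own.

```java
import java.util.Set;

/** Added example modelling issue #111; not ESAPI source. */
public class AttributeEncodingDemo {
    // Attribute-context immune set as described in the issue: no space.
    static final Set<Character> IMMUNE_HTMLATTR = Set.of(',', '.', '-', '_');
    // Codec-level exemption the issue identifies as the cause of the bug.
    static final Set<Character> UNENCODED_SET = Set.of(' ', '\t');

    static boolean isAlphanumeric(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    static String hexEntity(char c) {
        return "&#x" + Integer.toHexString(c) + ";";
    }

    /** Buggy path: UNENCODED_SET lets a raw space through even though it is not immune.
     *  In an unquoted attribute a raw space ends the attribute value, which is exactly
     *  why the attribute encoder is stricter than encodeForHTML(). */
    static String encodeBuggy(String input) {
        StringBuilder out = new StringBuilder();
        for (char c : input.toCharArray()) {
            if (isAlphanumeric(c) || IMMUNE_HTMLATTR.contains(c) || UNENCODED_SET.contains(c)) {
                out.append(c);
            } else {
                out.append(hexEntity(c));
            }
        }
        return out.toString();
    }

    /** Fixed path: only alphanumerics and the caller's immune set pass through. */
    static String encodeFixed(String input) {
        StringBuilder out = new StringBuilder();
        for (char c : input.toCharArray()) {
            if (isAlphanumeric(c) || IMMUNE_HTMLATTR.contains(c)) {
                out.append(c);
            } else {
                out.append(hexEntity(c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String sample = "a b\tc"; // constructed input containing the two exempted characters
        System.out.println("buggy: [" + encodeBuggy(sample) + "]");
        System.out.println("fixed: [" + encodeFixed(sample) + "]");
    }
}
```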

GoogleCodeExporter commented 8 years ago

Original comment by schal...@darkmist.net on 27 Feb 2010 at 12:13

GoogleCodeExporter commented 8 years ago
Fixed for 1.4 in revision 1194.

The 2.0 branch is currently replacing illegal characters with a space so what to do there needs to be decided before forward porting.

Original comment by schal...@darkmist.net on 27 Feb 2010 at 12:53

GoogleCodeExporter commented 8 years ago

Original comment by schal...@darkmist.net on 16 May 2010 at 1:56

GoogleCodeExporter commented 8 years ago
Fixed in rev 1545

Original comment by schal...@darkmist.net on 23 Sep 2010 at 3:12