Open GoogleCodeExporter opened 8 years ago
Yes.. I too found the same difference between('space' whitelisted in
encodeForHTML) the two (Or am I missing something ?) ..
If that is the case , why not use encodeForHTMLAttribute in all the places
replacing encodeForHTML.. ?
will this cause some other problem?
Please throw us some light .
Awaiting your help.
Thanks in Advance,
Dinesh
Original comment by asdinesh...@gmail.com
on 16 Aug 2012 at 4:00
I had the same question and it looks like the only different is in
org/owasp/esapi/reference/DefaultEncoder.java:
private final static char[] IMMUNE_HTML = { ',', '.', '-', '_', ' ' };
private final static char[] IMMUNE_HTMLATTR = { ',', '.', '-', '_' };
However, I wasn't able to find the UNENCODE_SET in HTMLEntityCodec like
mentioned above. So it does seem like this is performing two separate functions.
Also, I'm curious how the attack vector works. I found this:
<img src= onerror=alert("XSS");>
Does anybody know what browsers this fires on? Does anybody have a different
vector?
Original comment by abashkin...@gmail.com
on 24 Sep 2012 at 7:29
Also, is there a big impact if we decide to encode the space for both HTML and
HTMLAttr?
Original comment by abashkin...@gmail.com
on 24 Sep 2012 at 7:31
Original issue reported on code.google.com by
wettstei...@gmail.com
on 18 Jul 2012 at 10:31