Calling
ESAPI.validator().getValidSafeHTML();
with
<scr<script>ipt>
returns
ipt>
The problem is "nekohtml.jar". ESAPI 2.0.1 comes with nekohtml-1.9.12.jar, and
ESAPI 1.4 used another one which has no version in its name, so I am not sure which
version it is, but it does not matter. 1.4 works correctly, but 2.0.1 returns the
output described above. I have tried the latest version of nekohtml, which is
1.9.15, and this one works fine again ("<scr<script>ipt>" => "").
Original issue reported on code.google.com by Christop...@googlemail.com on 18 Jul 2012 at 4:38