search

fusioncop / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

encodeForCSS brakes color values #298

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. String color = "#FF00FF";
2. <style> h1{ background-color: <%=Encoder.encodeForCSS(color)%> } </style>

What is the expected output? What do you see instead?
<style> h1{ background-color: #FF00FF } </style>

What version of the product are you using? On what operating system?
ESAPI-1.4.4

Does this issue affect only a specified browser or set of browsers?
All browsers. 

Please provide any additional information below.

encodeForCSS is will change # to \23. So user input color is not set to my h1 
tag.

Original issue reported on code.google.com by sendtom...@gmail.com on 20 Apr 2013 at 3:33