ibnemahdi / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Handling of multiple and mixed encoding is incorrect in canonicalization #231

Status: Closed (closed by GoogleCodeExporter 9 years ago)

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set Encoder.AllowMixedEncoding and Encoder.AllowMultipleEncoding in esapi properties to false.
2. Use ESAPI.validator().getValidInput(...) in a test case. Use a double encoded value.
3. Currently this will be accepted.

What is the expected output? What do you see instead?
This should throw an IntrusionException.

What version of the product are you using? On what operating system?
ESAPI 2.0GA
org.owasp.esapi.reference.DefaultEncoder.java
Revision: 1630

http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java?spec=svn1853&r=1630

Does this issue affect only a specified browser or set of browsers?
All.

Please provide any additional information below.

The usage of the Encoder.AllowMixedEncoding and Encoder.AllowMultipleEncoding parameters is incorrect within the above class.
The AllowMixedEncoding sets a parameter called restrictMixed which then flips the usage.
e.g. When AllowMultipleEncoding=false, the code will actually allow multiple encoding, the reverse of what it should be doing.

Original issue reported on code.google.com by sickska...@gmail.com on 11 Jul 2011 at 11:33
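The report above describes an allow/restrict inversion: the `Encoder.Allow*Encoding` properties state what is permitted, while the canonicalizer internally takes `restrictMultiple`/`restrictMixed` flags, so passing one through as the other silently accepts double-encoded input. The following is an added, self-contained illustration written for this page; it is not ESAPI's `DefaultEncoder` code. It assumes a toy canonicalizer with two hypothetical codecs (percent-encoding and decimal HTML numeric entities) and a hypothetical `canonicalizeWithProperties` helper that performs the property-to-flag mapping explicitly. The property names and the `IntrusionException` name come from the report; everything else is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical minimal canonicalizer (not ESAPI's DefaultEncoder) that shows
// how "Allow*" properties must be negated into "restrict*" flags.
public class CanonicalizeDemo {

    static class IntrusionException extends RuntimeException {
        IntrusionException(String msg) { super(msg); }
    }

    // One decoder. decodeOnce returns null when the input contains nothing it can decode.
    interface Codec { String name(); String decodeOnce(String s); }

    // %XX percent-decoding (assumed codec for this example).
    static final Codec PERCENT = new Codec() {
        public String name() { return "percent"; }
        public String decodeOnce(String s) {
            StringBuilder sb = new StringBuilder();
            boolean changed = false;
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                if (c == '%' && i + 2 < s.length()
                        && Character.digit(s.charAt(i + 1), 16) >= 0
                        && Character.digit(s.charAt(i + 2), 16) >= 0) {
                    sb.append((char) Integer.parseInt(s.substring(i + 1, i + 3), 16));
                    i += 2;
                    changed = true;
                } else {
                    sb.append(c);
                }
            }
            return changed ? sb.toString() : null;
        }
    };

    // &#NNN; decimal HTML numeric entities (assumed codec for this example).
    static final Codec HTML_ENTITY = new Codec() {
        private final Pattern entity = Pattern.compile("&#(\\d{1,5});");
        public String name() { return "html-entity"; }
        public String decodeOnce(String s) {
            Matcher m = entity.matcher(s);
            StringBuffer sb = new StringBuffer();
            boolean changed = false;
            while (m.find()) {
                changed = true;
                String ch = String.valueOf((char) Integer.parseInt(m.group(1)));
                m.appendReplacement(sb, Matcher.quoteReplacement(ch));
            }
            m.appendTail(sb);
            return changed ? sb.toString() : null;
        }
    };

    // Decode until nothing changes, recording which codec fired on each pass.
    // restrictMultiple rejects more than one decoding pass; restrictMixed rejects
    // passes by more than one distinct codec. Both flags mean "restrict", not "allow".
    static String canonicalize(String input, boolean restrictMultiple, boolean restrictMixed) {
        String working = input;
        List<String> passes = new ArrayList<>();
        boolean progress = true;
        while (progress) {
            progress = false;
            for (Codec codec : new Codec[] { PERCENT, HTML_ENTITY }) {
                String decoded = codec.decodeOnce(working);
                if (decoded != null) {
                    passes.add(codec.name());
                    working = decoded;
                    progress = true;
                }
            }
        }
        long distinctCodecs = passes.stream().distinct().count();
        if (passes.size() >= 2 && restrictMixed && distinctCodecs > 1) {
            throw new IntrusionException("mixed encoding detected: " + passes);
        }
        if (passes.size() >= 2 && restrictMultiple) {
            throw new IntrusionException("multiple encoding detected: " + passes);
        }
        return working;
    }

    // The property says what is ALLOWED; the canonicalizer takes what is RESTRICTED.
    // The negation here is exactly the step the report says was missing/inverted.
    static String canonicalizeWithProperties(String input, Properties props) {
        boolean allowMultiple = Boolean.parseBoolean(props.getProperty("Encoder.AllowMultipleEncoding", "false"));
        boolean allowMixed = Boolean.parseBoolean(props.getProperty("Encoder.AllowMixedEncoding", "false"));
        return canonicalize(input, !allowMultiple, !allowMixed);
    }

    public static void main(String[] args) {
        Properties props = new Properties(); // constructed sample configuration
        props.setProperty("Encoder.AllowMultipleEncoding", "false");
        props.setProperty("Encoder.AllowMixedEncoding", "false");

        // Single encoding is fine: prints "<b>"
        System.out.println(canonicalizeWithProperties("%3Cb%3E", props));

        // Double-encoded and mixed-encoded inputs must be rejected under these settings.
        for (String input : new String[] { "%253Cb%253E", "%26%2360;b%26%2362;" }) {
            try {
                canonicalizeWithProperties(input, props);
                System.out.println("NOT REJECTED (inversion bug present): " + input);
            } catch (IntrusionException e) {
                System.out.println("rejected " + input + " -> " + e.getMessage());
            }
        }
    }
}
```

The `main` doubles as the regression check the reporter asks for: with both properties set to `false`, the double-encoded and mixed-encoded inputs must raise `IntrusionException`, and a build that prints "NOT REJECTED" has the allow/restrict mapping wired backwards.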

GoogleCodeExporter commented 9 years ago
This is definitely a huge issue, will be included in 2.0.1 Maintenance Release

Original comment by chris.sc...@owasp.org on 12 Jul 2011 at 7:14

GoogleCodeExporter commented 9 years ago
Fixed with rev 1854

Original comment by chrisisbeef on 23 Jul 2011 at 8:18