JavaRanch » Java Forums » Engineering » Security

ESAPI validation of an html content

Dmitry Kudelko
Greenhorn

Joined: Dec 26, 2012
Posts: 1
Hi, we are using ESAPI for validating user input in a web-based application. Currently we have trouble validating the content of an HTML editor (such as CK or TinyMCE): we get an exception that says mixed encoding was detected. It is thrown by a method called "canonicalize".

And the reason for it is that any HTML content can potentially contain two encodings: URL encoding (for example %20) and HTML encoding (various HTML entities like &, etc.). From the HTML point of view this is completely valid.
Of course there is an option to switch off the detection of mixed encoding in ESAPI. However, ESAPI says that it is preferable to keep it switched on to prevent XSS attacks.

So the question is what is the correct way of validating such a content?
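An added example (not from the post) in Java against ESAPI 2.x, assuming ESAPI.properties and antisamy-esapi.xml are on the classpath: it reproduces the strict-canonicalization rejection on a constructed editor fragment, and then runs the same fragment through ESAPI's HTML-specific validation rule, which parses the markup with AntiSamy instead of canonicalizing it as an opaque string.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class HtmlEditorValidation {

    // Constructed sample of what a rich-text editor emits: the href is URL-encoded (%20)
    // while the text node is entity-encoded (&amp;), so a strict canonicalizer sees two
    // encodings in one string even though the markup itself is perfectly valid HTML.
    static final String EDITOR_HTML =
        "<p>Tom &amp; Jerry: <a href=\"/docs/my%20file.html\">my file</a></p>";

    // Reproduces the failure from the post: canonicalize() in strict mode decodes with
    // several codecs (HTML entities, percent encoding, ...) and throws IntrusionException
    // when more than one codec actually decoded something.
    static boolean strictCanonicalizeRejects(String input) {
        try {
            ESAPI.encoder().canonicalize(input, true);
            return false;
        } catch (IntrusionException e) {
            return true;   // "mixed encoding detected"
        }
    }

    // Validates editor output as HTML rather than as a flat string: ESAPI delegates to
    // AntiSamy, which parses the markup and keeps only the tags and attributes that the
    // antisamy-esapi.xml policy allows. Returns the cleaned HTML or throws if it cannot
    // be made safe. The context label "editorContent" is an arbitrary name for logging.
    static String validateEditorHtml(String input) throws ValidationException {
        return ESAPI.validator().getValidSafeHTML("editorContent", input, 100000, false);
    }

    public static void main(String[] args) throws ValidationException {
        System.out.println("strict canonicalize rejects: " + strictCanonicalizeRejects(EDITOR_HTML));
        System.out.println("cleaned: " + validateEditorHtml(EDITOR_HTML));
        // Disallowed markup is removed by the policy rather than rejected by the canonicalizer.
        System.out.println("cleaned: " + validateEditorHtml(EDITOR_HTML + "<script>alert(1)</script>"));
    }
}
```

Which elements survive depends entirely on the AntiSamy policy file, so review antisamy-esapi.xml against what the editor is expected to produce before relying on the cleaned output.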