

JavaRanch » Java Forums » Engineering » Security

ESAPI validation of an html content

Dmitry Kudelko
Greenhorn

Joined: Dec 26, 2012
Posts: 1
Hi, we are using ESAPI for validating user input in a web-based application. Currently we have trouble validating the content of an HTML editor (such as CK or TinyMCE): we get an exception that says that mixed encoding was detected. It is thrown by a method called "canonicalize".

And the reason for it is that any HTML content can potentially contain two encodings: URL encoding (which is, for example, %20) and HTML encoding (various HTML entities like &amp;, &nbsp; etc.). From the HTML point of view this is completely valid.
Of course there is an option to switch off the detection of mixed encoding in ESAPI. However, ESAPI says that it is preferable to keep it switched on to prevent XSS attacks.

So the question is: what is the correct way of validating such content?
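An added example, not from the original post and not ESAPI's own code: a small Python re-implementation of the counting loop in ESAPI 2.x's DefaultEncoder.canonicalize() as I understand it (an assumption about that class, not a copy of it). Each codec decodes the input in turn until nothing changes; a pass in which something decoded counts towards "multiple" (nested) encoding, and each further distinct codec that fires counts towards "mixed" encoding. Only the HTML-entity and percent codecs are modelled, the JavaScript codec is left out, and all sample inputs are constructed. It reproduces why editor output trips the mixed check (two codecs fire, one pass each) and why a nested payload such as a URL-encoded entity is still rejected by the multiple-encoding check even when mixed detection is relaxed.

```python
"""Re-implementation of the canonicalize() counting logic, so the
"mixed encoding" rejection can be reproduced offline. Not ESAPI's code."""
import html
from urllib.parse import unquote

# Codecs in the order the ESAPI default codec list tries them (HTML entities
# first, then percent/URL encoding). JavaScript escapes are omitted here.
CODECS = {
    "html": html.unescape,
    "percent": unquote,
}


def canonicalize(value, restrict_multiple=True, restrict_mixed=True):
    """Decode until stable. Returns (decoded, passes, codecs_fired).
    passes      = number of decode rounds in which something changed (nested encoding)
    codecs_fired = number of distinct codecs that changed the input (mixed encoding)
    Raises ValueError where ESAPI raises IntrusionException."""
    working = value
    codec_found = None
    mixed_count = 1
    found_count = 0
    clean = False
    while not clean:
        clean = True
        for name, decode in CODECS.items():
            old = working
            working = decode(working)
            if old != working:
                if codec_found is not None and codec_found != name:
                    mixed_count += 1
                codec_found = name
                if clean:          # first change in this round: one more pass
                    found_count += 1
                clean = False
    if found_count >= 2 and mixed_count > 1:
        if restrict_multiple or restrict_mixed:
            raise ValueError(f"multiple ({found_count}x) and mixed ({mixed_count}x) encoding in {value!r}")
    elif found_count >= 2:
        if restrict_multiple:
            raise ValueError(f"multiple ({found_count}x) encoding in {value!r}")
    elif mixed_count > 1:
        if restrict_mixed:
            raise ValueError(f"mixed ({mixed_count}x) encoding in {value!r}")
    return working, found_count, mixed_count


def check(value, **restrictions):
    """Run canonicalize() and report the outcome instead of raising."""
    try:
        decoded, passes, codecs = canonicalize(value, **restrictions)
        return {"rejected": False, "decoded": decoded, "passes": passes, "codecs": codecs}
    except ValueError as exc:
        return {"rejected": True, "reason": str(exc)}


# Constructed samples.
# Typical rich-text editor output: an entity in the text and %20 in a link.
# Each encoding appears once, in a different place; nothing is nested.
EDITOR_HTML = '<p>Hello&nbsp;world <a href="/search?q=a%20b">link</a></p>'
# Ordinary HTML with a single, non-nested entity.
PLAIN_HTML = '<p>Hello &amp; goodbye</p>'
# Evasion attempt: URL-encoding that, once decoded, reveals HTML entities
# that in turn decode to <script>. Two passes AND two codecs.
NESTED_ATTACK = '%26%2360;script%26%2362;alert(1)%26%2360;/script%26%2362;'
# Evasion attempt: the same codec applied twice (double URL-encoding).
DOUBLE_URL = '%253Cscript%253E'

if __name__ == "__main__":
    for label, sample in [("editor", EDITOR_HTML), ("plain", PLAIN_HTML),
                          ("nested", NESTED_ATTACK), ("double-url", DOUBLE_URL)]:
        print(f"{label:10} strict:      {check(sample)}")
        print(f"{label:10} mixed off:   {check(sample, restrict_mixed=False)}")
```

Run as a script it prints each sample under the strict defaults and again with only the mixed-encoding restriction relaxed. The editor sample is rejected only by the mixed check (one pass, two codecs), while both evasion samples are rejected by the multiple-encoding check as well, because decoding one layer exposes another; that second check is what still stands between a relaxed mixed setting and a nested payload, and it is why the editor content and the attack look different to the algorithm even though both contain two encodings.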
 