As the library grows I think we'll start to have a lot of different escapers and subsequently, different method names and tag libraries. This may get confusing and also creates large nesting of methods. E.g. escaperA(escaperB(escaperC(tainted_data))). As an option I'm proposing adding a generic escaping name with a second field (first field is still the input string) that takes a List of Context enums. This would allow the author to declare the intent more succinctly to me. The underlying implementation would then just iterate over the list, calling the respective escaper method. While this adds some overhead, I think there's a benefit for some people.

From Jim Manico via email. (Jim authorized the content of the email to be posted in this bug).

Email:

From: Jim Manico
Subject: Escaper
Date: January 19, 2013 2:36:37 PM PST
To: Andy Chou, Jon Passki, Jeff Ichnowski, Jeremy Long

Andy and Jon,

CSL is remarkable, nice work gentlemen.

I think there are ways to make your JS encoder a bit more efficient (in terms of encoding output containing less characters).

Here is detailed explanation:

"(We think that) '<' is not the dangerous thing in JS, but '</' is.  Of course if you escape '<' then you escape '</', the solution in owasp > encoders is to escape '/' to '/'.  Thus '</script>' is encoded as '</script>' instead of '\x2c/script>' (or as the coverity case '\u002c/sc> ript>'> ).  The net result is saving 4 characters over coverity's unicode and 2 over the shorter hex-encoded alternative to coverity's.  In my experi> ence > though, '<' appears in a lot of JS strings, so it adds up." (from Jeff Ichnowski)>

This is a subtle point, but we wanted to let you know what we see what you are up to, it's awesome, and wanted to throw some feedback your way.

Last note, I really think the universe needs a Encoder test project.

I wanted to use some of your unit tests and Escaper research, and combine that with research from Jeff Williams (ESAPI), Jeff Ichnowski (OWASP > Encoder Project for Java), Mike Samuel (OWASP Java HTML Sanetizer and Google AppSec Lead for CAJA an others), Jeremy Long (Wells Fargo) as well> as > a few others who care about XSS Escaping, and form a working group.>

I am hoping that we can publish a language neutral test suite to check if anyone Escaper/Encoder class has been done in a secure fashion.

I write to you as a non profit board member of OWASP. That hat is 100% on. Please note I compete with you in the business world, and I'm > celebrating your work, providing a potential enhancement to it, and hoping we can all work together to serve the community.>

Aloha,
Jim Manico
OWASP Board Member
@manicode
(808) 652-3805

From some emails and in-person feedback, I've heard about the following requested languages:

• .NET / C#
• python

This is a placeholder issue since these other languages probably should be in a different repository. Or, if they're all going to be here, then we'll need to re-organize this repository. I'm open to either since the end-user consumables probably won't be this source code. E.g., for Java it'll probably be Maven artifacts in Sonatype's Central.

The current implementation does not JS string escape '%' and this can cause issues when the wrong sequence of escapers are used in a javascript: URI.
The recommendation is to JS string escape -> URI encode -> HTML escape, but when adding % to JS string escape, we can factor out the URI encoder.

I hope this is just due to my ignorance, but why is the semi-column (;) not escaped? It seemed open the door for attacks like this,

coverity jsp/el escaping
<!-- Example of usage within a JSP --> 
<!-- http://localhost:8080/HelloJSP/jsp/testcout.jsp?foo=2;alert(1);  -->
<script type="text/javascript">
    // var n1 = <%=Escape.jsString("1.5; alert(1);") %>;
    var n3 = <%=Escape.jsString(request.getParameter("foo")) %>;
</script>

Maybe I'm missing something here. Please advise.

Not available LICENSE file in source directory structure
Please. Added license and copyright notice.
the fedora pakaging guideline is very strictly precise about this problem
https://fedoraproject.org/wiki/Packaging:LicensingGuidelines?rd=Packaging/LicensingGuidelines#License_Text
thanks
regards