double encoded payloads and getsafehtml

Nov 11, 2010 at 8:46 PM

I was wondering what is the opinion about decoding payloads prior to passing them over to the getsafehtml/fragment. 

In some cases, when one or more encodings are applied to a payload, all getsafehtml does is leave it encoded. It still makes me nervous not to see some of it stripped. 

What do y'all think? 


example: <SCRIPT SRC=http://testsite.com/xss.js></SCRIPT>
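The situation described in the post, written up as an added illustration (this is not code from the original post, and it is not the AntiXSS library): a small allowlist sanitizer stands in for getsafehtml, the example payload is URL-encoded twice (constructed here), and a canonicalize step decodes the input to a fixed point before the sanitizer sees it. The stand-in sanitizer, the decoding bound and the function names are all assumptions made for the example.

```python
import html
import re
from urllib.parse import quote, unquote

# The payload from the post, used as the sample input.
PAYLOAD = "<SCRIPT SRC=http://testsite.com/xss.js></SCRIPT>"

# Tags the stand-in sanitizer keeps; everything else is dropped (assumption).
ALLOWED_TAGS = {"b", "i", "p"}


def encode_layers(text, layers):
    """Constructed helper: URL-encode `text` `layers` times (every byte encoded)."""
    for _ in range(layers):
        text = quote(text, safe="")
    return text


def naive_sanitize(fragment):
    """Stand-in for an HTML sanitizer: remove script elements and any tag not
    in ALLOWED_TAGS. It only understands literal '<' and '>' characters, so
    encoded text passes through untouched, which is the behaviour the post
    is asking about."""
    out = re.sub(r"<script\b[^>]*>.*?</script\s*>", "", fragment,
                 flags=re.I | re.S)

    def keep_or_drop(match):
        return match.group(0) if match.group(2).lower() in ALLOWED_TAGS else ""

    return re.sub(r"<(/?)([A-Za-z][\w-]*)[^>]*>", keep_or_drop, out)


def canonicalize(text, max_rounds=5):
    """Undo URL and HTML-entity encoding until the text stops changing.
    Bounded: with max_rounds=5 at most four encoding layers are accepted;
    anything deeper is rejected as suspicious rather than decoded further."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            return text
        text = decoded
    raise ValueError(
        "input did not reach a stable form within %d decoding rounds" % max_rounds)


def sanitize_encoded_input(text):
    """Canonicalize first, then sanitize, so the sanitizer sees what a
    downstream decoder would eventually see."""
    return naive_sanitize(canonicalize(text))


def demo():
    """Show the three cases side by side; returns them for inspection."""
    once = encode_layers(PAYLOAD, 1)
    twice = encode_layers(PAYLOAD, 2)
    return {
        "plain -> sanitizer": naive_sanitize(PAYLOAD),          # script removed
        "encoded x1 -> sanitizer": naive_sanitize(once),        # unchanged
        "encoded x2 -> sanitizer": naive_sanitize(twice),       # unchanged
        "encoded x2 -> canonicalize": canonicalize(twice),      # back to PAYLOAD
        "encoded x2 -> canonicalize -> sanitizer": sanitize_encoded_input(twice),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print("%-40s %r" % (label, value))
```

Whether to decode at all depends on what consumes the output: if the sanitized string is emitted as-is and nothing downstream URL- or entity-decodes it again, the encoded text is inert; if a later stage does decode it (a URL attribute, a redirect parameter, a second template pass), the sanitizer must operate on the decoded form, and a bounded fixed-point decode as above is one way to get there. Rejecting multi-layer encoding outright instead of unwrapping it is an equally defensible choice.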