double encoded payloads and getsafehtml

Nov 11, 2010 at 9:46 PM

I was wondering what is the opinion about decoding payloads prior to passing them over to the getsafehtml/fragment. 

In some cases, when one or more encodings are applied to a payload, all getsafehtml does is leave it encoded. It still makes me nervous to not see some of it stripped.

What y'all think?


example: <SCRIPT SRC=></SCRIPT>
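
An added example, not part of the original post and not AntiXSS code: one way to approach the question is to count how many decoding steps an input needs before it stops changing, and to treat nested encoding as a signal before the text reaches the sanitizer. The function names, the five-step cap and the reject-on-nested-encoding policy are assumptions, and the sample strings are constructed.

```python
import html
from urllib.parse import unquote

MAX_STEPS = 5                      # assumed cap so input cannot force unbounded work
DECODERS = (unquote, html.unescape)  # percent-decoding, then HTML entity decoding

# Constructed sample inputs (benign markup), one per encoding depth.
SAMPLES = ["hello", "&lt;b&gt;", "&amp;lt;b&amp;gt;", "%253Cb%253E", "%26lt%3Bb%26gt%3B"]


def peel_layer(text):
    """Remove one encoding layer: apply the first decoder that changes the text."""
    for decode in DECODERS:
        decoded = decode(text)
        if decoded != text:
            return decoded
    return text


def canonicalize(text, max_steps=MAX_STEPS):
    """Decode until stable. Returns (canonical_text, steps_taken).

    Raises ValueError if the text is still changing after max_steps.
    """
    current, steps = text, 0
    while steps < max_steps:
        decoded = peel_layer(current)
        if decoded == current:
            return current, steps
        current, steps = decoded, steps + 1
    if peel_layer(current) != current:
        raise ValueError("still changing after %d decoding steps" % max_steps)
    return current, steps


def classify(text):
    """Assumed policy: 0 or 1 step goes to the sanitizer, 2 or more is rejected."""
    try:
        canonical, steps = canonicalize(text)
    except ValueError:
        return "reject", None
    if steps >= 2:
        return "reject", canonical   # keep the canonical form for logging
    # Hand the ORIGINAL text on: singly encoded markup is display text, and
    # pre-decoding it would turn that text into live markup.
    return "sanitize", text
```

An input that mixes percent-encoding and entities side by side also counts as two steps, so the policy errs toward rejecting.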