ESAPI#304 encodeForCSS breaks color values (ESAPI#453)

Author: jackycct

src/main/java/org/owasp/esapi/reference/DefaultEncoder.java

@@ -88,7 +88,7 @@ public static Encoder getInstance() {
 	 */
 	private final static char[]     IMMUNE_HTML = { ',', '.', '-', '_', ' ' };
 	private final static char[] IMMUNE_HTMLATTR = { ',', '.', '-', '_' };
-	private final static char[] IMMUNE_CSS = {};
+	private final static char[] IMMUNE_CSS = { '#' };
 	private final static char[] IMMUNE_JAVASCRIPT = { ',', '.', '_' };
 	private final static char[] IMMUNE_VBSCRIPT = { ',', '.', '_' };
 	private final static char[] IMMUNE_XML = { ',', '.', '-', '_', ' ' };

src/test/java/org/owasp/esapi/reference/EncoderTest.java

@@ -382,10 +382,14 @@ public void testEncodeForCSS() {
         assertEquals(null, instance.encodeForCSS(null));
         assertEquals("\\3c script\\3e ", instance.encodeForCSS("<script>"));
         assertEquals("\\21 \\40 \\24 \\25 \\28 \\29 \\3d \\2b \\7b \\7d \\5b \\5d ", instance.encodeForCSS("!@$%()=+{}[]"));
+        assertEquals("#f00", instance.encodeForCSS("#f00"));
+        assertEquals("#123456", instance.encodeForCSS("#123456"));
+        assertEquals("#abcdef", instance.encodeForCSS("#abcdef"));
+        assertEquals("red", instance.encodeForCSS("red"));
     }
-    
 
-    
+
+
     /**
 	 * Test of encodeForJavaScript method, of class org.owasp.esapi.Encoder.
 	 */