esapi

问题 I'm using ESAPI encryption in Tomcat war application. I want to load the ESAPI.properties file from a directory outside of the war, in order to have a different key and salt to each environment. I also wish that each war will have a different ESAPI.properties file so each application will be individuality configured. According to the documentation of org.owasp.esapi.reference.DefaultSecurityConfiguration there are few ways to achive that. 1) SecurityConfiguration.setResourceDirectory( "C:

问题 I was not able to use the of method present under ESAPI class' java.lang.String getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull) throws ValidationException, IntrusionException Parameters: type - The regular expression name that maps to the actual regular expression from "ESAPI.properties". How to pass parameter type from ESAPI.properties file? Any example to use properties file value from which I can refer? 回答1: Here's an

问题 I am implementing an XSS filter for my web application and also using the ESAPI encoder to sanitise the input. The patterns I am using are as given below, // Script fragments Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE), // src='...' Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), // lonely

问题 One of my REST APIs is expecting a property "url" which expects a URL as input from the user. I am using ESAPI to prevent from XSS attacks. The problem is that the user supplied URL is something like http://example.com/alpha?abc=def&phil=key%3dbdj The cannonicalize method from the ESAPI encoder throws intrusion exception here claiming that the input has mixed encoding, since it is url encoded and the piece '&phi' is treated as HTML encoded and thus the exception. I had a similar problem with

问题 One of my REST APIs is expecting a property "url" which expects a URL as input from the user. I am using ESAPI to prevent from XSS attacks. The problem is that the user supplied URL is something like http://example.com/alpha?abc=def&phil=key%3dbdj The cannonicalize method from the ESAPI encoder throws intrusion exception here claiming that the input has mixed encoding, since it is url encoded and the piece '&phi' is treated as HTML encoded and thus the exception. I had a similar problem with

问题 how could I use ESAPI to check for unsafe input texts in web forms ? My application is built using struts 1.X, so I assume the validations should be added to Actions classes. Any samples / tutorials you recommend ? Thanks. 回答1: For something as specific as that there is not usually going to be great tutorials out. Hopefully I am wrong about this, but I would have to suggest their wiki due to lack of good resources. I was looking to find input validation for you... seems they don't even have

问题 I am trying to populate name text field with already saved value. Now the value can contain apostrophe. But text fields is converting apostrophe to " &#39 ; ". Eg. sdsd'sds ==> sdsd&#39 ;sds escape property for textfield is not working. What should I do? 回答1: You are getting this because of Encoding feature. To avoid this and get exactly same as you want, you have to use HtmlDecode which is available in util package of java. 回答2: You are probably escaping it server-side. Don't. Struts will

问题 I'm having what appears to be a weird class loading issue using ESAPI inside a WAR file deployed to WildFly.8.2.0.Final. Here's the error I'm getting: 09:35:47,383 ERROR [stderr] (default task-12) Caused by: java.lang.reflect.InvocationTargetException 09:35:47,383 ERROR [stderr] (default task-12) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 09:35:47,383 ERROR [stderr] (default task-12) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 09:35:47

问题 We have an application that accepts URLs from users. This data needs validation, and we're using ESAPI for this purpose. However, we're struggling with URLs containing ampersands. The problem appears when ESAPI canonicalizes the data before validation. &pid=123 in the URL turns into πd=123 for example. Since π is not whitelisted, the validation fails. I've tried encoding it, but ESAPI is smarter than that and does canonicalization to avoid double encoding and mixed encoding. I'm a bit stumped

问题 There is an Spring global @ExceptionHandler(Exception.class) method which logs exception like that: @ExceptionHandler(Exception.class) void handleException(Exception ex) { logger.error("Simple error message", ex); ... Veracode scan says that this logging has Improper Output Neutralization for Logs and suggest to use ESAPI logger. Is there any way how to fix this vulnerability without changing logger to ESAPI? This is the only place in code where I faced this issue and I try to figure out how