esapi

问题 I am planing to develop a web application using Spring MVC and trying to figure out which is the best library to use to over come Top 10 OWASP issue. I came to see two HDIV and ESAPI, can any one please help me to understand the difference between them. Thank you for your help. 回答1: First of all I think the approach and scope of both web application security frameworks is different. In some of the aspects they can be also complementary solutions that can be used together. Regarding the

问题 In an earlier question encodeForHtml() vs htmlEditFormat(), how are they different, it seems like the new encodeForHtml() & encodeForURL() functions are superior to htmlEditFormat() & urlFormat() respectively. Should the esapi-based encodeForXXX functions be used in favor of the existing ones? Should the 2 older functions be deprecated? Thank you. 回答1: I have no idea if the two older functions would be deprecated. But I would say that using the new functions would be a good idea, unless you

问题 I've seen reference to using String.replaceAll("",""); as some means for eliminating "blank" or "nonprinting chars" from a string in Java. This is false as the answer will demonstrate. value = value.replaceAll("", ""); 回答1: Using Junit, I test every single Unicode character, from \u0000 to \uffff. @Test public void testReplaceBlanks(){ char input = 0; char escape = '\u0000'; for(char i = 0; i <= 65535; ++i){ input = (char) (escape + i); System.out.print(input); System.out.print(" "); if( i %

问题 How can we implement ESAPI output encoding in an application using java and spring-mvc. Read many posts and saw this: <%@ page import="org.owasp.esapi.*" %> <input type="hidden" name="hidden" value="<%out.print(ESAPI.encoder().encodeForHTML(content));%>"/> But, in my application all the jsps use spring form tags like the following, <td>Number: <form:input path="someNo" size="20" maxlength="18" id="firstfield" onkeypress="return PressAButton('submithidden');"/></td> How can I have ESAPI

问题 I am trying to use OWASP ESAPI library in my Maven Web Project.The problem i am facing is that the controllers are not able to find the ESAPI properties file. I tried putting them in the resources folder ,but it does not work.I can't seem to get it working. Can someone help me with the correct location of ESAPI resources in a Maven Project. 回答1: The class Javadoc for the implementation class, [DefaultSecurityConfiguration] (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp

问题 One of my REST APIs have a query parameter named "partners" which is an List of Integers, so you can specify multiple values in the URL. As a prevention for XSS attacks, I am stripping out malicious content in the input using ESAPI. Here is the problem: I noticed that the ESAPI encoder cannonicalize method (which uses the default codecs: HTMLEntityCodec,PercentCodec,JavaScriptCodec), changes the query parameter values, because it thinks that &p or &pa is some kind of encoding. See examples

问题 Getting the following error when trying to do encoding for HTML in java 1.8, for java 1.6 it is working fine. Please help in resolving the same. Thanks in advance. hQuery.setParameter(ServiceConstants.PROX_DESC, ESAPI.encoder().decodeForHTML(object.getMethodName())); org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception. 12:43:21,842 ERROR [com.ge.trans.pp.services.manageGeofence

问题 I am new to ESAPI and I have added esapi-2.0.1 jar to my Android app,was able to call any of the ESAPI methods.However, I am getting Caused by: java.lang.IllegalArgumentException: Failed to load ESAPI.properties as a classloader resource Error.My concern is it possible to use ESAPI for any android apps and if Yes then where to locate ESAPI.properties in an App. Any help would be appreciated. PS:This is my first question on stackoverflow.com pardon me if I did not follow any of the rules .

问题 I am using ESAPI logger in my application. Logger logger= ESAPI.getLogger(ABC.class) In class ABC.java, we are using INFO level to print logs. By definition we know, Info accepts: Two args: info(Logger.EventType type, java.lang.String message) Three args: info(Logger.EventType type, java.lang.String message, java.lang.Throwable throwable) I have provided two arguments in my application: logger.info(EVENT_TYPE,msg); Logs are generating in the format: [EVENT SUCCESS Anonymus:null@unknown-> /com

问题 I have been playing around with the OWASP ESAPI utilities that are included with ColdFusion 9. ColdFusion's Builtin Enterprise Security API. The encoder utilities are pretty straight forward and I believe I have them working fine. My problem is with the validator utilities. I can get them to work singly . That is, if I call the validator.getValidInput() method with "invalid" data it will throw an error that I can catch. However, when I try to call the validator method in batch I get a null