esapi

I'm having what appears to be a weird class loading issue using ESAPI inside a WAR file deployed to WildFly.8.2.0.Final. Here's the error I'm getting: 09:35:47,383 ERROR [stderr] (default task-12) Caused by: java.lang.reflect.InvocationTargetException 09:35:47,383 ERROR [stderr] (default task-12) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 09:35:47,383 ERROR [stderr] (default task-12) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 09:35:47,383 ERROR [stderr] (default task-12) at sun.reflect.DelegatingMethodAccessorImpl.invoke

We have an application that accepts URLs from users. This data needs validation, and we're using ESAPI for this purpose. However, we're struggling with URLs containing ampersands. The problem appears when ESAPI canonicalizes the data before validation. &pid=123 in the URL turns into πd=123 for example. Since π is not whitelisted, the validation fails. I've tried encoding it, but ESAPI is smarter than that and does canonicalization to avoid double encoding and mixed encoding. I'm a bit stumped here and I'm not sure how to proceed. avgvstvs This problem is a known bug in ESAPI. I started working

I hope someone could help me with some issue. I'm using OWASP ESAPI 2.1.0 with JavaEE, to help me to validate some entries in a web application. At some point I needed to validate a Windows file path, so I added a new property entry in the 'validation.properties' like this one: Validator.PathFile=^([a-zA-Z]:)?(\\\\[\\w. -]+)+$ When I try to validate, for example, a string like "C:\TEMP\file.txt" via ESAPI, I get a ValidationException: ESAPI.validator().getValidInput("PathFile", "C:\\TEMP\\file.txt", "PathFile", 100, false); Alternatively, I also tried the java.util.regex.Pattern class to test

可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试): 问题: I was not able to use the of method present under ESAPI class' java.lang.String getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull) throws ValidationException, IntrusionException Parameters: type - The regular expression name that maps to the actual regular expression from "ESAPI.properties". How to pass parameter type from ESAPI.properties file? Any example to use properties file value from which I can refer? 回答1: Here's an example call where I'm validating the "to"

I am implementing an XSS filter for my web application and also using the ESAPI encoder to sanitise the input. The patterns I am using are as given below, // Script fragments Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE), // src='...' Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), // lonely script tags Pattern.compile("</script>", Pattern.CASE_INSENSITIVE), Pattern.compile("<script(.*?)>",

One of my REST APIs is expecting a property "url" which expects a URL as input from the user. I am using ESAPI to prevent from XSS attacks. The problem is that the user supplied URL is something like http://example.com/alpha?abc=def&phil=key%3dbdj The cannonicalize method from the ESAPI encoder throws intrusion exception here claiming that the input has mixed encoding, since it is url encoded and the piece '&phi' is treated as HTML encoded and thus the exception. I had a similar problem with sanitizing one of my application urls where the second query parameter started with 'pa' or 'pi' and

I am working on fixing Cross site scripting issues in our code mainly in JSPS. Below is the original code //scriplet code <% String userId = request.getParameter("sid"); ...%> and in the same Jsp they have <input type = hidden name = "userID" value = "<%= userId %>" /> I have made changes to include esapi-2.1.0.jar in lib and ESAPI.properties, validation.properties in classpath. Then made below changes to scriplet code to fix the above code //scriplet code <% String userId = ESAPI.encoder().encodeForHTML(request.getParameter("sid")); ...%> I thought this would fix the issue but when I scan my