esapi

ESAPI for XSS prevention not working

二次信任 posted on 2019-11-29 05:37:12
Question: I am working on fixing cross-site scripting issues in our code, mainly in JSPs. Below is the original code:
//scriptlet code
<% String userId = request.getParameter("sid"); ...%>
and in the same JSP they have
<input type = hidden name = "userID" value = "<%= userId %>" />
I have made changes to include esapi-2.1.0.jar in lib and ESAPI.properties, validation.properties in the classpath. Then I made the changes below to the scriptlet code to fix the above code:
//scriptlet code
<% String userId = ESAPI.encoder()

encodeForHtml() vs htmlEditFormat()

怎甘沉沦 posted on 2019-11-28 13:28:44
encodeForHtml() (new in CF10) vs htmlEditFormat(), how are they different? I think it is the same as the encodeForHTML function in Java's OWASP ESAPI. More secure for avoiding XSS attacks when using content in HTML.
<cfsavecontent variable="htmlcontent">
<html>
<head>
<script>function hello() {alert('hello')}</script>
</head>
<body>
<a href="#bookmark">Book Mark & Anchor</a><br/>
<div class="xyz">Div contains & here.</div>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&

Trying to Use ESAPI But getting Error

荒凉一梦 posted on 2019-11-27 22:04:44
I am trying to use ESAPI.jar for providing security to my web application. Basically I have just started using ESAPI.jar. But the problem is I am not able to run even a simple program using ESAPI. The small code snippet is:
String clean = ESAPI.encoder().canonicalize("someString");
Randomizer r = ESAPI.randomizer();
System.out.println(r);
System.out.println(clean);
I get this error:
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: D:\Eclipse-Workspace\Test\ESAPI

encodeForHtml() vs htmlEditFormat()

耗尽温柔 posted on 2019-11-27 07:41:56
Question: encodeForHtml() (new in CF10) vs htmlEditFormat(), how are they different?
Answer 1: I think it is the same as the encodeForHTML function in Java's OWASP ESAPI. More secure for avoiding XSS attacks when using content in HTML.
<cfsavecontent variable="htmlcontent">
<html>
<head>
<script>function hello() {alert('hello')}</script>
</head>
<body>
<a href="#bookmark">Book Mark & Anchor</a><br/>
<div class="xyz">Div contains & here.</div>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&

Trying to Use ESAPI But getting Error

泄露秘密 posted on 2019-11-26 20:53:50
Question: I am trying to use ESAPI.jar for providing security to my web application. Basically I have just started using ESAPI.jar. But the problem is I am not able to run even a simple program using ESAPI. The small code snippet is:
String clean = ESAPI.encoder().canonicalize("someString");
Randomizer r = ESAPI.randomizer();
System.out.println(r);
System.out.println(clean);
I get this error:
Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.