[Esapi-dev] servlet 2.3 support?
Ed Schaller
schallee at darkmist.net
Sat Jan 30 15:03:10 EST 2010
Mungo Carstairs is trying to use esapi 1.4 with WAS 5.1. WAS 5.1 uses
java 1.4, servlet 2.3 and JSP 1.2 while esapi 1.4 uses 2.4 with JSP 2.0.

I took a look at what would be needed to support 2.3 and it is
surprisingly minor. There are issues with tag libs, safe request and
safe response.

For taglibs, exceptions are being thrown with causes in the
constructor. This wasn't available for JSPException previously but is
easily worked around with initCause. The esapi.tld won't work in JSP 1.2
and converting it to 1.2 would require removal of EL methods which I don't
think we should do. That being said, it would be trivial to provide an
extra tld for 1.2 that provides the tags and would require no code change.

There are several methods in SafeRequest that are only part of the 2.3
spec. Currently, none of these do anything but delegate to the wrapped
request. As SafeRequest is now a subclass of HttpServletRequestWrapper,
these could just be removed and handled by the super class.

SafeResponse is similar except for setCharacterEncoding(String)
which overrides the call with the parameter with the value from the
properties. (This seems a bit odd to me as usually folks calling this are
doing it for a reason or trying to protect against UTF-7 auto detection
by IE and such. Even odder is that there is no similar logic to override
someone setting the character encoding in setContentType(String) so
the usefulness of overriding setCharacterEncoding(String) is certainly
lower.) This could be worked around at least for binary compatibility
(source compatibility would require reflection...or a preprocessor...) or
just removed.

I'm happy to make these changes but I think deciding to support 2.3 is
worth discussing first. Thoughts?

>>>------>
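
An added example, not part of the original message and not ESAPI code: a response wrapper limited to Servlet 2.3 / Java 1.4 APIs that closes the gap the message points out, by pinning the charset in setContentType(String) and in raw Content-Type headers. The class name PinnedCharsetResponse, the pinCharset helper and the configured charset value are assumptions.

```java
import java.util.Locale;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical class, not ESAPI's SafeResponse. Only Servlet 2.3 / Java 1.4
// APIs are used: no @Override, no generics, no setCharacterEncoding(String).
public class PinnedCharsetResponse extends HttpServletResponseWrapper {
    private final String charset; // assumed to be read from configuration

    public PinnedCharsetResponse(HttpServletResponse response, String charset) {
        super(response);
        this.charset = charset;
    }

    // Drops any caller-supplied charset parameter and appends the pinned one.
    // Simplification: splits on ';' and does not handle quoted parameter values.
    static String pinCharset(String contentType, String charset) {
        if (contentType == null) {
            return null;
        }
        String[] parts = contentType.split(";", -1);
        StringBuffer out = new StringBuffer(parts[0].trim());
        for (int i = 1; i < parts.length; i++) {
            String param = parts[i].trim();
            int eq = param.indexOf('=');
            String name = (eq < 0 ? param : param.substring(0, eq)).trim();
            if (param.length() > 0 && !"charset".equals(name.toLowerCase(Locale.ENGLISH))) {
                out.append("; ").append(param);
            }
        }
        return out.append("; charset=").append(charset).toString();
    }

    // setContentType(String) exists in Servlet 2.3, so the pin works there too.
    public void setContentType(String type) {
        super.setContentType(pinCharset(type, charset));
    }

    // A Content-Type set as a raw header must not bypass the pin.
    public void setHeader(String name, String value) {
        if ("Content-Type".equalsIgnoreCase(name)) setContentType(value);
        else super.setHeader(name, value);
    }

    public void addHeader(String name, String value) {
        if ("Content-Type".equalsIgnoreCase(name)) setContentType(value);
        else super.addHeader(name, value);
    }
}
```

With a pinned charset of UTF-8, a call such as setContentType("text/html; charset=UTF-7") reaches the container as "text/html; charset=UTF-8".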