[Esapi-dev] Validate cannonicalization options
Jeff Williams
jeff.williams at aspectsecurity.com
Fri Sep 3 22:09:22 EDT 2010
I took a look and I *guess* I can live with the new signatures. I hope
developers don't disable canonicalization after their first error.
What does the javadoc comment "Only URL encoding is supported" mean? I
think the default encoder supports html encoding, URL encoding, and
javascript escaping.
--Jeff
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Friday, September 03, 2010 7:30 PM
To: esapi-user at lists.owasp.org; 'ESAPI-Developers'
Subject: [Esapi-dev] Validate cannonicalization options
Hello Folks,
I added 3 new functions to the ESAPI 2.0 Validator interface adding the
ability to disable canonicalization - these are implemented in the
reference implementation as well. (svn checkin 1512 and 1513)
boolean isValidInput(String context, String input, String type,
    int maxLength, boolean allowNull, boolean canonicalize)
    throws IntrusionException;

String getValidInput(String context, String input, String type,
    int maxLength, boolean allowNull, boolean canonicalize)
    throws ValidationException, IntrusionException;

String getValidInput(String context, String input, String type,
    int maxLength, boolean allowNull, boolean canonicalize,
    ValidationErrorList errorList) throws IntrusionException;
I also *disabled* canonicalization for getSafeHTML by default, since it
breaks HTML. (svn checkin 1514)
Acceptable? I'd like to push this for 2.0 rc8
- Jim
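As an added illustration (not ESAPI's code and not from either message), a minimal Java stand-in for the canonicalize flag in the signatures above: a whitelist check that either canonicalizes URL encoding first, rejecting multiply-encoded input the way ESAPI reports an intrusion, or checks the raw value, plus a tiny entity decoder showing why canonicalizing HTML changes its meaning. The NAME pattern, decodeEntities and the use of IllegalArgumentException in place of IntrusionException are hypothetical.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Illustrative stand-in for the canonicalize flag discussed above; not ESAPI's implementation.
public class CanonicalizeDemo {
    // Hypothetical "Name" whitelist: letters, space, apostrophe, hyphen.
    static final Pattern NAME = Pattern.compile("^[A-Za-z '\\-]{1,64}$");

    // URL-decode until the value stops changing. A change on the second pass means the
    // input was encoded more than once; IllegalArgumentException stands in for ESAPI's
    // IntrusionException here (URLDecoder also throws it for malformed escapes like "%zz").
    static String canonicalizeUrl(String input) {
        String current = input;
        for (int pass = 0; ; pass++) {
            String decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
            if (decoded.equals(current)) return current;
            if (pass == 1) throw new IllegalArgumentException("multiple encoding: " + input);
            current = decoded;
        }
    }

    // Same shape as isValidInput(..., boolean canonicalize) above: the whitelist is applied
    // to the canonical form when the flag is set, otherwise to the raw value as received.
    static boolean isValidInput(String input, boolean canonicalize) {
        String checked = canonicalize ? canonicalizeUrl(input) : input;
        return NAME.matcher(checked).matches();
    }

    // Minimal HTML entity decoding, enough to show why canonicalizing HTML changes its meaning.
    static String decodeEntities(String html) {
        return html.replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&");
    }

    public static void main(String[] args) {
        // Constructed inputs.
        System.out.println(isValidInput("Jane%20Doe", true));    // whitelist sees "Jane Doe"
        System.out.println(isValidInput("Jane%20Doe", false));   // whitelist sees the raw '%'
        try {
            isValidInput("Jane%2520Doe", true);                  // double-encoded input
        } catch (IllegalArgumentException intrusion) {
            System.out.println(intrusion.getMessage());
        }
        System.out.println(isValidInput("Jane%2520Doe", false)); // rejected by the regex only; nothing flags the double encoding
        // Why getSafeHTML no longer canonicalizes by default: entities the author escaped on
        // purpose turn back into markup before the HTML policy ever sees them.
        System.out.println(decodeEntities("Use &lt;b&gt; for bold, Tom &amp; Jerry"));
    }
}
```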