[Owasp-esapi-c++] Logger (C++ XML Library)

Kevin W. Wall kevin.w.wall at gmail.com
Tue Aug 16 14:11:58 EDT 2011

Adding Chris Schmidt onto this thread. (Chris: Note this is also posted
to the ESAPI C++ mailing list, which requires you to sign up to post.)

On Tue, Aug 16, 2011 at 1:54 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Tue, Aug 16, 2011 at 1:33 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>> What do you plan on using it [XML parser] for? Some of the encoders?
> Reading properties.

The ESAPI 2.0 Java version uses Java properties files for it's properties.
I know there was discussion on the ESAPI-Dev list about switching to
an XML format, but there was a bit of resistance associated with that.
I personally have mixed feelings about it.

Perhaps Chris can share his vision for the format of ESAPI properties
for future releases of ESAPI for Java. Chris, do you see us sticking with
Java properties format or moving to an XML format, and if the later, how
soon (e.g., 2.1, later?) ???

I think if ESAPI for Java plans on sticking with a Java properties format for
ESAPI configurable properties, then we ought to use the same thing in
ESAPI C++. If they plan on moving to XML in the next release, well, I'm
open to be convinced that we should do the same. Personally, I think that
implementing a Java properties format would be much easier than implementing
an XML format even if we had an XML parser selected. And using a Java
properties format would do so w/out pulling in a dependency on an XML
library. (For ESAPI for Java, IIRC, there were other places XML was used;
for example, I think it was required by AntiSamy which ESAPI 2.0 used.)

Anyhow, that's my $.02 on the matter.
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein

More information about the Owasp-esapi-c++ mailing list