[OWASP-ESAPI] Comments on ESAPI
Rohit Lists
rklists at gmail.com
Mon Jul 14 19:25:06 EDT 2008
Hello ESAPI developers,
I wanted to thank you for the effort you are putting into this
framework. I think ESAPI is an excellent idea and is very much needed.
After going through the code and documentation, I had a few comments that
I think might help:
1. Can we update the JavaDoc currently at
http://owasp-esapi-java.googlecode.com/svn/trunk/javadoc/index.html?
If people start using ESAPI as a true API, they'll be relying heavily
on the JavaDoc.
I noticed a few things are out-of-sync, e.g. the JavaDoc talks about an
Encoder interface and a DefaultEncoder reference implementation, while
the code has an IEncoder interface and an Encoder reference implementation.
2. I imagine many organizations will be using only some rather than
all parts of ESAPI. To that end, it would make sense to have a
graph or list of dependencies (e.g. EncryptedProperties relies on
Encryptor). I can work on putting this together if you'd like.
3. With respect to Encode methods such as encodeForHTML(), instead of
explicitly defining alphanumeric characters in arrays, I wonder if it
makes more sense to use the Character class isLetter(), isDigit(), or
isLetterOrDigit() calls
(http://java.sun.com/j2se/1.4.2/docs/api/java/lang/Character.html#isLetterOrDigit(char)).
The reason I say this is that these methods support several
character sets (not just ISO-LATIN-1), which will help improve
adoption in applications that support other languages. Note that these
methods are already being used in EncodedCharacter.getEncoded().
4. For encodeForSQL, the parameter string might still be
vulnerable to numeric field injection (1 OR 1=1). While I think the
idea of making an RDBMS-specific implementation is a great idea, I wonder if in
the meantime we can provide an encodeForSQLNumeric function that simply
ensures each character is numeric?
5. Are there plans to implement Bugzilla or some other bug tracking
mechanism so that missing/incomplete features can be assigned to
specific owners and tracked? I noticed there are a lot of statements
like "// FIXME: look up rules" which may get lost if people aren't
looking at specific files.
Cheers,
--
Rohit Sethi
Security Compass
http://www.securitycompass.com
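The following Java sketch is an added illustration of the two API suggestions in items 3 and 4 of the message above (a whitelist encoder driven by Character.isLetterOrDigit(), and a numeric-only check for SQL parameters). It is not ESAPI code and not the author's; the class name EncoderIdeas and both method names are assumed for the example.

```java
/**
 * Added illustration, not part of ESAPI. Class and method names are
 * assumptions made for this example.
 */
public final class EncoderIdeas {

    /**
     * Item 3: instead of a hard-coded ASCII alphanumeric array, classify
     * each character with Character.isLetterOrDigit(), which understands
     * Unicode letters and digits (accented Latin, CJK, etc.). Everything
     * else is emitted as a decimal HTML entity, so HTML-significant
     * characters such as '<', '>', '"', '\'' and '&' are always encoded.
     *
     * Works on code points rather than chars so that supplementary
     * characters (outside the BMP) are not split into two surrogate halves.
     */
    public static String encodeForHTML(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length());
        int i = 0;
        while (i < input.length()) {
            int cp = input.codePointAt(i);
            if (Character.isLetterOrDigit(cp) || cp == ' ') {
                out.appendCodePoint(cp);          // whitelisted: pass through
            } else {
                out.append("&#").append(cp).append(';'); // encode everything else
            }
            i += Character.charCount(cp);         // advance 1 or 2 chars
        }
        return out.toString();
    }

    /**
     * Item 4: an unquoted numeric SQL field cannot be protected by quote
     * escaping, so the only safe "encoding" is to reject anything that is
     * not a number. Accepts an optional leading '-' followed by ASCII
     * digits only. Character.isDigit() is deliberately NOT used here: it
     * also accepts non-ASCII digits (e.g. Arabic-Indic), which a database
     * will not parse as a number.
     */
    public static String encodeForSQLNumeric(String input) {
        if (input == null || input.isEmpty()) {
            throw new IllegalArgumentException("empty numeric parameter");
        }
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            boolean isDigit = c >= '0' && c <= '9';
            boolean isLeadingMinus = i == 0 && c == '-' && input.length() > 1;
            if (!isDigit && !isLeadingMinus) {
                throw new IllegalArgumentException(
                        "non-numeric character at index " + i);
            }
        }
        return input;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(encodeForHTML("<script>alert('x')</script> Caf\u00e9 \u65e5\u672c"));
        System.out.println(encodeForSQLNumeric("42"));
        System.out.println(encodeForSQLNumeric("-7"));
        try {
            encodeForSQLNumeric("1 OR 1=1");     // the injection case from item 4
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the first method the whitelist is the Unicode letter/digit class, so non-Latin text survives unencoded while every markup character is entity-encoded; in the second, a value such as "1 OR 1=1" is rejected outright rather than escaped, since there are no quotes to escape in a numeric context. Either check is a defence-in-depth measure; parameterised queries remain the primary mitigation for the numeric-field case.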