[OWASP-ESAPI] .NET ESAPI Synchronization Effort
Jeff Williams
jeff.williams at owasp.org
Wed Jul 23 14:39:09 EDT 2008
Hi Alex,
I think those are the major changes, although there have been some minor
tweaks here and there. The Encoder definitely has the biggest changes. The
new architecture allows us to add new encoding schemes easily, canonicalize
with different sets of codecs, and simplifies the parsing significantly.
There is one outstanding problem with the Encoder - it does not handle
"nested encoding", such as < or %%33c - both of which decode to less
than. As far as I know, there is no other canonicalization library that
handles common HTML encoding formats. And you can't effectively validate
without canonicalizing! ESAPI can canonicalize normal encodings as well as
double encoding, multiple encoding schemes, AND double-encoding with
multiple schemes. We'll be adding nested encoding soon.
We've been focused on getting to a release quality library. It will be easy
to update the test application once we get there.
Also, Jerry has voiced an interest in helping out with the .NET ESAPI
project. This sounds like a great opportunity to get him involved. Can you
all work out the best things to work on?
Thanks,
--Jeff
-----Original Message-----
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Alex Smolen
Sent: Wednesday, July 23, 2008 1:46 PM
To: owasp-esapi
Subject: [OWASP-ESAPI] .NET ESAPI Synchronization Effort
I'm looking to update the .NET ESAPI and was taking a look at the
ESAPI changes in the last month or so.
I've noticed a few sweeping changes
-The interfaces have been renamed and moved to the base package.
-The reference implementation has been renamed and moved to a reference
package. Some significant changes to logging functionality, encoding.
-There is a new codes package
-There is a new tags package
Is there anything major I'm missing? I'm planning on synching the
architectural changes and then going through file by file and diff'ing
the Java source for updates since May 1 to see what could be updated
in .NET.
Also, the testapp hasn't been updated. Is this part of the project
being left out intentionally?
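Jeff's point above (that validation is only meaningful on the canonical form, and that a canonicalizer has to cope with double, mixed and nested encodings such as %%33c) is illustrated by the following added Python example. It is a minimal stand-in written for this note, not ESAPI's Encoder; it decodes each codec repeatedly until the value stops changing, and the policy of rejecting more than one encoding layer is this example's own assumption.

```python
import re
from html import unescape

# Constructed illustration: run every decoder until the value stops changing
# and record how often each codec fired. Not ESAPI code.

def percent_decode(s: str) -> str:
    # Decode one %XX layer; a '%' not followed by two hex digits passes through,
    # which is what lets the nested "%%33c" collapse over two passes (-> "%3c" -> "<").
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

CODECS = {"percent": percent_decode, "html": unescape}

def canonicalize(value: str, max_passes: int = 8):
    """Return (canonical_value, fired); fired counts the passes in which each codec
    changed the input, e.g. {"percent": 2, "html": 0} for double percent-encoding."""
    fired = {name: 0 for name in CODECS}
    current = value
    for _ in range(max_passes):
        changed = False
        for name, decode in CODECS.items():
            decoded = decode(current)
            if decoded != current:
                fired[name] += 1
                current, changed = decoded, True
        if not changed:
            return current, fired
    raise ValueError("too many encoding layers")  # refuse pathological input

def classify(fired) -> str:
    """Label what was found: plain, single, double, mixed+single or mixed+double."""
    used = [name for name, count in fired.items() if count]
    if not used:
        return "plain"
    layers = "double" if max(fired.values()) > 1 else "single"
    return f"mixed+{layers}" if len(used) > 1 else layers

def validate(value: str, allowed: str) -> bool:
    """Validate the canonical form only. Anything beyond one encoding layer is
    rejected outright (this example's own policy, not a statement about ESAPI)."""
    canonical, fired = canonicalize(value)
    if classify(fired) not in ("plain", "single"):
        return False
    return re.fullmatch(allowed, canonical) is not None

if __name__ == "__main__":
    for sample in ["%3C", "%253C", "&amp;lt;", "%26lt%3B", "%%33c"]:
        canonical, fired = canonicalize(sample)
        print(f"{sample:10} -> {canonical!r:6} {classify(fired)}")
```

Every sample above decodes to `<`, but only the first is a single layer; the others are the double, mixed and nested forms the thread discusses.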