[OWASP-ESAPI] .NET ESAPI Synchronization Effort
Andrew van der Stock
vanderaj at owasp.org
Wed Jul 23 17:50:08 EDT 2008
I will re-import the Java and test files for the PHP effort.
Hopefully, the exceptions and interfaces will not have changed too
dramatically.
thanks,
Andrew
On Jul 23, 2008, at 2:39 PM, Jeff Williams wrote:
> Hi Alex,
>
> I think those are the major changes, although there have been some minor
> tweaks here and there. The Encoder definitely has the biggest changes. The
> new architecture allows us to add new encoding schemes easily, canonicalize
> with different sets of codecs, and simplifies the parsing significantly.
>
> There is one outstanding problem with the Encoder - it does not handle
> "nested encoding", such as < or %%33c - both of which decode to less
> than. As far as I know, there is no other canonicalization library that
> handles common HTML encoding formats. And you can't effectively validate
> without canonicalizing! ESAPI can canonicalize normal encodings as well as
> double encoding, multiple encoding schemes, AND double-encoding with
> multiple schemes. We'll be adding nested encoding soon.
>
> We've been focused on getting to a release quality library. It will be easy
> to update the test application once we get there.
>
> Also, Jerry has voiced an interest in helping out with the .NET ESAPI
> project. This sounds like a great opportunity to get him involved. Can you
> all work out the best things to work on?
>
> Thanks,
>
> --Jeff
>
> -----Original Message-----
> From: owasp-esapi-bounces at lists.owasp.org
> [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Alex Smolen
> Sent: Wednesday, July 23, 2008 1:46 PM
> To: owasp-esapi
> Subject: [OWASP-ESAPI] .NET ESAPI Synchronization Effort
>
> I'm looking to update the .NET ESAPI and was taking a look at the
> ESAPI changes in the last month or so.
>
> I've noticed a few sweeping changes
>
> -The interfaces have been renamed and moved to the base package.
>
> -The reference implementation has been renamed and moved to a reference
> package. Some significant changes to logging functionality, encoding.
>
> -There is a new codes package
>
> -There is a new tags package
>
> Is there anything major I'm missing? I'm planning on synching the
> architectural changes and then going through file by file and diff'ing
> the Java source for updates since May 1 to see what could be updated
> in .NET.
>
> Also, the testapp hasn't been updated. Is this part of the project
> being left out intentionally?
>
>
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
thanks,
Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10
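To make the terms in Jeff's quoted message concrete (double encoding, multiple schemes, and the "nested" case %%33c), here is a small stand-alone canonicalizer added to this archive page. It is illustrative code, not ESAPI's Encoder; the codec set, the lenient handling of a stray '%', and the sample inputs are all assumptions made here.

```python
import html
import re

# Two toy codecs: percent-encoding and HTML entities. A '%' that is not
# followed by two hex digits is deliberately left in place (lenient mode).
PERCENT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
ENTITY_RE = re.compile(r"&(#x[0-9A-Fa-f]+|#[0-9]+|[A-Za-z]+);")


def percent_decode(s):
    return PERCENT_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def entity_decode(s):
    # Only complete, semicolon-terminated entities are decoded.
    return ENTITY_RE.sub(lambda m: html.unescape(m.group(0)), s)


CODECS = {"percent": percent_decode, "html": entity_decode}


def canonicalize(s, max_passes=10):
    """Run every codec until the string stops changing.

    Returns (canonical, passes_per_codec). A codec firing more than once is
    double encoding; two codecs firing is mixed (multiple-scheme) encoding.
    """
    passes = {name: 0 for name in CODECS}
    for _ in range(max_passes):
        changed = False
        for name, decode in CODECS.items():
            out = decode(s)
            if out != s:
                passes[name] += 1
                s, changed = out, True
        if not changed:
            return s, passes
    raise ValueError("input did not converge; treat as hostile")


def classify(s):
    """Return the canonical form plus a label a validator can act on."""
    canonical, passes = canonicalize(s)
    used = [name for name, n in passes.items() if n]
    if not used:
        kind = "plain"
    elif len(used) > 1:
        kind = "mixed"
    elif passes[used[0]] > 1:
        kind = "double"
    else:
        kind = "single"
    return canonical, kind
```

The nested form %%33c only resolves because the lenient decoder leaves the leading '%' alone, turns the inner %33 into '3' to give %3c, and then needs a second pass, so it is reported as "double"; a strict decoder that rejects a malformed '%' would stop at the first pass, which is the gap Jeff describes.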