[Esapi-dev] I have a problem in using ESAPI for JAVA

Kevin W. Wall kevin.w.wall at gmail.com
Wed Feb 22 05:48:04 UTC 2017


Gary,

I concur with Dave about using the Java Encoder Project, especially if all
you intend to use is ESAPI's Encoder. I've given advice about that here:
<https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Should_I_use_ESAPI_3F>
Given that I'm the ESAPI project co-lead, you might think I'd be more
inclined to recommend ESAPI, but I don't, except in rare cases. As a believer
in AppSec, I think it's more important for you to pick the right framework
for the job rather than just grabbing ESAPI, which is what most people
expect me to recommend.

However, having said that, the most important part about preventing XSS is
using the _proper_ output encoders required for your specific context,
which of course is likely to vary depending on where in the code you need
to do output encoding.

I do secure code reviews for a living, and one of the most common mistakes I
see developers making is that they try to use a single encoding mechanism
(say Encoder.encodeForHTML() or JSTL's <c:out> tag, for example) for all
cases. That's one reason that I also refer those developers to the OWASP
XSS Prevention Cheat Sheet
<https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>.
I highly recommend that your developers read and understand that first,
before just grabbing some output encoder.

Best regards,
-kevin

On Tue, Feb 21, 2017 at 3:21 PM, Dave Wichers <dave.wichers at owasp.org>
wrote:

> Totally agree with this response, especially if all you need is the
> encoder from ESAPI. The OWASP Java encoder is much lighter weight (no
> dependencies) AND fixes the issue you are concerned about.
>
> -Dave
>
>
> On Tue, Feb 21, 2017 at 3:47 AM, Olivier Jaquemet <olivier.jaquemet at jalios.com> wrote:
>
>> Hi Gary,
>>
>> This is a bug (limitation...) of the ESAPI HTML/XML encoder, which does not
>> properly handle Unicode characters encoded as surrogate pairs.
>> I had previously reported this issue in this thread:
>> https://lists.owasp.org/pipermail/esapi-dev/2015-May/002549.html
>>
>> Solution: ditch OWASP ESAPI for this encoding purpose and instead use the
>> OWASP Java Encoder, which is working perfectly:
>> https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
>> Olivier
>>
>>
>> On 21/02/2017 09:34, Gary wrote:
>>
>> Hi, I am a security engineer in an IT company in China. Recently we
>> are trying to use ESAPI for Java in our Java web project to prevent XSS
>> attacks. But we met a problem when using it. We use the method
>> "encodeForHTML" in the filter to encode all the inputs from the web page,
>> and it also encodes Chinese, which is legal input. It really makes us
>> confused. Is there any solution for this situation?
>> I am looking forward to hearing your reply. Thank you.
>>
>> _______________________________________________
>> Esapi-dev mailing list
>> Esapi-dev at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-dev


-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
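As an added illustration of the two points made in this thread (encode at output time for the specific context rather than blanket-encoding input in a filter, and use an encoder that leaves legal non-ASCII text such as Chinese untouched), here is a small example built on the OWASP Java Encoder. This is example code written for this page, not code from the thread, from ESAPI or from the Java Encoder project; it assumes the `org.owasp.encoder:encoder` artifact is on the classpath, and the sample strings (a Chinese greeting, one character outside the Basic Multilingual Plane, and a typical XSS probe) are constructed for the demonstration.

```java
import org.owasp.encoder.Encode;

/**
 * Added example (not from the thread): context-specific output encoding with
 * the OWASP Java Encoder. Assumes org.owasp.encoder:encoder is on the classpath.
 *
 * The encoding happens where the value is written into a page, and the
 * encoder chosen matches that spot (HTML body, attribute, JavaScript string,
 * URL query). The raw value is stored and passed around unencoded; nothing
 * here is done in a request filter.
 */
public class ContextEncodingDemo {

    // Constructed samples: legitimate Chinese text, a CJK character outside
    // the BMP (U+2000B, which Java stores as a UTF-16 surrogate pair), and an
    // XSS probe that must be neutralised in every context.
    static final String CHINESE = "你好，世界";
    static final String SUPPLEMENTARY = "\uD840\uDC0B"; // U+2000B as a surrogate pair
    static final String PROBE = "<script>alert('xss')</script>";

    /** Value placed in HTML element content, e.g. between <div> tags. */
    static String renderHtmlBody(String userValue) {
        return "<div>" + Encode.forHtml(userValue) + "</div>";
    }

    /** Value placed in a quoted HTML attribute. */
    static String renderAttribute(String userValue) {
        return "<input value=\"" + Encode.forHtmlAttribute(userValue) + "\">";
    }

    /** Value placed inside a quoted JavaScript string literal. */
    static String renderScriptLiteral(String userValue) {
        return "<script>var name = '" + Encode.forJavaScript(userValue) + "';</script>";
    }

    /** Value placed in a URL query parameter. */
    static String renderUrlQuery(String userValue) {
        return "/search?q=" + Encode.forUriComponent(userValue);
    }

    /**
     * Check that the encoder passed legal text through unchanged, comparing
     * by code point so that a mangled surrogate pair is detected even when
     * the char count happens to match.
     */
    static boolean preservesText(String original, String encoded) {
        if (!original.equals(encoded)) {
            return false;
        }
        return original.codePointCount(0, original.length())
            == encoded.codePointCount(0, encoded.length());
    }

    public static void main(String[] args) {
        // Legal non-ASCII input, including the supplementary character, should
        // come back byte-for-byte from the HTML encoder; only markup-significant
        // characters are turned into entities.
        System.out.println("Chinese preserved: "
            + preservesText(CHINESE, Encode.forHtml(CHINESE)));
        System.out.println("Surrogate pair preserved: "
            + preservesText(SUPPLEMENTARY, Encode.forHtml(SUPPLEMENTARY)));

        // The same probe is encoded differently per context. Reusing the HTML
        // body encoder inside a <script> block or a URL would be the single
        // encoder mistake described in the thread.
        System.out.println(renderHtmlBody(PROBE));
        System.out.println(renderAttribute(PROBE));
        System.out.println(renderScriptLiteral(PROBE));
        System.out.println(renderUrlQuery(PROBE));
    }
}
```

Compile with the encoder jar on the classpath and run the class; if the Java Encoder behaves as Olivier describes, `preservesText` reports true for both the Chinese sample and the surrogate pair, while the four render methods print four different encodings of the same probe. The same `preservesText` check can be pointed at `ESAPI.encoder().encodeForHTML(...)` to confirm whether a given ESAPI build exhibits the surrogate-pair problem Gary hit.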