[Esapi-user] sanitiseAlpha20, sanitiseDate, sanitiseNo

Chris Schmidt chrisisbeef at gmail.com
Thu Aug 12 18:12:36 EDT 2010


I also had to bypass esapi to use antisamy directly with a custom policy. It would be nice if there was an API to strictly sanitize input based on a specified antisamy policy. I already have an API for this in the works so I will shoot out details a little later

Sent from my iPwn

On Aug 12, 2010, at 3:36 PM, "Jim Manico" <jim.manico at owasp.org> wrote:

> This is on our immediate roadmap. 
> 
> As soon as 2.0 is final (if not sooner), we are going to start breaking
> ESAPI into smaller pieces (how is still being debated) as well as attempt to
> reduce 3rd party dependencies. I'll keep the lists posted on this next wave
> of effort.
> 
> - Jim
> 
> -----Original Message-----
> From: esapi-user-bounces at lists.owasp.org
> [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Yiannis Pavlosoglou
> Sent: Monday, August 09, 2010 5:32 AM
> To: ESAPI-Developers; ESAPI-Users
> Subject: [Esapi-user] sanitiseAlpha20, sanitiseDate, sanitiseNo
> 
> Hi all,
> 
> Without wanting to steal Kevin's previous thread, on what ESAPI can do
> going forward, I have been getting some feedback on a thread posted
> not too long ago. The feedback comes from folks in the trenches, so to
> speak, i.e. "Yiannis, I need 50 lines of code that drop what should not
> be there". The original thread:
> 
> http://www.webappsec.org/lists/websecurity/archive/2010-05/msg00003.html
> 
> The above has .NET & Java methods implemented. Now, I am a newcomer
> to ESAPI, in that I have only used specific subcomponents of it (e.g.
> preventing Oracle SQL injection), so what I am about to request is
> probably already somewhere in the APIs.
> 
> Is it trivial enough to put together a set of no more than a handful
> strict, static methods of the type seen in the post above and flag
> them as that, i.e. sanitisation routines, for people that would like
> to simply not worry about logging, etc. but all-in-all just dropping
> characters they are not expecting as input?
> 
> My apologies in advance if they are already in place; perhaps document
> them and group them in something straightforward of the type
> org.owasp.security.simple?
> 
> This idea revolves around simplifying the process of calling ESAPI,
> perhaps putting together an esapi-light that I would be more than
> happy to help code, if need be.
> 
> Thank you and.. keep up the good work!
> 
> Yiannis
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
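One way the three requested "drop what should not be there" routines could look, as an added example that is not part of this thread or of ESAPI; the semantics are assumed from the method names alone (ASCII letters capped at 20, ASCII digits, a strict ISO calendar date), and the class name is hypothetical:

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;

// Hypothetical strict sanitisers (not ESAPI's API; semantics assumed from the
// thread): keep only allow-listed characters, never throw. They silently alter
// input, so prefer a validator that rejects and logs for security-critical fields.
public final class SimpleSanitiser {
    private SimpleSanitiser() {}

    /** ASCII letters only, truncated to 20 characters. */
    public static String sanitiseAlpha20(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(20);
        for (int i = 0; i < input.length() && out.length() < 20; i++) {
            char c = input.charAt(i);
            if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')) out.append(c);
        }
        return out.toString();
    }

    /** ASCII digits only; non-ASCII digits are dropped rather than normalised. */
    public static String sanitiseNo(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (c >= '0' && c <= '9') out.append(c);
        }
        return out.toString();
    }

    /** Digits and '-' only, then a strict ISO yyyy-MM-dd check; anything else becomes "". */
    public static String sanitiseDate(String input) {
        if (input == null) return "";
        String kept = input.replaceAll("[^0-9-]", "");
        try {
            return LocalDate.parse(kept, DateTimeFormatter.ISO_LOCAL_DATE).toString();
        } catch (DateTimeParseException e) {
            return ""; // not a real calendar date (e.g. 2010-02-30): drop it, don't guess
        }
    }

    public static void main(String[] args) {
        System.out.println(sanitiseAlpha20("O'Brien-Smith <b>123</b>")); // OBrienSmithbb
        System.out.println(sanitiseNo("+44 (0)20 7946-0958"));           // 4402079460958
        System.out.println(sanitiseDate("2010-08-09<br>"));              // 2010-08-09
        System.out.println(sanitiseDate("09/08/2010"));                  // "" (digits alone are not trusted as a date)
    }
}
```

Note how the `<b>` tags in the first call survive as the letter `b`: dropping characters changes meaning, which is why these belong in an explicitly labelled "simple" package and not in place of ESAPI's validators.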

