[Esapi-user] sanitiseAlpha20, sanitiseDate, sanitiseNo

Jim Manico jim.manico at owasp.org
Thu Aug 12 18:30:46 EDT 2010


This is very easy to fix/add...

-Jim
http://manico.net

On Aug 12, 2010, at 3:12 PM, Chris Schmidt <chrisisbeef at gmail.com> wrote:

> I also had to bypass esapi to use antisamy directly with a custom policy. It would be nice if there was an API to strictly sanitize input based on a specified antisamy policy. I already have an API for this in the works so I will shoot out details a little later
> 
> Sent from my iPwn
> 
> On Aug 12, 2010, at 3:36 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
> 
>> This is on our immediate roadmap. 
>> 
>> As soon as 2.0 is final (if not sooner), we are going to start breaking
>> ESAPI into smaller pieces (how is still being debated) as well as attempt to
>> reduce 3rd party dependencies. I'll keep the lists posted on this next wave
>> of effort.
>> 
>> - Jim
>> 
>> -----Original Message-----
>> From: esapi-user-bounces at lists.owasp.org
>> [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Yiannis Pavlosoglou
>> Sent: Monday, August 09, 2010 5:32 AM
>> To: ESAPI-Developers; ESAPI-Users
>> Subject: [Esapi-user] sanitiseAlpha20, sanitiseDate, sanitiseNo
>> 
>> Hi all,
>> 
>> Without wanting to steal Kevin's previous thread, on what ESAPI can do
>> going forward, I have been getting some feedback on a thread posted
>> not too long ago. The feedback comes from folks in the trenches, so to
>> speak, i.e., "Yiannis, I need 50 lines of code that drop what should not
>> be there". The original thread:
>> 
>> http://www.webappsec.org/lists/websecurity/archive/2010-05/msg00003.html
>> 
>> The above has .NET & Java methods implemented. Now, I am a newcomer
>> to ESAPI, in that I have only used specific subcomponents of it (e.g.
>> preventing oracle sql injection) so what I am about to request is
>> probably already somewhere in the APIs.
>> 
>> Is it trivial enough to put together a set of no more than a handful
>> strict, static methods of the type seen in the post above and flag
>> them as that, i.e. sanitisation routines, for people that would like
>> to simply not worry about logging, etc. but all-in-all just dropping
>> characters they are not expecting as input?
>> 
>> My apologies in advance if they are already in place; perhaps document
>> them and group them in something straightforward of the type
>> org.owasp.security.simple?
>> 
>> This idea revolves around simplifying the process of calling esapi,
>> perhaps putting together an esapi-light that I would be more than
>> happy to help code, if need be.
>> 
>> Thank you and.. keep up the good work!
>> 
>> Yiannis
>> _______________________________________________
>> Esapi-user mailing list
>> Esapi-user at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/esapi-user
>> 
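Added example, not code from this thread, from the linked webappsec post, or from ESAPI itself: a Java sketch of the kind of strict, static, allow-list "drop what should not be there" routines Yiannis asks for. The class name SimpleSanitiser and the exact semantics behind the three method names (letters only and at most 20 characters; digits only; an ISO yyyy-MM-dd date that must also be a real calendar date) are assumptions chosen for illustration.

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.regex.Pattern;

/**
 * Illustrative allow-list sanitisers (assumed semantics, not ESAPI's API).
 * Each method keeps only the characters it expects and drops the rest,
 * which is the "sanitise by dropping" behaviour the thread discusses.
 */
public final class SimpleSanitiser {

    // Negated allow-lists: everything matched by these patterns is removed.
    private static final Pattern NOT_ALPHA = Pattern.compile("[^A-Za-z]");
    private static final Pattern NOT_DIGIT = Pattern.compile("[^0-9]");
    private static final Pattern NOT_DATE_CHAR = Pattern.compile("[^0-9-]");
    // ISO_LOCAL_DATE resolves strictly, so 2010-02-30 is rejected.
    private static final DateTimeFormatter ISO = DateTimeFormatter.ISO_LOCAL_DATE;

    private SimpleSanitiser() {}

    /** Keep only ASCII letters, then truncate to 20 characters (assumed limit). */
    public static String sanitiseAlpha20(String input) {
        if (input == null) return "";
        String kept = NOT_ALPHA.matcher(input).replaceAll("");
        return kept.length() > 20 ? kept.substring(0, 20) : kept;
    }

    /** Keep only decimal digits (no sign, no separators); empty if nothing survives. */
    public static String sanitiseNo(String input) {
        if (input == null) return "";
        return NOT_DIGIT.matcher(input).replaceAll("");
    }

    /**
     * Drop everything except digits and '-', then require what is left to
     * parse as a real ISO date. Returns null when it does not: dropping
     * characters alone cannot make "2010-02-30" a valid date, so a parse
     * step is still needed even for a "sanitise, don't validate" helper.
     */
    public static LocalDate sanitiseDate(String input) {
        if (input == null) return null;
        String kept = NOT_DATE_CHAR.matcher(input).replaceAll("");
        try {
            return LocalDate.parse(kept, ISO);
        } catch (DateTimeParseException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(sanitiseAlpha20("O'Brien <script>"));
        System.out.println(sanitiseNo("1,234.56"));
        System.out.println(sanitiseDate("2010-08-09"));
        System.out.println(sanitiseDate("2010-02-30"));
    }
}
```

Compile and run with `javac SimpleSanitiser.java && java SimpleSanitiser`. The second sample shows the caveat a practitioner should keep in mind with this style of routine: dropping characters is lossy, so "1,234.56" silently becomes a different number rather than being rejected. That is acceptable for free-text fields where the goal is only to strip what is unexpected, but for values with meaning (amounts, identifiers, dates) a reject-on-failure validator that returns an error, as ESAPI's Validator does, is usually the safer default; the sanitiseDate method above mixes the two approaches for exactly that reason.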