[Esapi-user] ESAPI development process

Patrick Higgins patrick.allen.higgins at gmail.com
Wed Aug 25 14:55:33 EDT 2010


My company has been using ESAPI 1.4 for a few months now for output
encoding and have encountered a few issues with thread safety. While
trying to investigate these, a few questions came up:

1. Is there any documentation on the ESAPI development process? A "how
to contribute/get involved" guide?

2. From the Google Code people page, I see 18 people that have SVN
commit access. What controls are there to prevent
unreviewed/unapproved changes from being made?

3. How can I reproduce one of the release builds? It looks to me like
sometimes only a jar is released, sometimes there is also source but
without a build or project file to compile it with, but if I do an SVN
checkout I get the source and build files. Unfortunately, it doesn't
look like SVN tags are being used and I didn't see an easy way to tie
a revision number to a release. I'd like to be able to make small
patches to the release we use in production until we can complete
testing of a newer version, but this is difficult without knowing how
to repeat the build process of a particular ESAPI release.

4. Is the 2.0-rcX series recommended for production? We'll only be
using the output encoding parts. It seems to have resolved the problem
we hit (multiple threads deadlocking in
HTMLEntityCodec.initializeMaps() resulting from multiple threads
inserting into a HashMap without synchronization).

5. If 2.0-rcX

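As an added illustration (not ESAPI's own code and not from the poster), the snippet below shows the lazy-initialisation race the fourth question describes next to two thread-safe alternatives. The class names UnsafeCodec, EagerCodec, LazyHolderCodec and the helper fill() are hypothetical stand-ins for HTMLEntityCodec.initializeMaps(); the entity table is a constructed four-entry sample, not the real HTML one.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not ESAPI code: an unsynchronized lazy-init race beside two
 * safe variants. All names are hypothetical stand-ins for the ESAPI classes.
 */
public final class LazyMapInit {

    // --- Unsafe: the shape that fails under concurrent first use -------------
    // Two threads can both observe null, both create maps, and both insert into
    // whichever map was published last. Concurrent put() into a HashMap has no
    // defined behaviour; on pre-Java-8 JDKs a resize race can corrupt a bucket
    // chain so that get() loops forever, which from outside looks like a deadlock.
    static final class UnsafeCodec {
        private static Map<Character, String> entityMap; // no volatile, no lock

        static String encode(char c) {
            if (entityMap == null) {          // check-then-act, unguarded
                entityMap = new HashMap<>();  // published before it is filled
                fill(entityMap);              // other threads may insert at once
            }
            return entityMap.get(c);
        }
    }

    // --- Safe (1): eager initialisation into an unmodifiable map -------------
    // The JVM runs a class's static initialiser exactly once under its own lock,
    // and the map is never mutated afterwards, so reads need no synchronisation.
    static final class EagerCodec {
        private static final Map<Character, String> ENTITY_MAP;
        static {
            Map<Character, String> m = new HashMap<>();
            fill(m);
            ENTITY_MAP = Collections.unmodifiableMap(m);
        }
        static String encode(char c) { return ENTITY_MAP.get(c); }
    }

    // --- Safe (2): lazy-holder idiom, when construction is expensive ---------
    // The nested Holder class is not initialised until encode() first touches
    // it, so the work stays lazy but still gets the JVM's once-only guarantee.
    static final class LazyHolderCodec {
        private static final class Holder {
            static final Map<Character, String> ENTITY_MAP;
            static {
                Map<Character, String> m = new HashMap<>();
                fill(m);
                ENTITY_MAP = Collections.unmodifiableMap(m);
            }
        }
        static String encode(char c) { return Holder.ENTITY_MAP.get(c); }
    }

    // Constructed sample entity table standing in for the real HTML one.
    private static void fill(Map<Character, String> m) {
        m.put('<', "&lt;");
        m.put('>', "&gt;");
        m.put('&', "&amp;");
        m.put('"', "&quot;");
    }

    // Harness: hit the two safe variants from many threads at once. The unsafe
    // variant is deliberately left out of the loop because, when the race does
    // fire, the JVM may spin indefinitely; that timing dependence is exactly why
    // such bugs pass single-threaded tests and surface only in production.
    public static void main(String[] args) throws InterruptedException {
        Thread[] workers = new Thread[16];
        for (int i = 0; i < workers.length; i++) {
            workers[i] = new Thread(() -> {
                for (int j = 0; j < 10_000; j++) {
                    EagerCodec.encode('<');
                    LazyHolderCodec.encode('&');
                }
            });
            workers[i].start();
        }
        for (Thread t : workers) t.join();
        System.out.println("eager: " + EagerCodec.encode('<')
                + "  lazy-holder: " + LazyHolderCodec.encode('&'));
    }
}
```

The defensive takeaway for anyone reviewing similar codec or encoder code: a lookup table that is built once and then only read should be made immutable and initialised by the class loader, as in the two safe variants, rather than guarded by a bare null check. If a lazy check is genuinely needed, a static nested holder gives laziness without any hand-written locking.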