[Esapi-user] ESAPI development process

Patrick Higgins patrick.allen.higgins at gmail.com
Wed Aug 25 15:31:11 EDT 2010


On Wed, Aug 25, 2010 at 1:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> 1. Is there any documentation on the ESAPI development process? A "how to
>> contribute/get involved" guide?
>
> There are only 4 active committers right now. I manage the project over
> email. We do not have project documentation around our process (Agile/Small
> Team), but I do code review (as does Jeff) on all diffs.

So should I submit patches to the -dev mailing list or just create
issues in the issue tracker and attach patches there?

>> 2. From the Google Code people page, I see 18 people that have SVN
>> commit access. What controls are there to prevent
>> unreviewed/unapproved changes from being made?
>
> See above. I also just pruned this list down to just the 4 active folks and
> moved others to "contributor" status. I'll prune this list on a regular
> basis.

Thanks for pruning the list. That made me a little nervous!

> I do not use formal tagging, but I add a checkin note saying "Version X
> final".
>
> I only release JARs when I want the dev community to review. I now release
> all *real* releases as a complete zip. (This is why you see ESAPI 2.0 rc6 as
> a zip, and ESAPI rc7 (early release) as a jar. ESAPI rc7 is not ready for
> release, but will be in a few days. At that time I will deprecate the ESAPI
> 2.0 rc6 zip and the rc7 jar - and upload the rc7 zip.

The ESAPI-2.0-rc6.zip doesn't appear to have any build scripts. Was
that an oversight?

> For output encoding, yes. I fixed the thread-safety issue in ESAPI 2.0 rc7
> jar - I'd love your help in backporting that to 1.4.

I'm working on some 1.4 fixes now.

I'm not comfortable with the 2.0 upgrade right now given some
differences in encoding. I've attached a table with all the
differences I found when encoding all characters from 0 to
Character.MAX_VALUE. The ones that concern me are the unprintable
characters that have been replaced with spaces. I am not certain that
some of our users aren't using those values--they have some unusual
data at times. Is there an explanation of that change somewhere? Are
there security concerns with allowing those characters through as
entity-encoded values rather than replacing them with space
characters?

--Patrick
[Attachment: encoding differences found between ESAPI 1.4 and 2.0]
                   Method Char          1.4      2.0
   encodeForHTMLAttribute    0         &#0;  <space>
      encodeForJavaScript    0           \0     \x00
   encodeForHTMLAttribute    1         &#1;  <space>
   encodeForHTMLAttribute    2         &#2;  <space>
   encodeForHTMLAttribute    3         &#3;  <space>
   encodeForHTMLAttribute    4         &#4;  <space>
   encodeForHTMLAttribute    5         &#5;  <space>
   encodeForHTMLAttribute    6         &#6;  <space>
   encodeForHTMLAttribute    7         &#7;  <space>
   encodeForHTMLAttribute    8         &#8;  <space>
      encodeForJavaScript    8           \b     \x08
            encodeForHTML    9        <tab>    &#x9;
      encodeForJavaScript    9           \t     \x09
            encodeForHTML   10    <newline>    &#xa;
      encodeForJavaScript   10           \n     \x0A
   encodeForHTMLAttribute   11        &#11;  <space>
      encodeForJavaScript   11           \v     \x0B
   encodeForHTMLAttribute   12        &#12;  <space>
      encodeForJavaScript   12           \f     \x0C
            encodeForHTML   13         <cr>    &#xd;
      encodeForJavaScript   13           \r     \x0D
   encodeForHTMLAttribute   14        &#14;  <space>
   encodeForHTMLAttribute   15        &#15;  <space>
   encodeForHTMLAttribute   16        &#16;  <space>
   encodeForHTMLAttribute   17        &#17;  <space>
   encodeForHTMLAttribute   18        &#18;  <space>
   encodeForHTMLAttribute   19        &#19;  <space>
   encodeForHTMLAttribute   20        &#20;  <space>
   encodeForHTMLAttribute   21        &#21;  <space>
   encodeForHTMLAttribute   22        &#22;  <space>
   encodeForHTMLAttribute   23        &#23;  <space>
   encodeForHTMLAttribute   24        &#24;  <space>
   encodeForHTMLAttribute   25        &#25;  <space>
   encodeForHTMLAttribute   26        &#26;  <space>
   encodeForHTMLAttribute   27        &#27;  <space>
   encodeForHTMLAttribute   28        &#28;  <space>
   encodeForHTMLAttribute   29        &#29;  <space>
   encodeForHTMLAttribute   30        &#30;  <space>
   encodeForHTMLAttribute   31        &#31;  <space>
      encodeForJavaScript   32      <space>     \x20
      encodeForJavaScript   34           \"     \x22
      encodeForJavaScript   39           \'     \x27
      encodeForJavaScript   45            -     \x2D
      encodeForJavaScript   92           \\     \x5C
   encodeForHTMLAttribute  127       &#127;  <space>
   encodeForHTMLAttribute  128       &#128;  <space>
   encodeForHTMLAttribute  129       &#129;  <space>
   encodeForHTMLAttribute  130       &#130;  <space>
   encodeForHTMLAttribute  131       &#131;  <space>
   encodeForHTMLAttribute  132       &#132;  <space>
   encodeForHTMLAttribute  133       &#133;  <space>
   encodeForHTMLAttribute  134       &#134;  <space>
   encodeForHTMLAttribute  135       &#135;  <space>
   encodeForHTMLAttribute  136       &#136;  <space>
   encodeForHTMLAttribute  137       &#137;  <space>
   encodeForHTMLAttribute  138       &#138;  <space>
   encodeForHTMLAttribute  139       &#139;  <space>
   encodeForHTMLAttribute  140       &#140;  <space>
   encodeForHTMLAttribute  141       &#141;  <space>
   encodeForHTMLAttribute  142       &#142;  <space>
   encodeForHTMLAttribute  143       &#143;  <space>
   encodeForHTMLAttribute  144       &#144;  <space>
   encodeForHTMLAttribute  145       &#145;  <space>
   encodeForHTMLAttribute  146       &#146;  <space>
   encodeForHTMLAttribute  147       &#147;  <space>
   encodeForHTMLAttribute  148       &#148;  <space>
   encodeForHTMLAttribute  149       &#149;  <space>
   encodeForHTMLAttribute  150       &#150;  <space>
   encodeForHTMLAttribute  151       &#151;  <space>
   encodeForHTMLAttribute  152       &#152;  <space>
   encodeForHTMLAttribute  153       &#153;  <space>
   encodeForHTMLAttribute  154       &#154;  <space>
   encodeForHTMLAttribute  155       &#155;  <space>
   encodeForHTMLAttribute  156       &#156;  <space>
   encodeForHTMLAttribute  157       &#157;  <space>
   encodeForHTMLAttribute  158       &#158;  <space>
   encodeForHTMLAttribute  159       &#159;  <space>