[Esapi-user] ESAPI development process
Patrick Higgins
patrick.allen.higgins at gmail.com
Wed Aug 25 15:31:11 EDT 2010
On Wed, Aug 25, 2010 at 1:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> 1. Is there any documentation on the ESAPI development process? A "how to
>> contribute/get involved" guide?
>
> There are only 4 active committers right now. I manage the project over
> email. We do not have project documentation around our process (Agile/Small
> Team), but I do code review (as does Jeff) on all diffs.
So should I submit patches to the -dev mailing list or just create
issues in the issue tracker and attach patches there?
>> 2. From the Google Code people page, I see 18 people that have SVN
>> commit access. What controls are there to prevent
>> unreviewed/unapproved changes from being made?
>
> See above. I also just pruned this list down to just the 4 active folks and
> moved others to "contributor" status. I'll prune this list on a regular
> basis.
Thanks for pruning the list. That made me a little nervous!
> I do not use formal tagging, but I add a checkin note saying "Version X
> final".
>
> I only release JARs when I want the dev community to review. I now release
> all *real* releases as a complete zip. (This is why you see ESAPI 2.0 rc6 as
> a zip, and ESAPI rc7 (early release) as a jar. ESAPI rc7 is not ready for
> release, but will be in a few days. At that time I will deprecate the ESAPI
> 2.0 rc6 zip and the rc7 jar - and upload the rc7 zip.)
The ESAPI-2.0-rc6.zip doesn't appear to have any build scripts. Was
that an oversight?
> For output encoding, yes. I fixed the thread-safety issue in ESAPI 2.0 rc7
> jar - I'd love your help in backporting that to 1.4.
I'm working on some 1.4 fixes now.
I'm not comfortable with the 2.0 upgrade right now given some
differences in encoding. I've attached a table with all the
differences I found when encoding all characters from 0 to
Character.MAX_VALUE. The ones that concern me are the unprintable
characters that have been replaced with spaces. I am not certain that
some of our users aren't using those values--they have some unusual
data at times. Is there an explanation of that change somewhere? Are
there security concerns with allowing those characters through as
entity-encoded values rather than replacing them with space
characters?
--Patrick
-------------- next part --------------
Method Char 1.4 2.0
encodeForHTMLAttribute 0 � <space>
encodeForJavaScript 0 \0 \x00
encodeForHTMLAttribute 1  <space>
encodeForHTMLAttribute 2  <space>
encodeForHTMLAttribute 3  <space>
encodeForHTMLAttribute 4  <space>
encodeForHTMLAttribute 5  <space>
encodeForHTMLAttribute 6  <space>
encodeForHTMLAttribute 7  <space>
encodeForHTMLAttribute 8  <space>
encodeForJavaScript 8 \b \x08
encodeForHTML 9 <tab> 	
encodeForJavaScript 9 \t \x09
encodeForHTML 10 <newline>
encodeForJavaScript 10 \n \x0A
encodeForHTMLAttribute 11  <space>
encodeForJavaScript 11 \v \x0B
encodeForHTMLAttribute 12  <space>
encodeForJavaScript 12 \f \x0C
encodeForHTML 13 <cr> 
encodeForJavaScript 13 \r \x0D
encodeForHTMLAttribute 14  <space>
encodeForHTMLAttribute 15  <space>
encodeForHTMLAttribute 16  <space>
encodeForHTMLAttribute 17  <space>
encodeForHTMLAttribute 18  <space>
encodeForHTMLAttribute 19  <space>
encodeForHTMLAttribute 20  <space>
encodeForHTMLAttribute 21  <space>
encodeForHTMLAttribute 22  <space>
encodeForHTMLAttribute 23  <space>
encodeForHTMLAttribute 24  <space>
encodeForHTMLAttribute 25  <space>
encodeForHTMLAttribute 26  <space>
encodeForHTMLAttribute 27  <space>
encodeForHTMLAttribute 28  <space>
encodeForHTMLAttribute 29  <space>
encodeForHTMLAttribute 30  <space>
encodeForHTMLAttribute 31  <space>
encodeForJavaScript 32 <space> \x20
encodeForJavaScript 34 \" \x22
encodeForJavaScript 39 \' \x27
encodeForJavaScript 45 - \x2D
encodeForJavaScript 92 \\ \x5C
encodeForHTMLAttribute 127  <space>
encodeForHTMLAttribute 128 € <space>
encodeForHTMLAttribute 129  <space>
encodeForHTMLAttribute 130 ‚ <space>
encodeForHTMLAttribute 131 ƒ <space>
encodeForHTMLAttribute 132 „ <space>
encodeForHTMLAttribute 133 … <space>
encodeForHTMLAttribute 134 † <space>
encodeForHTMLAttribute 135 ‡ <space>
encodeForHTMLAttribute 136 ˆ <space>
encodeForHTMLAttribute 137 ‰ <space>
encodeForHTMLAttribute 138 Š <space>
encodeForHTMLAttribute 139 ‹ <space>
encodeForHTMLAttribute 140 Œ <space>
encodeForHTMLAttribute 141  <space>
encodeForHTMLAttribute 142 Ž <space>
encodeForHTMLAttribute 143  <space>
encodeForHTMLAttribute 144  <space>
encodeForHTMLAttribute 145 ‘ <space>
encodeForHTMLAttribute 146 ’ <space>
encodeForHTMLAttribute 147 “ <space>
encodeForHTMLAttribute 148 ” <space>
encodeForHTMLAttribute 149 • <space>
encodeForHTMLAttribute 150 – <space>
encodeForHTMLAttribute 151 — <space>
encodeForHTMLAttribute 152 ˜ <space>
encodeForHTMLAttribute 153 ™ <space>
encodeForHTMLAttribute 154 š <space>
encodeForHTMLAttribute 155 › <space>
encodeForHTMLAttribute 156 œ <space>
encodeForHTMLAttribute 157  <space>
encodeForHTMLAttribute 158 ž <space>
encodeForHTMLAttribute 159 Ÿ <space>
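The comparison behind the attached table, reproduced as an added example (not code from this post or from ESAPI): two small model encoders stand in for the 1.4 and 2.0 attribute behaviours the table shows (the `&#N;` entity format and the alphanumeric immune set are assumptions), every code point up to Character.MAX_VALUE is run through both, and the differing rows are listed. It also feeds each encoder's output through Python's html.unescape, which applies the HTML5 numeric-character-reference rules, to show what a parser actually yields for these code points.

```python
"""Diff two HTML-attribute encoders over 0..0xFFFF and check round-trips."""
import html
import string

# Assumed model, not ESAPI's own tables: alphanumerics pass through untouched.
IMMUNE = set(string.ascii_letters + string.digits)
# The rows the table lists for encodeForHTMLAttribute: C0 controls other than
# tab/LF/CR, DEL and the C1 range 128..159 become a single space in 2.0.
UNPRINTABLE = ({cp for cp in range(0x00, 0x20) if cp not in (0x09, 0x0A, 0x0D)}
               | set(range(0x7F, 0xA0)))


def encode_attr_14(ch: str) -> str:
    """Model of the 1.4 behaviour: every non-immune char becomes a numeric entity."""
    return ch if ch in IMMUNE else f"&#{ord(ch)};"


def encode_attr_20(ch: str) -> str:
    """Model of the 2.0 behaviour: unprintable chars are replaced by a space first."""
    if ord(ch) in UNPRINTABLE:
        return " "
    return encode_attr_14(ch)


def differing_codepoints(enc_a, enc_b, max_value=0xFFFF):
    """Code points in 0..max_value for which the two encoders disagree."""
    return [cp for cp in range(max_value + 1) if enc_a(chr(cp)) != enc_b(chr(cp))]


def round_trip(enc, cp):
    """What an HTML5-style parser yields for the encoder's output of code point cp.
    html.unescape maps &#0; to U+FFFD, &#128;..&#159; via the Windows-1252 table
    (e.g. &#128; -> U+20AC) and drops most other C0/C1 references entirely."""
    return html.unescape(enc(chr(cp)))


def report(rows):
    """Print table-style rows for the given code points; return the full diff list."""
    for cp in rows:
        a, b = encode_attr_14(chr(cp)), encode_attr_20(chr(cp))
        print(f"encodeForHTMLAttribute {cp} {a!r} {b!r}  "
              f"parses as {round_trip(encode_attr_14, cp)!r} vs {round_trip(encode_attr_20, cp)!r}")
    return differing_codepoints(encode_attr_14, encode_attr_20)


if __name__ == "__main__":
    report([0, 1, 9, 12, 127, 128, 129, 159, 160])
```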