[Esapi-user] Using ESAPI.encoder's canonicalization & encoder methods

Jeff Williams jeff.williams at aspectsecurity.com
Sun Jul 11 22:25:26 EDT 2010

I agree with Jim on this.  Canonicalization is important if you want to
get validation right.  The idea is that you can't properly validate
untrusted data unless you first reduce it to its simplest form.  That's
why canonicalization is performed automatically in the ESAPI Validator.


I understand that the code you provided is just examples, but no real
application would (hopefully) be writing out HTML to the output stream
the way you suggest. More likely it would be JSP or JSF tags.  Here's
some conceptual code that demonstrates the use of validation (which
canonicalizes) ...


String unvalidated = request.getParameter("input" );

String validated = ESAPI.validate( "input", "LastName", unvalidated );


out.print( "<input value='" + ESAPI.encodeForHtmlAttribute( validated ) + "'>" );


Now, you've asked a complicated question about "customEncode" that I
don't think I understand.  It might be that you're asking about nested
encoding contexts, which do exist in the browser, such as a URL inside
Javascript.  If so, then you're in some dangerous waters that are not
fully explored (yet). There is definitely research going on at OWASP to
detail out exactly what combinations of escaping to use in each of these
nested contexts.


It could also be that you're asking about how to deal with a custom
encoding when you're canonicalizing. The ESAPI Canonicalization engine
uses a set of codecs, which are fairly easy to extend.  You can then
create a DefaultEncoder that uses exactly the set of codecs that you
want to apply to your data.  Your examples are almost certainly wrong,
since they encode and then canonicalize, which will undo any encoding
(assuming you have the right set of codecs).


If you could provide more details about what you mean with the
"customEncode()" perhaps we'll be able to help.
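To illustrate the ordering argument made above (canonicalize, validate, then encode on output, and never encode before canonicalizing), here is a small added Python model. It is not ESAPI code: the canonicalizer is a toy that only undoes HTML-entity and percent encoding, and the "LastName" rule is an assumed pattern.

```python
"""Toy model of canonicalize -> validate -> encode (not ESAPI's implementation)."""
import html
import re
from urllib.parse import unquote

# Assumed validation rule standing in for a "LastName" pattern.
LAST_NAME = re.compile(r"^[A-Za-z' -]{1,64}$")


def canonicalize(value, max_rounds=5):
    """Undo HTML-entity and percent encoding until the string stops changing.
    Returns (simplest_form, layers_removed); refuses inputs that never settle."""
    current = value
    for rounds in range(1, max_rounds + 1):
        decoded = unquote(html.unescape(current))
        if decoded == current:
            return current, rounds - 1
        current = decoded
    raise ValueError("input did not converge; excessive nested encoding")


def encode_for_html_attribute(value):
    """Output encoding for the HTML attribute context (stdlib stand-in)."""
    return html.escape(value, quote=True)


def validate_last_name(raw):
    """Validate the canonical form, as the ESAPI Validator does automatically."""
    canon, layers = canonicalize(raw)
    if layers > 1:
        raise ValueError("double encoding detected")
    if not LAST_NAME.match(canon):
        raise ValueError("invalid last name")
    return canon


def render_input(raw):
    """Correct order: canonicalize + validate on input, encode on output."""
    validated = validate_last_name(raw)
    return "<input value='" + encode_for_html_attribute(validated) + "'>"


def encode_then_canonicalize(raw):
    """The order criticized above: canonicalizing simply undoes the encoding."""
    canon, _ = canonicalize(encode_for_html_attribute(raw))
    return canon


def rejects(raw):
    """True when validation refuses the (constructed) input."""
    try:
        validate_last_name(raw)
        return False
    except ValueError:
        return True
```

Constructed inputs such as `%26lt%3Bb%26gt%3B` (percent encoding wrapped around entity encoding) are rejected as double-encoded before any pattern check runs, while `encode_then_canonicalize("O'Neil")` hands back the raw apostrophe, showing why that order protects nothing.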




From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Sunday, July 11, 2010 9:35 PM
To: Shar Lwin Khin
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] Using ESAPI.encoder's canonicalization &
encoder methods


You only need to canonicalize on input, IMO.

Keep in mind that canonicalization can break data in some cases. Since
you are just trying to stop XSS here without output encoding, I suggest
you ONLY encode like so:

out.print("<input value='" +
ESAPI.encoder().encodeForHTMLAttribute(request.getParameter("input")) + "'>");

- Jim

Dear all,


I am a web security researcher who wants to secure the user inputs using
ESAPI's encoding methods such as encodeForHTML, encodeForJavaScript. But
I am confused about how to use the canonicalization method correctly in the
presence of some custom encoding schemes that I can't analyze. Say, for
example, an application has this code:


out.print("<input ... value=' " + customEncode(request.getParameter("input")) );


In the above code, customEncode is the custom encoding method used by
the application, which can be any encoding scheme. So the question is: is
it OK to use ESAPI's encoder to secure the input in the following way:


out.print("<input ... value=' "+
("input"))) );


OR is the following way correct, which canonicalizes first and then ESAPI-encodes:


out.print("<input ... value=' "+
omEncode(request.getParameter("input")))) );


OR are both ways incorrect, so that one in fact needs to know what
customEncode() is doing?


I'd also like to know the solutions for the similar cases that require
encodeForHTML, encodeForCSS, and encodeForJavaScript.


best regards,





Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager