[Esapi-user] ESAPI 1.4 SafeHTTPFilter

Jim Manico jim.manico at owasp.org
Mon Jul 26 23:26:01 EDT 2010


I've made a few configurable changes to the ESAPI SafeHTTPFilter in the 
1.4 branch at:


This allows for a list of URL root fragments, exact URLs or regular 
expression matching to exclude certain URLs from the SafeHTTPFilter.

1) Does this solution seem reasonable?
2) Do you want it in ESAPI 2.0?
3) Can you please give SafeHTTPFilter.java a quick code review? I'm not 
set up with a solid Java 1.4 app to test this with while on the road.
4) This is a "first pass" - I have not cached anything yet. The 
configurable lists could also be saved as hashes to speed up access to 
large lists of URLs. I'm just trying to get it right first; I'll 
optimize later (Knuth told me that was ok ;)

Thanks Folks,
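
An added example, not part of the original message and not ESAPI's code: one way to evaluate the three kinds of exclusion the message describes (exact URL, URL root fragment, regular expression) against a normalized request path, so that an exclusion covers only the paths it was meant to. The class name, configuration values and sample URIs are assumptions, and the code uses generics, so it targets Java 5 or later rather than Java 1.4.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical helper for illustration; not ESAPI's SafeHTTPFilter code.
public class UrlExclusions {
    // Constructed sample configuration (assumed values).
    static final List<String> EXACT = Arrays.asList("/health", "/login.jsp");
    static final List<String> ROOTS = Arrays.asList("/static");
    static final List<Pattern> REGEX = Arrays.asList(Pattern.compile("/img/[a-z0-9_-]+\\.png"));

    // Returns the decoded, dot-segment-resolved path, or null when it cannot be trusted.
    static String normalize(String requestUri) {
        try {
            String path = new URI(requestUri).normalize().getPath();
            if (path == null) return null;
            path = path.replaceAll(";[^/]*", "");     // drop path parameters such as ;jsessionid=...
            return path.contains("..") ? null : path; // leftover ".." means do not exclude
        } catch (URISyntaxException e) {
            return null; // unparseable input is never excluded, so the filter still runs
        }
    }

    static boolean isExcluded(String requestUri) {
        String path = normalize(requestUri);
        if (path == null) return false;
        if (EXACT.contains(path)) return true;
        for (String root : ROOTS) {
            // Compare whole segments so "/static" does not also exclude "/staticadmin".
            if (path.equals(root) || path.startsWith(root + "/")) return true;
        }
        for (Pattern p : REGEX) {
            if (p.matcher(path).matches()) return true; // matches(), not find(): whole path
        }
        return false;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed request URIs
            "/static/css/app.css", "/staticadmin/users", "/static/../admin/users",
            "/static/..;/admin/users", "/login.jsp;jsessionid=ABC", "/img/logo.png",
            "/img/logo.png/../../admin" };
        for (String s : samples) {
            System.out.println(s + " -> " + (isExcluded(s) ? "excluded" : "filtered"));
        }
    }
}
```

Anything that fails normalization is reported as not excluded, so a malformed or ambiguous URL still passes through the filter instead of skipping it.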
