[Esapi-user] [OWASP-ESAPI] Implementation of Global Output Encoder with ESAPI

Chris Schmidt chrisisbeef at gmail.com
Fri May 7 17:33:30 EDT 2010


Ramesh - (Please use the ESAPI-USER list - this list is deprecated.)

You just create an HttpServletRequestWrapper that returns the encoded
values.

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;

public class MyWrapper extends HttpServletRequestWrapper {
   // HttpServletRequestWrapper has no no-arg constructor; pass the wrapped request through.
   public MyWrapper(HttpServletRequest request) {
      super(request);
   }

   @Override
   public String getParameter(String key) {
      try {
         // Encode for the HTML body context; an absent parameter (null) stays null.
         return ESAPI.encoder().encodeForHTML( super.getParameter( key ) );
      } catch ( Exception e ) {
         ESAPI.getLogger( "MyWrapper" ).error(
            Logger.EVENT_FAILURE, "Unable to encode value", e );
      }
      return null;
   }
}

Obviously, this is an overly simplified version, but it conveys the point.

I am curious what you are going for by re-encoding for HTML,
HTMLAttribute, CSS, and JS?

I understand the desire to not have to make changes to a *ton* of JSPs
to get this going quickly, and the above works as a good *big hammer*
solution to solve most problems quickly, but ultimately you are going to
want to make sure that you start implementing the encoding correctly in
your view code as you go. It is pretty easy to carve out sections of a
site and go through that section using the ESAPI taglibs or a scriptlet to
call the correct one.

Hope this has been helpful.

Thanks

On 5/7/2010 2:28 PM, Kesavanarayanan, Ramesh wrote:
>
> I have a question on the output encoding using the ESAPI.
>
> In my application I tried to implement the ESAPI for the response
> output encoding in a centralized manner so that I do not need to
> change every JSP page in my application.
>
> The following is the piece of code I have written using my sessionFilter.
>
> import java.io.CharArrayWriter;
> import java.io.IOException;
> import javax.servlet.FilterChain;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import javax.servlet.http.HttpSession;
> import org.owasp.esapi.ESAPI;
>
>         // CharResponseWrapper is the sender's own buffering response wrapper (not shown).
>         public void doFilter(ServletRequest request, ServletResponse response,
>                         FilterChain chain) throws ServletException, IOException {
>
>                 HttpServletRequest httpRequest = (HttpServletRequest) request;
>                 HttpServletResponse httpResponse = (HttpServletResponse) response;
>                 HttpSession session = httpRequest.getSession();
>
>                 ServletResponse newResponse = null;
>                 if (request instanceof HttpServletRequest) {
>                         newResponse = new CharResponseWrapper((HttpServletResponse) response);
>                 }
>
>                 // The chain is invoked with the original response object, not newResponse.
>                 chain.doFilter(request, response);
>
>                 String text = newResponse.toString();
>                 text = text.toUpperCase();
>                 text = ESAPI.encoder().encodeForHTML(text);
>                 text = ESAPI.encoder().encodeForHTMLAttribute(text);
>                 text = ESAPI.encoder().encodeForJavaScript(text);
>                 text = ESAPI.encoder().encodeForCSS(text);
>
>                 CharArrayWriter caw = new CharArrayWriter();
>                 if (text != null) {
>                         try {
>                                 caw.write(text);
>                                 response.getWriter().write(caw.toString());
>                         } catch (java.lang.IllegalStateException ille) {
>                         }
>                 }
>        }
>
> In my JSP I have the code as follows
>
> Not working:
>
> <script>
> function setUserName(){
>          document.getElementById("login").value = '<%= (String) request.getAttribute("username") %>';
> }
> </script>
>
> Working:
>
> <%!
>         String cleanXSS(String value) {
>                 value = ESAPI.encoder().encodeForHTML(value);
>                 value = ESAPI.encoder().encodeForHTMLAttribute(value);
>                 value = ESAPI.encoder().encodeForJavaScript(value);
>                 value = ESAPI.encoder().encodeForCSS(value);
>                 return value;
>         }
> %>
>
> <script>
> function setUserName(){
>          document.getElementById("login").value = '<%= cleanXSS( (String) request.getAttribute("username") ) %>';
> }
> </script>
>
> As you can see, I expect the response to be updated with the ESAPI
> functions, but somewhere I lose the ESAPI. The idea for me is to
> centralize the output encoding so that it saves me time and effort.
>
> I would appreciate any pointers on this.
>
> Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) | 319-621-7641 (M)
> | ramesh.kesavanarayanan at pearson.com
>
>
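The two things Chris's reply points at, written out as an added example (this is not code from the thread or from the ESAPI project): a filter that installs a parameter-encoding request wrapper (the "big hammer"), and a per-context helper for the JSP case in the question, where a username dropped into a JavaScript string literal inside <script> needs encodeForJavaScript alone rather than four encoders chained. It assumes ESAPI 2.x (with ESAPI.properties on the classpath, as ESAPI requires) and the javax.servlet API; the names HtmlEncodingFilter, HtmlEncodingRequest, Context, encodeFor and setUserNameScript are this example's own.

```java
// Added example, not code from the original thread or from ESAPI.
// Assumes ESAPI 2.x and the javax.servlet API on the classpath.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.esapi.ESAPI;

public class EncodingExample {

    /** Installs the wrapper so everything downstream sees HTML-encoded parameters. */
    public static class HtmlEncodingFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (req instanceof HttpServletRequest) {
                // The wrapped request, not the original, is what must go down the chain.
                req = new HtmlEncodingRequest((HttpServletRequest) req);
            }
            chain.doFilter(req, res);
        }
    }

    /** The "big hammer": encode once, for the HTML body context only. */
    public static class HtmlEncodingRequest extends HttpServletRequestWrapper {
        public HtmlEncodingRequest(HttpServletRequest request) { super(request); }

        @Override public String getParameter(String name) {
            String raw = super.getParameter(name);
            return raw == null ? null : ESAPI.encoder().encodeForHTML(raw);
        }

        @Override public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] out = new String[raw.length];
            for (int i = 0; i < raw.length; i++) out[i] = ESAPI.encoder().encodeForHTML(raw[i]);
            return out;
        }
    }

    /** Output contexts from the question; exactly one encoder applies to each. */
    public enum Context { HTML_BODY, HTML_ATTRIBUTE, JS_STRING, CSS_VALUE }

    /** Picks the single encoder for the context the value is being written into. */
    public static String encodeFor(Context ctx, String value) {
        if (value == null) return "";
        switch (ctx) {
            case HTML_BODY:      return ESAPI.encoder().encodeForHTML(value);
            case HTML_ATTRIBUTE: return ESAPI.encoder().encodeForHTMLAttribute(value);
            case JS_STRING:      return ESAPI.encoder().encodeForJavaScript(value);
            case CSS_VALUE:      return ESAPI.encoder().encodeForCSS(value);
            default: throw new IllegalArgumentException("unknown context " + ctx);
        }
    }

    /** The script block from the question, with the username in a JS string literal. */
    public static String setUserNameScript(String username) {
        return "<script>function setUserName(){"
             + "document.getElementById(\"login\").value='"
             + encodeFor(Context.JS_STRING, username)
             + "';}</script>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a value that would break out of the JS string literal.
        String hostile = "x';alert(document.cookie);//";
        System.out.println(setUserNameScript(hostile));
        // The same value encoded for an HTML body and for a JS string come out differently;
        // that difference is why one encoder per context, not a chain, is the right shape.
        System.out.println(encodeFor(Context.HTML_BODY, hostile));
        System.out.println(encodeFor(Context.JS_STRING, hostile));
    }
}
```

Two caveats a practitioner will want. Chaining the encoders double-encodes: encodeForHTML turns an apostrophe into an entity, and encodeForJavaScript then backslash-escapes the `&`, `#` and `;` of that entity, so the browser's JS string decodes back to the entity text and the login box displays it literally rather than the name. And a wrapper that HTML-encodes parameters at input time hands HTML-encoded data to every consumer, including code that stores, logs or re-emits the value in a non-HTML context, which is the reason the reply says to move the encoding into the view code as you go. Wrapping the whole rendered response, as the filter in the question does, has the same problem one level up: the page's own markup is encoded along with the data.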