[Esapi-user] [OWASP-ESAPI] Implementation of Global Output Encoder with ESAPI

Jim Manico jim.manico at owasp.org
Fri May 7 19:17:21 EDT 2010


> You just create an HttpServletRequestWrapper that returns the
> encoded values.

Beef... Noooooo!

I can't agree with that. This filter method only encodes data in the 
HTML body context - leaving all other display contexts vulnerable to XSS!

I implore you to manually encode each variable per 
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet 
- you can even come up with a few regular expressions to do mass 
search-and-replace for some cases.

My 2 cents,
Jim

> Ramesh - (Please use the ESAPI-USER list - this list is deprecated.)
>
> You just create an HttpServletRequestWrapper that returns the encoded 
> values.
>
> public class MyWrapper extends HttpServletRequestWrapper {
>    @Override
>    public String getParameter(String key) {
>       try {
>          return ESAPI.encoder().encodeForHTML( super.getParameter( key ) );
>       } catch ( Exception e ) {
>          ESAPI.getLogger( "MyWrapper" ).error( org.owasp.esapi.Logger.EVENT_FAILURE, "Unable to encode value", e );
>       }
>       return null;
>    }
> }
>
> Obviously, this is an overly simplified version, but it conveys the point.
>
> I am curious what you are going for by re-encoding for HTML, 
> HTMLAttribute, CSS, and JS?
>
> I understand the desire to not have to make changes to a *ton* of jsps 
> to get this going quickly, and the above works as a good *big hammer* 
> solution to solve most problems quickly, but ultimately you are going 
> to want to make sure that you start implementing the encoding 
> correctly in your view code as you go. It is pretty easy to carve out 
> sections of a site and go through that section using the ESAPI taglibs 
> or scriptlet to call the correct one.
>
> Hope this has been helpful.
>
> Thanks
>
> On 5/7/2010 2:28 PM, Kesavanarayanan, Ramesh wrote:
>>
>> I have a question on the output encoding using the ESAPI.
>>
>> In my application I tried to implement the ESAPI for the response 
>> output encoding in a centralized manner so that I do not need to 
>> change every JSP page in my application.
>>
>> The following is the piece of code I have written using my sessionFilter.
>>
>> import java.io.CharArrayWriter;
>>
>> public void doFilter(ServletRequest request, ServletResponse response,
>>         FilterChain chain) throws ServletException, IOException {
>>     HttpServletRequest httpRequest = (HttpServletRequest) request;
>>     HttpServletResponse httpResponse = (HttpServletResponse) response;
>>     HttpSession session = httpRequest.getSession();
>>     ServletResponse newResponse = null;
>>     if (request instanceof HttpServletRequest) {
>>         newResponse = new CharResponseWrapper((HttpServletResponse) response);
>>     }
>>     chain.doFilter(request, response);
>>     String text = newResponse.toString();
>>     text = text.toUpperCase();
>>     text = ESAPI.encoder().encodeForHTML(text);
>>     text = ESAPI.encoder().encodeForHTMLAttribute(text);
>>     text = ESAPI.encoder().encodeForJavaScript(text);
>>     text = ESAPI.encoder().encodeForCSS(text);
>>     CharArrayWriter caw = new CharArrayWriter();
>>     if (text != null) {
>>         try {
>>             caw.write(text);
>>             response.getWriter().write(caw.toString());
>>         } catch (java.lang.IllegalStateException ille) {
>>         }
>>     }
>> }
>>
>> In my JSP I have the code as follows
>>
>> Not working:
>>
>> <script>
>> function setUserName(){
>>     document.getElementById("login").value = '<%= (String)request.getAttribute("username") %>';
>> }
>> </script>
>>
>> Working:
>>
>> <%!
>> String cleanXSS(String value) {
>>     value = ESAPI.encoder().encodeForHTML(value);
>>     value = ESAPI.encoder().encodeForHTMLAttribute(value);
>>     value = ESAPI.encoder().encodeForJavaScript(value);
>>     value = ESAPI.encoder().encodeForCSS(value);
>>     return value;
>> }
>> %>
>>
>> <script>
>> function setUserName(){
>>     document.getElementById("login").value = '<%= cleanXSS( (String)request.getAttribute("username") ) %>';
>> }
>> </script>
>>
>> As you can see I expect the response to be updated with the ESAPI 
>> functions, but somewhere I lose the ESAPI. The idea for me is to 
>> centralize the output encoding so that it saves me time and effort.
>>
>> Appreciate if you have any pointers on the same.
>>
>> Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) | 319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com
>>
>>
>> _______________________________________________
>> OWASP-ESAPI mailing list
>> OWASP-ESAPI at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>>    


-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
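An added example, not code from this thread or from ESAPI itself, of what Jim's per-context advice looks like in Java: exactly one ESAPI encoder is chosen for the context a value is written into, and the stacked cleanXSS chain from the original post is kept alongside only to show that chaining encoders garbles the value instead of protecting it. It assumes an ESAPI 2.x classpath with ESAPI.properties configured; ContextEncoding and Context are hypothetical names.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

/** One ESAPI encoder per output context (hypothetical helper, assumes ESAPI.properties is on the classpath). */
public final class ContextEncoding {

    /** The context the JSP is about to write the value into; only the view code knows this. */
    public enum Context { HTML_BODY, HTML_ATTRIBUTE, JS_STRING, CSS_VALUE }

    /** Encode once, for the named context. Never stack these calls: each one escapes the previous one's output. */
    public static String encodeFor(Context ctx, String value) {
        if (value == null) {
            return "";
        }
        Encoder enc = ESAPI.encoder();
        switch (ctx) {
            case HTML_BODY:      return enc.encodeForHTML(value);          // text between tags
            case HTML_ATTRIBUTE: return enc.encodeForHTMLAttribute(value); // quoted attribute value
            case JS_STRING:      return enc.encodeForJavaScript(value);    // inside a JS string literal
            case CSS_VALUE:      return enc.encodeForCSS(value);           // inside a CSS property value
            default: throw new IllegalArgumentException("unknown context: " + ctx);
        }
    }

    /** The stacked chain from the original post, reproduced only to show the double encoding it produces. */
    public static String stackedEncode(String value) {
        Encoder enc = ESAPI.encoder();
        return enc.encodeForCSS(enc.encodeForJavaScript(enc.encodeForHTMLAttribute(enc.encodeForHTML(value))));
    }

    public static void main(String[] args) {
        // Constructed sample: a value that is hostile in both an HTML body and a JS string literal.
        String username = "O'Brien <script>";
        System.out.println("HTML body : " + encodeFor(Context.HTML_BODY, username));
        System.out.println("JS string : " + encodeFor(Context.JS_STRING, username));
        System.out.println("stacked   : " + stackedEncode(username));
        // For the <script> block in the thread, the JS_STRING encoder is the only one that applies:
        //   document.getElementById("login").value = '<%= ContextEncoding.encodeFor(ContextEncoding.Context.JS_STRING, username) %>';
    }
}
```

The stacked line prints the apostrophe and angle brackets escaped several times over, which is the "garbage in the login field" symptom rather than XSS protection; the single-context lines are what the cheat sheet asks for.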
