[Esapi-user] [OWASP-ESAPI] Implementation of Global Output Encoder with ESAPI

Kevin W. Wall kevin.w.wall at gmail.com
Fri May 7 21:12:22 EDT 2010

Jim Manico wrote:
>> Jim you are absolutely right - but there are some cases where you need
>> the *big hammer* approach.
> You are starting to sound like a WAF vendor. I think Imperva is hiring
> for sales....
> *ducks*

Ouch! Let's keep this a clean fight. No more hitting below the belt. :)

> <soapbox>
> Comon boys - Risk Management is often used to justify NOT doing the
> right thing. Around these parts we OUTPUT ENCODE CONTEXTUALLY FOR ALL
> </soapbox>

Jim is right. Remember the 4th point of the Rugged Software Manifesto:
	I recognize that my code will be used in ways I cannot anticipate,
	in ways it was not designed, and for longer than it was ever

That means that even if a filter will work _today_ in your code, there is
no guarantee that it will work in the future. As soon as someone starts
putting user input in some other context such as CSS, then your filter
will not work and your XSS problems are back.

It takes a lot of effort to write the code right...but not nearly as
much effort as it does if you write the code wrong.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
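An added example to make the point in Kevin's message concrete (this code is written for this page; it is not from the original thread and it is not ESAPI's own code). It models the failure mode described above: an HTML-entity encoder that works for today's HTML-body template is reused, unchanged, when a later developer drops the same value into an inline style attribute. The two encoder functions are simplified stand-ins whose names only echo the purpose of ESAPI's Encoder.encodeForHTML and encodeForCSS (an assumption, not their implementation), the two "parser" helpers are crude stand-ins for what a browser tokenizes, and both payloads are constructed for the example.

```python
import html
import re

# Constructed attacker inputs for this example (not taken from the original thread).
HTML_PAYLOAD = "<script>alert(1)</script>"
CSS_PAYLOAD = "red; background:url(javascript:alert(1))"


def encode_for_html(value: str) -> str:
    """HTML-context encoder: entity-escape & < > " ' so the value cannot open
    a tag or break out of a quoted attribute. Assumption: this only mirrors the
    purpose of ESAPI's Encoder.encodeForHTML; it is not ESAPI code."""
    return html.escape(value, quote=True)


def encode_for_css(value: str) -> str:
    """CSS-context encoder: hex-escape every non-alphanumeric character using
    CSS escape syntax (backslash, hex code, terminating space) so that ';' ':'
    '(' and ')' lose their CSS meaning. Assumption: this only mirrors the
    purpose of ESAPI's Encoder.encodeForCSS; it is not ESAPI code."""
    return "".join(
        ch if ch.isascii() and ch.isalnum() else "\\%x " % ord(ch)
        for ch in value
    )


# Two templates. The first exists today; the second is the one a colleague
# adds later, reusing the "already encoded" value in a context the original
# encoder was never chosen for.
def render_html_body(value: str) -> str:
    return f"<p>{value}</p>"


def render_inline_style(value: str) -> str:
    return f'<div style="color:{value}">'


def tags_seen_by_html_parser(markup: str) -> list[str]:
    """Crude stand-in for a browser tokenizer: which tag names are opened?"""
    return re.findall(r"<([a-zA-Z]+)", markup)


def declarations_seen_by_css_parser(markup: str) -> list[str]:
    """The browser HTML-decodes the style attribute first, then hands the
    result to the CSS parser, which splits declarations on literal ';'."""
    attr = re.search(r'style="([^"]*)"', markup).group(1)
    decoded = html.unescape(attr)
    return [d.strip() for d in decoded.split(";") if d.strip()]


def html_context_is_safe(value: str) -> bool:
    """True when the HTML-encoded value adds no tag to the HTML body."""
    return tags_seen_by_html_parser(render_html_body(encode_for_html(value))) == ["p"]


def css_context_is_safe(encoded: str) -> bool:
    """True when the value stays a single CSS declaration (color:...)."""
    return len(declarations_seen_by_css_parser(render_inline_style(encoded))) == 1


if __name__ == "__main__":
    # 1. The HTML encoder does its job in the context it was written for.
    print(html_context_is_safe(HTML_PAYLOAD))                    # True
    # 2. The same encoder reused in the CSS context: ';' ':' '(' ')' carry no
    #    HTML meaning, so they pass through and a second declaration appears.
    print(declarations_seen_by_css_parser(render_inline_style(encode_for_html(CSS_PAYLOAD))))
    print(css_context_is_safe(encode_for_html(CSS_PAYLOAD)))     # False
    # 3. Encoding for the actual output context keeps it one declaration.
    print(encode_for_css(CSS_PAYLOAD))
    print(css_context_is_safe(encode_for_css(CSS_PAYLOAD)))      # True
```

The second step is the "filter works today, breaks tomorrow" case: nothing in the HTML encoder is wrong, it was simply chosen for a context the data no longer lives in. Whether the injected declaration is itself exploitable depends on the browser (modern engines no longer run javascript: URLs from CSS), but the attacker now controls arbitrary style properties, which is exactly the class of problem contextual encoding at the point of output is meant to remove.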

