[Esapi-user] [Esapi-dev] Validate canonicalization options

Jim Manico jim.manico at owasp.org
Fri Sep 3 22:46:49 EDT 2010


> What does the javadoc comment "Only URL encoding is supported" mean? 

 

Honestly, I'm not sure - I'll change it. It was there before me.

 

From: Jeff Williams [mailto:jeff.williams at aspectsecurity.com] 
Sent: Friday, September 03, 2010 4:09 PM
To: Jim Manico; esapi-user at lists.owasp.org; ESAPI-Developers
Subject: RE: [Esapi-dev] Validate canonicalization options

 

I took a look and I *guess* I can live with the new signatures.  I hope
developers don't disable canonicalization after their first error.

 

What does the javadoc comment "Only URL encoding is supported" mean?  I
think the default encoder supports html encoding, URL encoding, and
javascript escaping.

 

--Jeff

 

 

From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Friday, September 03, 2010 7:30 PM
To: esapi-user at lists.owasp.org; 'ESAPI-Developers'
Subject: [Esapi-dev] Validate canonicalization options

 

Hello Folks,

 

I added 3 new functions to the ESAPI 2.0 Validator interface adding the
ability to disable canonicalization - these are implemented in the reference
implementation as well. (svn checkin 1512 and 1513)

 

boolean isValidInput(String context, String input, String type,
        int maxLength, boolean allowNull, boolean canonicalize)
        throws IntrusionException;

String getValidInput(String context, String input, String type,
        int maxLength, boolean allowNull, boolean canonicalize)
        throws ValidationException, IntrusionException;

String getValidInput(String context, String input, String type,
        int maxLength, boolean allowNull, boolean canonicalize,
        ValidationErrorList errorList)
        throws IntrusionException;

 

I also *disabled* canonicalization for getSafeHTML by default, since it
breaks HTML. (svn checkin 1514)

 

Acceptable? I'd like to push this for 2.0 rc8

 

- Jim
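
The following is an added example, not part of the original thread and not ESAPI code: a self-contained sketch of what a canonicalize flag like the one in the signatures above changes for a validation check. The class name, the COMMENT pattern, the percent-decoding stand-in and the use of SecurityException in place of IntrusionException are all assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class CanonicalizeFlagDemo {
    // Hypothetical validation type where '%' is legitimate text, e.g. "50% off".
    static final Pattern COMMENT = Pattern.compile("^[A-Za-z0-9 .,%_-]{0,64}$");

    // Decode each well-formed %XX escape once (as one Latin-1 char); keep a stray '%'.
    static String decodeOnce(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == '%' && i + 2 < s.length()) {
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi >= 0 && lo >= 0) {
                    out.append((char) (hi * 16 + lo));
                    i += 2;
                    continue;
                }
            }
            out.append(s.charAt(i));
        }
        return out.toString();
    }

    // Stand-in for strict canonicalization: input still encoded after one
    // decode is treated as an attack (SecurityException is a placeholder).
    static String canonicalize(String input) {
        String once = decodeOnce(input);
        if (!decodeOnce(once).equals(once)) {
            throw new SecurityException("multiple encoding detected");
        }
        return once;
    }

    // Same shape as isValidInput(..., boolean canonicalize): validate the
    // canonical form when the flag is on, the raw input when it is off.
    static boolean isValid(String input, boolean canonicalize) {
        String value = canonicalize ? canonicalize(input) : input;
        return COMMENT.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed samples: plain text, single-encoded markup, double-encoded markup.
        for (String s : new String[] {"50% off", "%3Cb%3Ehi", "%253Cb%253E"}) {
            String strict;
            try { strict = String.valueOf(isValid(s, true)); }
            catch (SecurityException e) { strict = "rejected: " + e.getMessage(); }
            System.out.println(s + " | off=" + isValid(s, false) + " | on=" + strict);
        }
    }
}
```

With the flag off, all three samples match the pattern, so the encoded markup is accepted as-is and any later decoding step sees it unvalidated; with the flag on, only "50% off" is accepted.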
