[Esapi-user] ESAPI development process

Ed Schaller schallee at darkmist.net
Wed Sep 8 17:51:48 EDT 2010


> I agree with Jeff. Encoders should never throw exceptions; they are so UI heavy 
> and we don't want JSPs and the like to throw exceptions (nor do we want 
> extensive exception handling requirements in UI code).
> 
> +1 for making this a config issue.

Sounds good to me as well. Having the choice is best and I'm ok with a
good default.

One thought before implementation, is it worth adding an encoder
attribute/feature/property/config level setting for this so it can be
chosen at runtime as well? Let me clarify a bit. Perhaps something like:

Codec#setConfig(String name, Object value)

could be added. If a dev wanted the specific instance to throw an
exception they could do something like:

myInstance.setConfig("org.owasp.esapi.codec.Encoder.throwOnInvalid", true);

or a different replacement:

myInstance.setConfig("org.owasp.esapi.codec.Encoder.invalidReplacement", 'X');

with constants for known names. The default would come from the config.

This would allow future or codec specific settings without API changes.

Thoughts?

>>>------>
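
The per-instance override described in the message above, as an added sketch that is not part of the original post and is not ESAPI's actual API. The class names, the toy percent-decoder, the GLOBAL_DEFAULTS map standing in for the global configuration, and the default values are all assumptions made for illustration; only the two setting names come from the message.

```java
import java.util.HashMap;
import java.util.Map;
// Hypothetical sketch of the proposed Codec#setConfig; not ESAPI's actual API.
public class ConfigurableCodecDemo {
    // Constants for the known setting names (names taken from the message).
    static final String THROW_ON_INVALID = "org.owasp.esapi.codec.Encoder.throwOnInvalid";
    static final String INVALID_REPLACEMENT = "org.owasp.esapi.codec.Encoder.invalidReplacement";
    // Stand-in for the global configuration that supplies defaults (assumed values).
    static final Map<String, Object> GLOBAL_DEFAULTS = new HashMap<>();
    static {
        GLOBAL_DEFAULTS.put(THROW_ON_INVALID, Boolean.FALSE);
        GLOBAL_DEFAULTS.put(INVALID_REPLACEMENT, '?');
    }
    // Toy percent-decoder, present only to give the settings an invalid-input case.
    static class PercentCodec {
        private final Map<String, Object> overrides = new HashMap<>();
        void setConfig(String name, Object value) { overrides.put(name, value); }
        // Instance override wins; otherwise fall back to the global default.
        private Object config(String name) {
            return overrides.containsKey(name) ? overrides.get(name) : GLOBAL_DEFAULTS.get(name);
        }
        String decode(String in) {
            StringBuilder out = new StringBuilder();
            for (int i = 0; i < in.length(); i++) {
                char c = in.charAt(i);
                if (c != '%') { out.append(c); continue; }
                int hi = i + 1 < in.length() ? Character.digit(in.charAt(i + 1), 16) : -1;
                int lo = i + 2 < in.length() ? Character.digit(in.charAt(i + 2), 16) : -1;
                if (hi >= 0 && lo >= 0) {
                    out.append((char) (hi * 16 + lo));
                    i += 2;
                } else if (Boolean.TRUE.equals(config(THROW_ON_INVALID))) {
                    throw new IllegalArgumentException("invalid escape at index " + i);
                } else {
                    out.append(config(INVALID_REPLACEMENT)); // consume only the '%'
                }
            }
            return out.toString();
        }
    }

    public static void main(String[] args) {
        PercentCodec lenient = new PercentCodec();   // uses the global defaults
        System.out.println(lenient.decode("a%41b%zz"));
        lenient.setConfig(INVALID_REPLACEMENT, 'X'); // per-instance replacement
        System.out.println(lenient.decode("a%41b%zz"));
        PercentCodec strict = new PercentCodec();    // per-instance fail-closed
        strict.setConfig(THROW_ON_INVALID, true);
        try { strict.decode("a%41b%zz"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

With this shape, UI-facing callers keep the non-throwing default while a validation path can opt one instance into rejecting malformed input.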