[Esapi-user] ESAPI development process

Jim Manico jim.manico at owasp.org
Wed Sep 8 23:36:04 EDT 2010

Can we just hard-code the replacement char? Is there a compelling reason to make it configurable? This is a big deal - I'd like to push this fix into both versions and soon.

Thanks for this, Ed.

-Jim Manico

On Sep 8, 2010, at 2:51 PM, Ed Schaller <schallee at darkmist.net> wrote:

>> I agree with Jeff. Encoders should never throw exceptions; they are so UI heavy 
>> and we don't want JSPs and the like to throw exceptions (nor do we want 
>> extensive exception handling requirements in UI code).
>> +1 for making this a config issue.
> Sounds good to me as well. Having the choice is best and I'm ok with a
> good default.
> One thought before implementation, is it worth adding a encoder
> attribute/feature/property/config level setting for this so it can be
> chosen at runtime as well? Let me clarify a bit. Perhaps something like:
> Codec#setConfig(String name, Object value)
> could be added. If a dev wanted the specific instance to throw an
> exception they could do something like:
> myInstance.setConfig("org.owasp.esapi.codec.Encoder.throwOnInvalid",
> true);
> or a different replacement:
> myInstance.setConfig("org.owasp.esapi.codec.Encoder.invalidReplacement",
> 'X');
> with constants for know names. The default would come from the config.
> This would allow future or codec specific settings without API changes.
> Thoughts?
>>>> ------>

More information about the Esapi-user mailing list