[Esapi-user] Fwd: ESAPI development process

Patrick Higgins patrick.allen.higgins at gmail.com
Fri Sep 10 13:54:40 EDT 2010


Forwarding to list because I accidentally left it off.

---------- Forwarded message ----------
On Fri, Sep 10, 2010 at 8:33 AM, Ed Schaller <schallee at darkmist.net> wrote:
> I'm not sure I'd like the codec configurations being unchangeable for
> all code in a container though.  I may want exceptions to be thrown
> for invalid characters in some of my code but not in my JSPs. As such I
> lean toward the factory route or something else where code that wants a
> codec with certain options can get one without affecting thread safety
> or codec options for other code.

My thought on this would be to just create two configurations. I think
having a single global ESAPI locator is a mistake. It's so easy to
just declare your own class with static volatile variables to locate
the configurations you need. For example,
MyESAPI.JSP_ENCODER.encodeForHTML() and
MyESAPI.SERVLET_ENCODER.encodeForHTML().

If you need more configurations, just create more instances.

--Patrick
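
The approach described in the message above, sketched as an added example that is not part of the original post or of ESAPI's own code. `HtmlEncoder` and its `strict` option are hypothetical stand-ins for a configured ESAPI encoder; only the `MyESAPI.JSP_ENCODER` and `MyESAPI.SERVLET_ENCODER` names come from the message.

```java
// Added illustration. HtmlEncoder and its "strict" option are hypothetical, not ESAPI classes.
public final class MyESAPI {
    /** Immutable after construction, so one instance is safe to share across threads. */
    public static final class HtmlEncoder {
        private final boolean strict; // true: throw on invalid characters; false: replace them
        public HtmlEncoder(boolean strict) { this.strict = strict; }
        public String encodeForHTML(String input) {
            StringBuilder out = new StringBuilder(input.length() + 16);
            for (int i = 0; i < input.length(); ) {
                int cp = input.codePointAt(i);
                i += Character.charCount(cp);
                if (isInvalid(cp)) {
                    if (strict) throw new IllegalArgumentException(String.format("invalid character U+%04X", cp));
                    out.append('\uFFFD'); // lenient: substitute the replacement character
                    continue;
                }
                switch (cp) {
                    case '&':  out.append("&amp;");  break;
                    case '<':  out.append("&lt;");   break;
                    case '>':  out.append("&gt;");   break;
                    case '"':  out.append("&quot;"); break;
                    case '\'': out.append("&#x27;"); break;
                    default:   out.appendCodePoint(cp);
                }
            }
            return out.toString();
        }

        private static boolean isInvalid(int cp) {
            boolean control = (cp < 0x20 && cp != '\t' && cp != '\n' && cp != '\r')
                    || (cp >= 0x7F && cp <= 0x9F);
            return control || (cp >= 0xD800 && cp <= 0xDFFF); // lone surrogate
        }
    }

    // The two locators named in the message; volatile so a swapped-in instance is visible to all threads.
    public static volatile HtmlEncoder JSP_ENCODER = new HtmlEncoder(false);
    public static volatile HtmlEncoder SERVLET_ENCODER = new HtmlEncoder(true);

    public static void main(String[] args) {
        String sample = "<b>hi\u0000</b>"; // constructed input containing a NUL character
        System.out.println(JSP_ENCODER.encodeForHTML(sample)); // markup escaped, NUL replaced
        try {
            SERVLET_ENCODER.encodeForHTML(sample);
        } catch (IllegalArgumentException e) {
            System.out.println("servlet encoder rejected input: " + e.getMessage());
        }
    }
}
```

Each encoder carries its own options, so choosing exceptions for servlet code does not change what JSPs in the same container see.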

