[Esapi-user] [Esapi-dev] URL Validation and Encoding

Jim Manico jim.manico at owasp.org
Thu Sep 23 01:58:11 EDT 2010

We can add a second encoder for relative URLs, but the programmer would
need to specify the domain, using one of the other URL constructors, like:
  new URL("http", "www.gamelan.com", "/pages/Gamelan.net.html");

And ESAPI would provide:

ESAPI.encoder().encodeCompleteURL(String URL);
ESAPI.encoder().encodeURLParameter(String data); //Javascript calls this a
ESAPI.encoder().encodeRelativeURL(String root, String relativeURL);

As well as

ESAPI.validator().assertValidCompleteURL(String url) throws
ESAPI.validator().assertValidRelativeURL(String root, String relativeURL)
throws ValidationException;
boolean ESAPI.validator().isValidCompleteURL(String url);
boolean ESAPI.validator().isValidRelativeURL(String root, String

- Jim
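An added example (not ESAPI code and not from either poster) sketching how the proposed isValidRelativeURL(root, relativeURL) could be built on java.net.URL; the scheme allowlist, class name and the rejection rules are assumptions for this example.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Illustrative sketch of the validator method proposed in the thread (hypothetical class). */
public class RelativeUrlCheck {
    // Assumed allowlist of schemes; a real validator would take this from policy.
    private static final Set<String> ALLOWED_SCHEMES =
            new HashSet<>(Arrays.asList("http", "https"));

    /** Resolve relativeURL against root and accept it only if it stays on root's origin. */
    public static boolean isValidRelativeURL(String root, String relativeURL) {
        try {
            URL base = new URL(root);
            URL resolved = new URL(base, relativeURL); // standard relative resolution
            // An input that smuggles its own scheme or authority (e.g. "//other.host/")
            // resolves away from the root, so compare scheme, host and port explicitly.
            return ALLOWED_SCHEMES.contains(resolved.getProtocol())
                    && resolved.getProtocol().equals(base.getProtocol())
                    && resolved.getHost().equalsIgnoreCase(base.getHost())
                    && resolved.getPort() == base.getPort();
        } catch (MalformedURLException e) {
            // Thrown for syntax errors and also for any scheme without a registered
            // protocol handler, which is the java.net.URL limitation raised in this thread.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String root = "http://www.gamelan.com/";
        System.out.println(isValidRelativeURL(root, "/pages/Gamelan.net.html")); // true
        System.out.println(isValidRelativeURL(root, "//other.example/x"));        // false
        System.out.println(isValidRelativeURL(root, "ftp://www.gamelan.com/x"));  // false
        // A scheme with no protocol handler cannot even be constructed as a java.net.URL.
        try {
            new URL("ssh://www.gamelan.com/");
        } catch (MalformedURLException e) {
            System.out.println(e.getMessage()); // unknown protocol: ssh
        }
    }
}
```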

-----Original Message-----
From: Ed Schaller [mailto:schallee at darkmist.net] 
Sent: Wednesday, September 22, 2010 4:44 PM
To: augustd
Cc: Jim Manico; ESAPI-Developers; esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] [Esapi-dev] URL Validation and Encoding

> This should be easy enough to do with built-in methods of java.net.URL
> getProtocol(), getHost(), getPath(), etc.

Just to be the devil's advocate here, what happens if the URL the
developer wants to support doesn't have a protocol handler? Is this
something we care about? If it is, java.net.URL won't work well, and
adding new protocol handlers has implications on ClassLoaders and Java 2
security.
