[Esapi-user] [Esapi-dev] Response Splitting

Kevin W. Wall kevin.w.wall at gmail.com
Tue Jan 25 22:30:29 EST 2011


On 01/25/2011 09:57 PM, Jeff Williams wrote:
[SNIP]
> Ahh wait – you’re talking about specifically using
> ESAPIFilter/SafeRequest/SafeResponse, aren’t you?  I’m suggesting
> the use of targeted wrappers to prevent header injection.  I do believe
> that the ESAPIFilter has caused issues since it does everything.  But I
> see no problem with the idea of ResponseWrappers in general.

I think a JavaEE Servlet Filter is exactly what Jim was referring to. I think
using targeted wrappers is a better approach and I would expect it to have
minimal performance impact. OTOH, we could do much better on optimizing
ESAPIFilter.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
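A sketch of the kind of targeted response wrapper discussed above, added here as an illustration; it is not code from ESAPI or from either poster. The class names, the choice of CR, LF and NUL as the rejected characters, the set of overridden methods and the 400 response on a violation are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical targeted filter: wraps only the response and checks only the
// calls that emit headers, rather than intercepting everything the way ESAPIFilter does.
public class HeaderSplittingFilter implements Filter {
    static final class HeaderSplitAttempt extends IllegalArgumentException {
        HeaderSplitAttempt(String msg) { super(msg); }
    }
    // Returns the value unchanged if it cannot end the current header line.
    // CR, LF and NUL are the characters that would let a value start a new header or the body.
    static String requireSingleLine(String field, String value) {
        if (value == null) return null;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') {
                throw new HeaderSplitAttempt("illegal character in " + field + " at index " + i);
            }
        }
        return value;
    }
    // The wrapper itself: every method that turns a String into a response header is checked.
    static final class SafeHeadersResponse extends HttpServletResponseWrapper {
        SafeHeadersResponse(HttpServletResponse r) { super(r); }
        @Override public void setHeader(String n, String v) {
            super.setHeader(requireSingleLine("header name", n), requireSingleLine("header value", v));
        }
        @Override public void addHeader(String n, String v) {
            super.addHeader(requireSingleLine("header name", n), requireSingleLine("header value", v));
        }
        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(requireSingleLine("Location", location));
        }
        @Override public void addCookie(Cookie c) {
            requireSingleLine("cookie name", c.getName());
            requireSingleLine("cookie value", c.getValue());
            super.addCookie(c);
        }
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        try {
            chain.doFilter(req, new SafeHeadersResponse(http));
        } catch (HeaderSplitAttempt e) {
            // Fail closed: refuse the response rather than emit a header the application did not intend.
            if (!http.isCommitted()) http.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Because only the header-emitting methods are overridden, the wrapper costs a few character scans per header and leaves request handling and body output untouched.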


