[Esapi-user] [Esapi-dev] Response Splitting

Kevin W. Wall kevin.w.wall at gmail.com
Tue Jan 25 22:30:29 EST 2011

On 01/25/2011 09:57 PM, Jeff Williams wrote:
> Ahh wait – you’re talking about specifically using
> ESAPIFilter/SafeRequest/SafeResponse, aren’t you?  I’m suggesting
> the use of targeted wrappers to prevent header injection.  I do believe
> that the ESAPIFilter has caused issues since it does everything.  But I
> see no problem with the idea of ResponseWrappers in general.

I think a JavaEE Servlet Filter is exactly what Jim was referring to. I think
using targeted wrappers is a better approach and I would expect it to have
minimal performance impact. OTOH, we could do much better on optimizing

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
