[Esapi-user] ESAPI with JSTL, EL and Spring tag library for output validation

John Melton jtmelton at gmail.com
Wed Jun 15 23:22:16 EDT 2011


Alex,
You might have already figured this out by now, but thought I'd respond in
case you hadn't. If I understand your question, you're just looking for
basic taglib functionality which is included already. You can see the
existing tags at
http://code.google.com/p/owasp-esapi-java/source/browse/#svn%2Ftrunk%2Fsrc%2Fmain%2Fjava%2Forg%2Fowasp%2Fesapi%2Ftags.
There is also a tld included you can find at
http://code.google.com/p/owasp-esapi-java/source/browse/trunk/configuration/META-INF/esapi.tld.
It does look like in my 2.0GA jar file something got messed up and the tld
wasn't included in the META-INF directory, which is a problem. I seem to
remember someone else brought this up before on the list, but can't find
that conversation at the moment. Regardless, when the build is fixed you
should be able to make it work by doing the following:

<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API" prefix="esapi" %>
<esapi:encodeForHTML>${myvar}</esapi:encodeForHTML>

(In the meantime ...) If your version of the 2.0GA jar is missing the
esapi.tld in the META-INF dir, then you can just copy the esapi.tld file to
your web directory, say under WEB-INF/tld/esapi.tld, and do the following:

<%@ taglib uri="/WEB-INF/tld/esapi.tld" prefix="esapi" %>
<esapi:encodeForHTML>${myvar}</esapi:encodeForHTML>

Hope this helps.
Thanks,
John
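
The following is an added example, not code from John's reply or from the ESAPI project. It shows, in plain Java, what the `<esapi:encodeForHTML>${myvar}</esapi:encodeForHTML>` tag does to a hostile value, and puts the other context-specific encoders beside it, since a value dropped into a Spring form tag's attribute, an inline script or a URL needs a different encoding than element content. It assumes ESAPI 2.x and a valid ESAPI.properties on the classpath; the class name, method names and the PAYLOAD string are constructed for the example.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.EncodingException;

/**
 * Added example (not code from the mailing-list post or from ESAPI itself).
 * Assumes ESAPI 2.x and a valid ESAPI.properties are on the classpath;
 * without the properties file the first ESAPI.encoder() call fails with a
 * ConfigurationException.
 */
public class EsapiOutputEncodingDemo {

    // Constructed sample: a value an attacker might have stored in "myvar".
    // It tries to break out of a quoted attribute as well as inject a script.
    static final String PAYLOAD =
        "<script>alert(document.cookie)</script>\" onmouseover=\"alert(1)";

    /** Equivalent of <esapi:encodeForHTML>${myvar}</esapi:encodeForHTML> in element content. */
    static String forHtmlBody(String untrusted) {
        return ESAPI.encoder().encodeForHTML(untrusted);
    }

    /** For a value placed inside a quoted attribute, e.g. the value="" a Spring form tag emits. */
    static String forHtmlAttribute(String untrusted) {
        return ESAPI.encoder().encodeForHTMLAttribute(untrusted);
    }

    /** For a value written into a JavaScript string literal inside an inline script. */
    static String forJavaScript(String untrusted) {
        return ESAPI.encoder().encodeForJavaScript(untrusted);
    }

    /** For a value used as a URL query parameter. encodeForURL is declared to throw. */
    static String forUrlParameter(String untrusted) throws EncodingException {
        return ESAPI.encoder().encodeForURL(untrusted);
    }

    public static void main(String[] args) throws EncodingException {
        // A bare ${myvar} in JSP 2.0 EL writes the raw value; compare it with each encoder.
        System.out.println("raw ${myvar}           : " + PAYLOAD);
        System.out.println("element content (HTML) : " + forHtmlBody(PAYLOAD));
        System.out.println("attribute value        : " + forHtmlAttribute(PAYLOAD));
        System.out.println("JavaScript string      : " + forJavaScript(PAYLOAD));
        System.out.println("URL parameter          : " + forUrlParameter(PAYLOAD));
    }
}
```

Two practical notes: a bare `${myvar}` in JSP 2.0 EL performs no escaping, whereas JSTL's `<c:out value="${myvar}"/>` escapes XML by default, so the ESAPI tag is the drop-in for places where `${...}` is used directly. Spring's form tags also honour their own `htmlEscape` attribute (and the `defaultHtmlEscape` context parameter) for the attribute values they generate; the ESAPI tag is for content you write into the page yourself.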

On Sat, Jun 11, 2011 at 2:08 PM, Alex <azlist1 at gmail.com> wrote:

> Hi,
> I am new to the list, sorry if my question is foolish or posted in the
> wrong place.
>
> I was wondering if there was a simple and standard way to clean up/validate
> output generated in JSP pages that use the JSTL alongside EL variables
> (e.g. ${foo})?
> Same question for Spring tag libraries such as Spring form tags (
> http://static.springsource.org/spring/docs/3.0.x/reference/spring-form.tld.html).
>
> The idea would be to use the ESAPI reference implementation to do this
> mostly to guard against XSS attacks and alike but I'm not sure where to
> start...
>
> Thank you for your help.