[Esapi-user] Fwd: Need help in using esapi.js in a JSP file

Mogare Amey Amey.Mogare at atosorigin.com
Tue May 10 08:38:43 EDT 2011

Hi Chris,


Thank you for the reply.

I have arranged the imports as you mentioned and the API is now running.

(By the way, I don't have access to send mails to the 'gmail' domain from my Atos Origin id. Hence you might have to reply to me from your OWASP id.)


But I don't understand how to use it to validate and clean the URL parameters.

Here is how I have written the test HTML:


<script type="text/javascript" language="JavaScript" src="./lib/log4js.js"></script>
<script type="text/javascript" language="JavaScript" src="./esapi.js"></script>
<script type="text/javascript" language="JavaScript" src="./resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
<script type="text/javascript" language="JavaScript" src="./resources/Base.esapi.properties.js"></script>

<script type="text/javascript" language="JavaScript">
    // Set any custom configuration options here or in an external js file that gets sourced in above.
    Base.esapi.properties.logging['ApplicationLogger'] = {
        Level: org.owasp.esapi.Logger.ALL,
        Appenders: [ new Log4js.ConsoleAppender() ],
        LogUrl: true,
        LogApplicationName: true,
        EncodingRequired: true
    };

    Base.esapi.properties.application.Name = "My Application v1.0";

    // Initialize the api (creates the $ESAPI global used below)
    org.owasp.esapi.ESAPI.initialize();

    // Using the logger
    //$ESAPI.logger().getLogger('ApplicationLogger').info(org.owasp.esapi.Logger.EventType.EVENT_SUCCESS, 'This is a test message');

    // Using the encoder
    // Test input: a whole URL whose fuzzysearch parameter carries %27%3balert%281%29// (';alert(1)//)
    var urlparam = "/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8%26portal=ce.globalapps.atosorigin.com%26token=%26text=x%26selScope=%26advanced=0%26search-btn-submit=Search%26precision=%26strategy=%26sort=globalrelevance.desc%26after=%26before=%26sourcecsv1=%26doctype=%26docformat=%26questionlanguage=autodetect%26documentlanguages=%26treepath-0=%26phonetics=1%26fuzzysearch=1%27%3balert%281%29//&system=SINEQUA_Search_System&windowId=WID1290076312917&NavigationTarget=ROLES%3Aportal_content%2Fcom.atosorigin.layout.AoPortalLayoutFolder%2Fcom.atosorigin.layout.iViews%2Fcom.atosorigin.atosSearch&RelativeNavBase=&Command=SUSPEND&SerPropString=&SerKeyString=&SerAttrKeyString=&DebugSet=&Embedded=true&SessionKeysAvailable=true";

    if( $ESAPI.validator().isValidInput("URLContext", urlparam, "URL", urlparam.length, false) ) {
        alert("isValidInput = true");
    } else {
        alert("isValidInput = false");
    }

    var op = $ESAPI.encoder().encodeForURL( urlparam );
    document.write("<br><br><a href=\""+op+"\">"+op+"</a>");
</script>






As you can see, this URL contains malicious script in one of the URL parameters.


Now here I am facing two issues:

1.    The isValidInput method is always returning 'true' in spite of the URL containing scripts.

How do I find out if any URL is containing XSS code?

2.    The output given by the encodeForURL() method doesn't remove the XSS code. When I run this URL (along with the correct host & port), it still gives an alert box!

How do I get rid of malicious content from URL?


Also, I need the JAR version of this API as I want to use it in a .java file.

I downloaded “esapi-2.0_rc11-dist.zip” but it has “esapi-2.0_rc11.jar”.

When I imported the JAR file into my java class, it gave the following error:


Code: System.out.println("ESAPI.accessController found: " + ESAPI.accessController());

java.lang.UnsupportedClassVersionError: org/owasp/esapi/ESAPI (Unsupported major.minor version 49.0)
      at java.lang.ClassLoader.defineClass0(Native Method)
      at java.lang.ClassLoader.defineClass(ClassLoader.java:539)
      at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
      at java.net.URLClassLoader.defineClass(URLClassLoader.java:251)
      at java.net.URLClassLoader.access$100(URLClassLoader.java:55)
      at java.net.URLClassLoader$1.run(URLClassLoader.java:194)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.net.URLClassLoader.findClass(URLClassLoader.java:187)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:289)
      at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:274)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:235)
      at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:302)
      at XssTestMain.main(XssTestMain.java:26)
Exception in thread "main"



Thank you.


With warm regards,

Amey Mogare

Atos Origin India | SAP NetWeaver/ EP/ Web Dynpro | Nessie NDC : Production Line - SAP | Email : Amey.mogare at atosorigin.com <mailto:Amey.mogare at atosorigin.com>  | Office : +91-22-6733-3732 | Mobile : +91-9820-303-464
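The two questions above (why isValidInput accepts the URL, and why encodeForURL does not stop the alert) as an added, self-contained example. This is not esapi4js or ESAPI code and is not from the original post: the encoders are small stand-ins that follow ESAPI's context split (HTML, HTML attribute, JavaScript string, URL), the per-parameter patterns are assumptions about the application's fields, the inline-script sink is an assumption inferred from the ';alert(1)// shape of the payload, and the URL is the posted one with the unrelated parameters dropped.

```javascript
'use strict';

// Added example (not esapi4js or ESAPI code). It takes the posted URL apart, shows why
// a URL-shaped validity check accepts the payload, applies a per-parameter allow-list
// check that rejects it, and shows which output encoding neutralises it in each
// rendering context. The encoders follow ESAPI's context split but are stand-ins.

// Constructed: the posted URL with the unrelated parameters dropped. The payload sits in
// the inner, once-percent-encoded query: %27%3balert%281%29// decodes to ';alert(1)//
const POSTED_URL =
  '/search/search%3Fdomain=sinequa%26fuzzysearch=1%27%3balert%281%29//' +
  '&system=SINEQUA_Search_System&Embedded=true';

// Issue 1. Every byte of the payload is a legal URL character (RFC 3986 sub-delims
// ' ; ( ) and the path character /), so a rule asking "is this a URL?" accepts it.
// Node's WHATWG URL parser accepts the whole string as well.
function isSyntacticallyValidUrl(s) {
  try { new URL(s, 'http://example.test'); return true; } catch (e) { return false; }
}

// Decode one level and split the query into name -> value. The inner %26 separators
// become ordinary & after one decode, so the inner parameters surface here.
function parseQuery(url) {
  const decoded = decodeURIComponent(url);          // throws on a malformed %xx
  const q = decoded.indexOf('?');
  const params = new Map();
  if (q < 0) return params;
  for (const pair of decoded.slice(q + 1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    params.set(eq < 0 ? pair : pair.slice(0, eq), eq < 0 ? '' : pair.slice(eq + 1));
  }
  return params;
}

// Validate each parameter against what it is allowed to be, not the URL as a whole.
// The patterns are assumptions about this application (fuzzysearch is a 0/1 flag in
// the posted URL). Unknown parameter names are rejected.
const RULES = { fuzzysearch: /^[01]$/, domain: /^[a-z0-9-]{1,64}$/ };

function isValidInput(name, value) {
  const rule = RULES[name];
  return rule !== undefined && rule.test(value);
}

// Output encoders, one per context: encode for the context being written into.
function encodeForHTML(s) {            // text between tags
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, c => map[c]);
}

function encodeForHTMLAttribute(s) {   // inside a quoted attribute value
  return String(s).replace(/[^A-Za-z0-9,._-]/gu,
    c => '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

function encodeForJavaScript(s) {      // inside a JS string literal
  return String(s).replace(/[^A-Za-z0-9]/g, c => {   // per UTF-16 unit, surrogates stay paired
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

const encodeForURL = encodeURIComponent;   // leaves ' ( ) untouched; it protects the URL, nothing else

// Issue 2. URL encoding does not "remove" the script because it is not meant to. The
// receiving page decodes the parameter and, judging by the ';alert(1)// shape, writes it
// into an inline script, e.g. <script>var fuzzy = '<%= fuzzysearch %>';</script>
// (assumption). This models that sink with new Function and records whether alert ran.
function runScriptSink(value, encode) {
  const body = "var fuzzy = '" + encode(value) + "'; return fuzzy;";
  let alertCalled = false;
  const fuzzy = new Function('alert', body)(() => { alertCalled = true; });
  return { alertCalled, fuzzy };
}

// The poster's document.write of a link, with one encoder per context: the value is
// URL-encoded into the query, the URL is attribute-encoded into href and HTML-encoded
// as the visible link text.
function buildSafeLink(base, name, value) {
  const href = base + '?' + encodeForURL(name) + '=' + encodeForURL(value);
  return '<a href="' + encodeForHTMLAttribute(href) + '">' + encodeForHTML(href) + '</a>';
}

function demo() {
  const payload = parseQuery(POSTED_URL).get('fuzzysearch');   // "1';alert(1)//"
  return {
    urlLooksValid: isSyntacticallyValidUrl(POSTED_URL),        // true: the check is too coarse
    paramIsValid: isValidInput('fuzzysearch', payload),        // false: the right check
    rawAlertFired: runScriptSink(payload, s => s).alertCalled, // true: injected code ran
    encodedSink: runScriptSink(payload, encodeForJavaScript),  // alert not fired, value intact
    link: buildSafeLink('/search/search', 'fuzzysearch', payload),
  };
}

console.log(demo());
```

Run with `node` and compare `rawAlertFired` with `encodedSink.alertCalled`: the same parameter value is harmless once it is encoded for the JavaScript-string context it lands in, and the string the page receives is still the exact value the user sent. Validation is applied to the decoded parameter value against a pattern for that field; a URL-typed check on the whole request string cannot catch anything that is itself a legal URL.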


From: Chris Schmidt [mailto:chrisisbeef at gmail.com] 
Sent: Monday, May 09, 2011 9:33 PM
To: Jim Manico; Mogare Amey
Subject: Re: Fwd: [Esapi-user] Need help in using esapi.js in a JSP file


Interesting that this e-mail never came to me :(

Anyhow, it sounds like you may have the loading order slightly off. Please ensure the correct order as specified below.

<!-- esapi4js dependencies -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/lib/log4js.js"></script>
<!-- esapi4js core -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/esapi.js"></script>
<!-- esapi4js i18n resources -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
<!-- esapi4js configuration -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/resources/Base.esapi.properties.js"></script>

As an aside, I should note that the jquery-encoder is a much more mature Javascript Encoding library that I have built to address this exact problem. It can be downloaded via the jQuery-Plugins Repository and may be a better solution to your problem.


On 5/9/2011 4:39 AM, Jim Manico wrote: 

Jim Manico

Begin forwarded message:

	From: "Mogare Amey" <Amey.Mogare at atosorigin.com>
	Date: May 9, 2011 5:56:33 AM EDT
	To: <esapi-user at lists.owasp.org>
	Subject: [Esapi-user] Need help in using esapi.js in a JSP file



	I am trying to test the encodeForURL facility of the esapi.js file in the following way:


	1.    Downloaded 'esapi4js-0.1.3.zip'

	2.    Extracted it inside "C:\AMEY\Nessie\Tickets\JUL 2011\UKC4032285-Portculliss security\MyTESTs\esapi\esapi4js-0.1.3"

	3.    Created a new 'MyESAPITest.htm' file inside the same folder as in step 2 (attached file)

	4.    But when I run this htm file, it gives the following error:


	Webpage error details


	User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

	Timestamp: Mon, 9 May 2011 09:52:39 UTC


	Message: Object expected

	Line: 14

	Char: 1

	Code: 0

	URI: file:///C:/AMEY/Nessie/Tickets/JUL%202011/UKC4032285-Portculliss%20security/MyTESTs/esapi/esapi4js-0.1.3/resources/Base.esapi.properties.js


	Can you please tell me what is going wrong here?


	I want to use this esapi.js library inside a jsp to validate user input to avoid XSS attacks. 


	Please help.


	Thank you.


	With warm regards,

	Amey Mogare


Esapi-user mailing list
Esapi-user at lists.owasp.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20110510/83ee7136/attachment.html 
