[Esapi-user] HTMLEntityCodec and optional semicolon for named entities

Jim Manico jim.manico at owasp.org
Wed Oct 19 14:49:25 EDT 2011


To be more specific:

This is the version of getValidInput that you want. It disables 
canonicalization:

http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Validator.html#getValidInput(java.lang.String, java.lang.String, java.lang.String, int, boolean, boolean)

So instead of:

org.owasp.esapi.ESAPI.validator().getValidInput("userURL",
request.getParameter("userURL"), "HTTPURL", 2000, true);


Do this:

org.owasp.esapi.ESAPI.validator().getValidInput("userURL",
request.getParameter("userURL"), "HTTPURL", 2000, true, false);

- Jim
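An added illustration of why the canonicalize flag matters for URL input; this is not code from Jim's message or from ESAPI. Python's html.unescape stands in for a lenient HTML entity decoder that, as the thread's subject describes for HTMLEntityCodec, treats the trailing semicolon of well-known named entities as optional. The validator is a constructed minimal model of the two getValidInput overloads (canonicalize on versus off), and the sample URLs are constructed.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample inputs (not from the original message).
SAMPLE_URLS = [
    "http://example.com/?user=1&copy=2",   # "&copy" is a named entity, ';' optional
    "http://example.com/?lang=en&para=3",  # "&para" likewise
    "http://example.com/?q=hello&x=1",     # "&x" is not an entity, left alone
]


def decode_entities_optional_semicolon(text):
    """Decode HTML entities the way a lenient decoder does: the trailing ';'
    is optional for well-known named entities (e.g. '&copy' -> '\u00a9').
    html.unescape has exactly this behaviour; it is a stand-in here for
    ESAPI's HTMLEntityCodec, not that codec itself."""
    return html.unescape(text)


def validate_http_url(raw, canonicalize):
    """Constructed minimal HTTP URL validator modelled on getValidInput:
    optionally canonicalize (decode entities) first, then require an
    http/https scheme, a host, and a conservative ASCII URL alphabet.
    Returns (accepted, value_seen_by_validator, query_params)."""
    value = decode_entities_optional_semicolon(raw) if canonicalize else raw
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False, value, {}
    # A strict allow-list validator rejects the non-ASCII '\u00a9' that
    # canonicalization produced from a perfectly ordinary '&copy=' parameter.
    if not re.fullmatch(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+", value):
        return False, value, {}
    return True, value, parse_qs(parsed.query)


def compare(raw):
    """Run the same input through both validator modes."""
    return {
        "canonicalized": validate_http_url(raw, canonicalize=True),
        "raw": validate_http_url(raw, canonicalize=False),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = compare(u)
        print(u)
        print("  with canonicalization   :", r["canonicalized"])
        print("  without canonicalization:", r["raw"])
```

With canonicalization on, `?user=1&copy=2` is rewritten to `?user=1©=2` before validation, so either the validator rejects a legitimate URL or, if it were looser, a mangled value reaches the application; with canonicalization off (the six-argument overload with `false`), the `copy` query parameter survives intact. Canonicalization is still the right default for free-form text; the point is that a URL's own `&`-delimited syntax collides with entity decoding.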