[Esapi-user] Using esapi4js without log4js

Chris Schmidt chris.schmidt at owasp.org
Thu Jan 5 04:48:22 UTC 2012


Eashwaran -

FWIW, ESAPI4JS should be evaluated heavily before use in a production
app - when I released it, it was as a proof of concept implementation
and was never meant to be used in production code. That being said,
depending on what you are planning to do with the library I can recommend
the jq-encoder [1] jQuery plugin to address client-side encoding
concerns (DOM-Based XSS). Also, as a further disclaimer, it should be
noted that in 99% of cases, javascript does not provide ample support
against attack and should not be relied on as a single line of defense
against XSS attacks (or any other attacks for that matter) - up until
*very* recently, it was possible for an attacker to bypass javascript
protection completely by exploiting xss that existed prior to the use
(and consequential loading) of the library, or by abusing the mutable
nature of javascript objects and functions and removing the library from
use as part of their attack.

All that said, if you are dead-set on using ESAPI4JS, then awesome! I
look forward to hearing how it works for you! The Log4JS library is
indeed a dependency in the default installation of ESAPI4JS, however -
you can remove this dependency by defining a different implementation of
the Logger in your configuration object. This can simply be a no-op
logger or a wrapper around any other logger you may want to use. If
you wish to continue using Log4JS as the Logger implementation, you can
configure Log4JS to use a different appender [2].

[1] http://software.digital-ritual.net/jqencoder/
[2] http://log4js.berlios.de/docu/users-guide.html#configuration

Hope this helps you out, and let me know if you have additional questions!

Cheers,
Chris
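As an added example (not code from Chris's reply or from the ESAPI4JS project), here is a popup-free Logger of the kind described above: a wrapper that forwards to the browser console or, with no sink, silently drops everything, so nothing ever reaches a Log4JS popup appender. The method names mirror the ESAPI Logger contract; the `getLogger` factory shape and the configuration key named in the comment are assumptions about ESAPI4JS, not verified API.

```javascript
// Added example, not ESAPI4JS project code. Assumed: ESAPI4JS resolves
// loggers through a configured implementation exposing getLogger(name).
var LEVELS = { OFF: 0, FATAL: 1, ERROR: 2, WARNING: 3, INFO: 4, DEBUG: 5, TRACE: 6 };

// Build a logger with fatal/error/warning/info/debug/trace methods and the
// matching isXxxEnabled checks. Messages at or below `level` go to `sink`;
// the rest are dropped. With no sink the logger is a true no-op.
function createQuietLogger(moduleName, level, sink) {
  var threshold = LEVELS[level] === undefined ? LEVELS.WARNING : LEVELS[level];
  var logger = {};
  Object.keys(LEVELS).forEach(function (name) {
    if (name === 'OFF') return;
    var method = name.toLowerCase();
    // Returns true when the entry was delivered to the sink, false if dropped.
    logger[method] = function (eventType, message, exception) {
      if (LEVELS[name] > threshold || typeof sink !== 'function') return false;
      sink({ module: moduleName, level: name, type: eventType,
             message: String(message), exception: exception || null });
      return true;
    };
    logger['is' + name.charAt(0) + method.slice(1) + 'Enabled'] = function () {
      return LEVELS[name] <= threshold;
    };
  });
  return logger;
}

// A sink that wraps the console instead of opening a window; errors and
// fatals go to console.error so they stay visible in the devtools filter.
function consoleSink(entry) {
  var line = '[' + entry.level + '] ' + entry.module + ': ' + entry.message;
  if (LEVELS[entry.level] <= LEVELS.ERROR) { console.error(line); } else { console.log(line); }
}

// Factory in the shape a Logger implementation is assumed to expose.
function quietLogFactory(level, sink) {
  return {
    getLogger: function (moduleName) { return createQuietLogger(moduleName, level, sink); }
  };
}

// Assumed configuration hook (illustrative key name, not verified):
// Base.esapi.properties.logging.Implementation = quietLogFactory('ERROR', consoleSink);
```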

On 1/4/2012 6:52 PM, eashwaran.padmanabhaswamy at aciworldwide.com wrote:
>
> Hello Chris,
>
> I'm using OWASP esapi4js 0.1.3.  Whenever my scripts encounter a
> javascript exception, like script errors, a popup window is used
> for displaying the errors.  I would prefer not to use popup window.  I
> was wondering if it is possible to tell esapi4js or log4js (via
> esapi4js) to not use popup windows.
>
> The only way I found to disable the popup behaviour is to not include
> the log4js.js file.  But I wanted to check with you first, if it is
> even okay to use the esapi4js.js without including the log4js.js!  Is
> there any dependency in esapi4js on log4js? Will esapi4js function
> just as well without the inclusion of log4js?
>
> I'm aware that we can use popup-blockers to block popup windows.  But
> I face a peculiar problem with Firefox (versions 8 and 9, and maybe
> some previous ones too) and the popup window thrown by log4js, when
> popup blocker is used with Firefox.  Firefox reports that it has
> blocked a few hundred popup windows and shows a dialog about a runaway
> script; essentially Firefox hangs!  Chrome and IE decently just
> show me the 'blocked popup' message and continue on.  But irrespective
> of this Firefox hang, I'd like to use ESAPI4JS without the popup
> windows.  I was wondering if that is possible.  I've googled on this
> topic, but didn't encounter any solutions or suggestions/advice on
> using esapi4js without log4js.
>
> Thanks in advance for your help!
>
> Regards,
>
> Eashwaran Padmanabhaswamy
> ACI Worldwide
> 770-664-9053
> eashwaran.padmanabhaswamy at aciworldwide.com
>
> This e-mail message and any attachments may contain confidential,
> proprietary or non-public information.  This information is intended
> solely for the designated recipient(s).  If an addressing or
> transmission error has misdirected this e-mail, please notify the
> sender immediately and destroy this e-mail.  Any review,
> dissemination, use or reliance upon this information by unintended
> recipients is prohibited.  Any opinions expressed in this e-mail are
> those of the author personally.
>
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user