[Esapi-user] Regarding encoderforHTML in ESAPI

Kevin W. Wall kevin.w.wall at gmail.com
Mon Nov 26 02:37:19 UTC 2012


Hi Vijay.

On Sat, Nov 24, 2012 at 9:31 AM, viijay.mani <viijay.mani at gmail.com> wrote:
> Hi,
>
> So far I was using ESAPI1.4.5a.jar and now I am using 2.0GA
>
> Problem that i am facing is after encoding, the text inside
>  angle brackets is not coming in my application..

There were some bugs fixed in 2.0.1. I do not know if that was
one of them, but I do know that in 2.0.1, we have a test like this

        Encoder instance = ESAPI.encoder();
        ...
        // "<" and ">" come back as the named entities &lt; and &gt;
        assertEquals("&lt;script&gt;", instance.encodeForHTML("<script>"));

that should cover this case.

You also had mentioned in an earlier email to which I responded,
that you couldn't find the ESAPI.properties file because it wasn't
in the 2.0GA zip file.  So another question is where did you get
the ESAPI.properties file that you are now using? The one from
ESAPI 1.4.5 has many properties that are not compatible so you
really shouldn't use it. If you made customizations to the 1.4.5
version, you will have to reapply them to the 2.0.1 version.

> Problem that i am facing is after encoding, the text inside
>  angle brackets is not coming in my application..
>
> Steps to reproduce:-
> Example.
> Create a jsp file.
> String value=example for[]?! encoding < using esapi jar latest version >
> example
>
> If the above string value is passed to the encodeForHTML method
> I am getting the following output.
> "example for[]?! encoding sample"

Sorry, you've lost me there. This doesn't even make sense, much less
compile.  If, after trying this with ESAPI 2.0.1, you find that you
still have a particular problem, please include a short JUnit code
snippet that will illustrate the problem. E.g.,

        import static org.junit.Assert.assertEquals;
        import org.owasp.esapi.ESAPI;
        import org.owasp.esapi.Encoder;

        Encoder enc = ESAPI.encoder();
        // punctuation becomes &#xNN; hex entities; "<" and ">" become &lt; and &gt;
        assertEquals(
            "&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;&lt;script&gt;",
            enc.encodeForHTML( "!@$%()=+{}[]<script>" )
        );

Also, if you are using anything except the standard, out-of-the-box
2.0.1 ESAPI.properties file (with the exception of the settings for
Encryptor.MasterKey and Encryptor.MasterSalt), please make sure
to also include your ESAPI.properties file that you are using.

> Problem is crystal clear: whatever i am placing inside angle brackets <> is
> not displaying.
>
> This issue does not exist in 1.4.5
>
> I think something needs to be modified in the properties file..
>
> Could anyone help me with what needs to be modified in the properties file..

The standard 2.0.1 ESAPI.properties file should work as-is. Please
see above for additional instructions.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
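The following is an added example, not part of the message above and not code from the ESAPI project: a self-contained JUnit 4 test class that checks the encodeForHTML behaviour discussed in the thread against whatever ESAPI jar and ESAPI.properties are actually on the classpath. It assumes esapi-2.0.1.jar with its dependencies, JUnit 4, and a 2.0.1 ESAPI.properties (with Encryptor.MasterKey and Encryptor.MasterSalt set) on the test classpath; the class name and sample strings are mine. A browser only swallows text between angle brackets when it receives the raw `<` and `>`, so the first thing to establish is that the encoder in use really turns them into entities, and the round trip through decodeForHTML (an Encoder method in 2.0.1) rules out a codec that drops characters instead of encoding them.

```java
// Added example: JUnit 4 test for ESAPI 2.0.1 encodeForHTML (not from the original message).
// Assumes esapi-2.0.1.jar, its dependencies, JUnit 4 and an ESAPI.properties on the test classpath.
import static org.junit.Assert.assertEquals;

import org.junit.Test;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

public class EncodeForHtmlCheckTest {

    // ESAPI.encoder() loads ESAPI.properties on first use; a missing or
    // incompatible (1.4.x) properties file fails here, not in the assertions.
    private final Encoder enc = ESAPI.encoder();

    // "<" and ">" must come back as the named entities &lt; and &gt;.
    // If text inside angle brackets vanishes from a page, check this first.
    @Test
    public void angleBracketsBecomeEntities() {
        assertEquals("&lt;script&gt;", enc.encodeForHTML("<script>"));
    }

    // Punctuation is encoded as numeric hex entities (&#xNN;), while letters,
    // digits and spaces pass through unchanged.
    @Test
    public void punctuationBecomesNumericEntities() {
        assertEquals(
            "&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;&lt;script&gt;",
            enc.encodeForHTML("!@$%()=+{}[]<script>"));
        assertEquals("example for encoding 123",
            enc.encodeForHTML("example for encoding 123"));
    }

    // Encoding then decoding must give back the original string, so nothing
    // between the brackets is lost; only its representation changes.
    @Test
    public void encodeThenDecodeRoundTrips() {
        String raw = "example <using esapi> [1] done";   // constructed sample input
        String encoded = enc.encodeForHTML(raw);
        assertEquals("example &lt;using esapi&gt; &#x5b;1&#x5d; done", encoded);
        assertEquals(raw, enc.decodeForHTML(encoded));
    }

    // Encoding output that is already encoded produces visible entity text,
    // not hidden text: the ampersand and semicolon are themselves encoded.
    @Test
    public void doubleEncodingIsVisibleNotHidden() {
        String once = enc.encodeForHTML("<b>");
        assertEquals("&lt;b&gt;", once);
        assertEquals("&amp;lt&#x3b;b&amp;gt&#x3b;", enc.encodeForHTML(once));
    }
}
```

Run it with the same ESAPI.properties the web application uses; if the first test fails, the problem is the jar or properties file being picked up, not the JSP.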

