[Esapi-user] Do we need to enable canonicalization in Java?

Eduardo Macarron eduardo.macarron at gmail.com
Mon Oct 27 06:17:08 UTC 2014

Hello everybody in the list.

We are adding ESAPI 2.x to a Spring MVC+Spring Security+MyBatis application.

We only want ESAPI for XSS protection (Canonicalize, Validate, Encode). Not
for SQL injection, authentication or authorization.

To implement the XSS protection we are validating inputs with calls to
Validator.isValid* methods.

We are not encoding output with ESAPI because input data is supposed to be
trusted after validation and also because Spring does some encoding by

My question is about canonicalization. Sorry if this same question has been
made millions of times. I have not been able to find a good reply to it yet.

Do we need canonicalization?

I can not understand how an encoded input can be a threat. Can anybody
point to a sample of an attack using encoded data in Java?

thank you!!!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20141027/8623328e/attachment.html>

More information about the Esapi-user mailing list