[Esapi-user] Encoding libraries: ESAPI, owasp encoder and JSTL

Eduardo Macarron eduardo.macarron at gmail.com
Tue Jan 13 18:51:04 UTC 2015


Hi again,

We have a very old Java application based on JSP scriptlets with several XSS
vulnerabilities.

We are going to do a full code review and apply encoding everywhere.

Our general policy on newer applications is to use <c:out> and fn:escapeXml,
but both are JSTL tags that cannot be applied to scriptlets, so we need a
Java encoding library like ESAPI or the OWASP Java Encoder.

Given that we just want encoding, we would probably be better off using the
OWASP Java Encoder project instead of the full ESAPI project. We will need no
config files and will probably save some dependencies.

And the questions are:
- Are the encoding capabilities of both projects equal?
- Does the Encoder Project have any relation with ESAPI?

On the other hand, when talking strictly about HTML encoding (not CSS, not
JavaScript), is there any benefit in using ESAPI or the OWASP Java Encoder
over JSTL?

Thank you!!
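As an added example (not part of the original post) of how the OWASP Java Encoder fits into a scriptlet-based JSP where <c:out> cannot be used: it assumes the org.owasp.encoder:encoder artifact is on the classpath, and the `user` parameter and its fallback sample value are constructed for illustration.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ page import="org.owasp.encoder.Encode" %>
<%
    // Untrusted input, as a scriptlet would normally obtain it.
    String user = request.getParameter("user");
    if (user == null) {
        // Constructed sample that targets several output contexts at once.
        user = "<script>alert(1)</script>\" onmouseover=\"alert(2)";
    }
%>
<!DOCTYPE html>
<html>
<head><title>Encoder demo</title></head>
<body>
  <!-- HTML body text: the same context that <c:out> / fn:escapeXml cover.
       Encode.forHtml() escapes & < > " ' so the markup cannot be broken out of. -->
  <p>Hello, <%= Encode.forHtml(user) %></p>

  <!-- Quoted HTML attribute: forHtml() is also safe here because it encodes
       both quote characters, so the injected onmouseover stays inert text. -->
  <input type="text" name="user" value="<%= Encode.forHtml(user) %>">

  <!-- JavaScript string literal inside a script block: HTML encoding is the
       wrong encoder here; forJavaScript() uses backslash escapes and also
       escapes "/" so a "</script>" in the data cannot close the block. -->
  <script>
    var user = '<%= Encode.forJavaScript(user) %>';
  </script>

  <!-- URL query parameter: percent-encode for the URI component context.
       Its output contains only URL-safe characters, so it is also safe
       inside this quoted href attribute. -->
  <a href="/profile?user=<%= Encode.forUriComponent(user) %>">profile</a>
</body>
</html>
```

The first two uses are the ones JSTL escaping would also handle; the script and URL cases are where a context-specific encoder rather than plain HTML encoding is required.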