[Esapi-user] Encoding libraries: ESAPI, owasp encoder and JSTL

August Detlefsen augustd at codemagi.com
Tue Jan 13 20:28:56 UTC 2015


Hi Eduardo,

In my testing, I have found the OWASP Encoder to be significantly faster
than ESAPI (at least 10x). If all you need is encoding, the encoder is a
much better bet.

Regards,
August

On Tue, Jan 13, 2015 at 10:51 AM, Eduardo Macarron <
eduardo.macarron at gmail.com> wrote:

> Hi again,
>
> We have a very old Java application based on JSP scriptlets with several
> XSS vulnerabilities.
>
> We are going to do a full code review and apply encoding everywhere.
>
> Our general policy on newer applications is to use <c:out> and fn:escapeXml
> but both are JSTL tags that cannot be applied to scriptlets so we need a
> java encoding library like ESAPI or the Owasp Java Encoder.
>
> Given that we just want encoding probably we would better use the Owasp
> Java Encoder project instead of the full ESAPI project. We will need no
> config files and will probably save some dependencies.
>
> And the questions are:
> - Are the encoding capabilities of both projects equal?
> - Does the Encoder Project have any relation with ESAPI?
>
> On the other hand. When talking strictly about html encoding (not css, not
> javascript) is there any benefit in using ESAPI or the Owasp Java encoder
> over JSTL?
>
> Thank you!!
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
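The situation described in the thread, as an added example that is not part of the original messages: an old JSP scriptlet page that echoes request data, shown once unencoded and once with the OWASP Java Encoder applied per output context. The `name` request parameter and the page layout are constructed for the illustration; `Encode.forHtml`, `Encode.forHtmlAttribute`, `Encode.forJavaScript` and `Encode.forUriComponent` are the real entry points of the `org.owasp.encoder` package.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page import="org.owasp.encoder.Encode" %>
<%
    // Constructed input: untrusted data straight from the request.
    String name = request.getParameter("name");
    if (name == null) {
        name = "";
    }
%>
<html>
<body>

<%-- BEFORE: the pattern the thread is reviewing. Raw request data is written
     into the HTML body, so a value such as <script>...</script> is rendered
     as markup rather than text (reflected XSS). --%>
<p>Hello, <%= name %></p>

<%-- AFTER: encode for the exact context the value lands in. No ESAPI.properties
     or other configuration is needed; the encoder is a single jar. --%>

<%-- HTML body text: same protection <c:out> / fn:escapeXml would give,
     but callable from scriptlet Java code. --%>
<p>Hello, <%= Encode.forHtml(name) %></p>

<%-- Quoted HTML attribute value. --%>
<input type="text" name="name" value="<%= Encode.forHtmlAttribute(name) %>">

<%-- Value embedded in a JavaScript string literal: HTML encoding alone is
     not correct here, JSTL has no equivalent, so a context-aware encoder
     is the benefit over <c:out> once output leaves the HTML body. --%>
<script>
    var greeting = "<%= Encode.forJavaScript(name) %>";
</script>

<%-- Value placed in a URL query component. --%>
<a href="/profile?name=<%= Encode.forUriComponent(name) %>">Profile</a>

</body>
</html>
```

During a code review of this kind, each `<%= ... %>` and `out.print(...)` is checked for which of the four contexts above it writes into, and the matching `Encode.forXxx` call is chosen; the HTML-body case is the only one where JSTL's `fn:escapeXml` and the encoder are interchangeable.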