[Esapi-user] Encoding libraries: ESAPI, owasp encoder and JSTL

Eduardo Macarron eduardo.macarron at gmail.com
Wed Jan 14 07:21:31 UTC 2015

We will definitely go the Java Encoder

Thank you very much for your detailed replies and also for your great work
on these projects.


2015-01-14 6:31 GMT+01:00 Jim Manico <jim.manico at owasp.org>:

> Yes it does.
> - Jim
> On 1/13/15 6:40 PM, Kevin W. Wall wrote:
>> Not only is it faster (while that's a win, the Java Encoder project
>> can be configured to be used as the default encoder in ESAPI), but IMO the
>> biggest advantage is that you don't get burdened with all of ESAPI's
>> dependencies (many of which haven't been updated for 2 or 3 yrs). If you
>> want to use a significant portion of the other ESAPI functionality, it
>> probably makes sense to use ESAPI. If you only want to do output
>> encoding, I'd stick with the Java Encoder project. Another option, if
>> you are already using Struts is to use the Struts JSP tag library.
>> The only thing I'm not sure of is if the Java Encoder project has a
>> tag library that comes as part of it. ESAPI does (although writing your own
>> is not a major undertaking). Jim, can you comment on that? Does the
>> encoder project have a tag library?
>> -kevin
>> On Tue, Jan 13, 2015 at 3:28 PM, August Detlefsen <augustd at codemagi.com>
>> wrote:
>>> Hi Eduardo,
>>> In my testing, I have found the OWASP Encoder to be significantly faster
>>> than ESAPI (at least 10x). If all you need is encoding, the encoder is a
>>> much better bet.
>>> Regards,
>>> August
>>> On Tue, Jan 13, 2015 at 10:51 AM, Eduardo Macarron
>>> <eduardo.macarron at gmail.com> wrote:
>>>> Hi again,
>>>> We have a very old Java application based on JSP scriptlets with several
>>>> XSS vulnerabilities.
>>>> We are going to do a full code review and apply encoding everywhere.
>>>> Our general policy on newer applications is to use <c:out> and
>>>> fn:escapeXml, but both are JSTL tags that cannot be applied to
>>>> scriptlets, so we need a Java encoding library like ESAPI or the
>>>> OWASP Java Encoder.
>>>> Given that we just want encoding, we would probably be better off using
>>>> the OWASP Java Encoder project instead of the full ESAPI project. We will
>>>> need no config files and will probably save some dependencies.
>>>> And the questions are:
>>>> - Are the encoding capabilities of both projects equal?
>>>> - Does the Encoder Project have any relation with ESAPI?
>>>> On the other hand, when talking strictly about HTML encoding (not CSS,
>>>> not JavaScript), is there any benefit in using ESAPI or the OWASP Java
>>>> Encoder over JSTL?
>>>> Thank you!!
>>>> _______________________________________________
>>>> Esapi-user mailing list
>>>> Esapi-user at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/esapi-user
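The thread's practical question is how to apply HTML output encoding inside legacy JSP scriptlets, where the JSTL `<c:out>` and `fn:escapeXml` tags cannot be used. The following is an added example, not code from the thread, from ESAPI or from the OWASP Java Encoder project; it assumes the `org.owasp.encoder:encoder` artifact is on the classpath and uses a constructed sample value in place of `request.getParameter("name")`. It shows the unencoded legacy output next to the same value rendered through `Encode.forHtml()` (element body) and `Encode.forHtmlAttribute()` (attribute value), since the two contexts need different encoders.

```java
// Added example (not from the mailing-list thread or either project).
// Assumes org.owasp.encoder:encoder is on the classpath.
import org.owasp.encoder.Encode;

public class ScriptletEncodingExample {

    // Constructed sample input standing in for request.getParameter("name").
    static final String UNTRUSTED = "<script>alert(1)</script> O'Neil & \"friends\"";

    // BEFORE: what a legacy scriptlet such as
    //   <%= request.getParameter("name") %>
    // effectively does: the untrusted value reaches the page unchanged,
    // so the <script> element is parsed as markup (stored/reflected XSS).
    static String renderUnencoded(String value) {
        return "<p>Hello, " + value + "</p>";
    }

    // AFTER, element-body context. In a scriptlet this becomes
    //   <%= Encode.forHtml(request.getParameter("name")) %>
    // and is the scriptlet equivalent of <c:out value="${param.name}"/>.
    // (With ESAPI the call would be ESAPI.encoder().encodeForHTML(value),
    // which additionally needs an ESAPI.properties file to be present.)
    static String renderHtmlBody(String value) {
        return "<p>Hello, " + Encode.forHtml(value) + "</p>";
    }

    // AFTER, attribute context. A quoted attribute value has its own rules
    // (quotes terminate the value), so it gets its own encoder.
    static String renderHtmlAttribute(String value) {
        return "<input name=\"user\" value=\"" + Encode.forHtmlAttribute(value) + "\">";
    }

    public static void main(String[] args) {
        System.out.println("unencoded:  " + renderUnencoded(UNTRUSTED));
        System.out.println("forHtml:    " + renderHtmlBody(UNTRUSTED));
        System.out.println("attribute:  " + renderHtmlAttribute(UNTRUSTED));
    }
}
```

When reviewing a scriptlet-heavy code base, the useful check is that every `<%= ... %>` and `out.print(...)` of request-derived data goes through the encoder matching its output context (`forHtml`, `forHtmlAttribute`, `forJavaScript`, and so on); the Java Encoder's `Encode` class is static and needs no configuration, which is the dependency and config-file saving the original question is after.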