[Esapi-user] Newcomer doubt

Kevin W. Wall kevin.w.wall at gmail.com
Thu Jun 25 23:04:41 UTC 2015

On Wed, Jun 24, 2015 at 5:59 PM, Jose Ortuño <joselor at gmail.com> wrote:
> Despite what it have been said about a possible project "sunset" I would
> like to give a try to ESAPI.
> My question would be: Is it possible to use it in a non-web environment?


While ESAPI certainly has lost much momentum that it had in the early days,
I don't believe that there are any formal plans to sunset it. In fact,
Chris Schmidt
and I have been discussing amongst ourselves about releasing a point release
with several bug fixes. To that end, I have even been recently working with some
students that have been fixing bugs and we have noted a couple of different
issues to be fixed on Bug Bounty.

The question as to whether or not it is useful in a non-web environment
greatly depends on which controls that you are considering using. For
example, if by non-web you mean non-HTML that would imply that many
of ESAPI's output encoders are not relevant since they generally use
HTML entity encoding. (Although you could extend things by writing your
own Codecs to do custom output encoding.) If by non-web you are only
referring to non-HTTP but not non-HTML, then the ESAPI encoders would
still be relevant, but things like ESAPI's ClickjackFilter or its
various mechanisms
to help prevent CSRF attacks would not be useful. Some things like it's
encryptors and validators should be applicable to many domains though.

Hope that helps. If you have more specific questions, please let us know.

Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.

More information about the Esapi-user mailing list