<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="&#1;" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Book Antiqua";
        panose-1:2 4 6 2 5 3 5 3 3 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Book Antiqua","serif";
        color:black;
        font-weight:normal;
        font-style:normal;
        text-decoration:none none;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Book Antiqua","serif";
        color:black;
        font-weight:normal;
        font-style:normal;
        text-decoration:none none;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 @list l0
        {mso-list-id:553662710;
        mso-list-type:hybrid;
        mso-list-template-ids:1996230332 -1068082600 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-start-at:877;
        mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;
        mso-fareast-font-family:Calibri;
        mso-bidi-font-family:"Times New Roman";}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body bgcolor=white lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I like the idea of leveraging the crypto red/black diagram style,
but I’m sorry, I don’t get the one below.  To me there are only four states…<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Raw<o:p></o:p></span></p>

<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Canonicalized<o:p></o:p></span></p>

<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Validated<o:p></o:p></span></p>

<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Escaped<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>But that’s not really that important.  There are really two
important integration questions for preventing injection: where validation happens
on the way in, and where escaping happens on the way out.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>How do you hook up ESAPI validation?  Here you have to find the
place where your framework is doing validation.  If it’s extensible (like
Struts pluggable validators) then you can just use that to plug in ESAPI.  If
it’s not extensible, then you’ve got an “engineering challenge” – either you
have to switch to only ESAPI, or you have to modify the framework.<o:p></o:p></span></p>

<p class=MsoListParagraph><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>How do you hook up ESAPI escaping? Here you have to find all the
places where your application emits data that isn’t 100% trusted.  Usually this
is the UI or the data layer. Then you have to escape that data for the specific
output context it is going into (HTML, JavaScript, URL, SQL, etc.) before it
leaves.  If you have a component UI, then you can modify your custom components
to use ESAPI escaping.  But you’ll also have to check the “standard” components
that come with the framework, as in most libraries they are horribly inconsistent
about escaping.<o:p></o:p></span></p>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>--Jeff<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

</div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
esapi-dev-bounces@lists.owasp.org [mailto:esapi-dev-bounces@lists.owasp.org] <b>On
Behalf Of </b>Boberski, Michael [USA]<br>
<b>Sent:</b> Monday, April 26, 2010 3:51 PM<br>
<b>To:</b> Jim Manico<br>
<b>Cc:</b> ESAPI-Developers; ESAPI-Users<br>
<b>Subject:</b> Re: [Esapi-dev] [Esapi-user] Has anyone created a
&quot;UserEffect&quot; kind of ESAPI control...<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Maybe
a “state” pattern would be one way to provide at least </span><span
style='color:#1F497D'>some initial guidance on hooking ESAPI up to frameworks</span><span
style='font-family:"Book Antiqua","serif";color:black'> etc. that we can put in
our new documentation, something like:<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><img
width=499 height=315 id="Picture_x0020_6"
src="cid:image001.png@01CAE565.7AFE8A80"><o:p></o:p></span></p>

<div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Since
there’s nothing equivalent in terms of a picture in “doc-files”, or other
written guidance along the lines of either of your responses, that I can
find.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Best,</span><span
style='font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Mike
B.<o:p></o:p></span></p>

</div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
esapi-user-bounces@lists.owasp.org [mailto:esapi-user-bounces@lists.owasp.org] <b>On
Behalf Of </b>Boberski, Michael [USA]<br>
<b>Sent:</b> Monday, April 26, 2010 1:03 PM<br>
<b>To:</b> Jim Manico<br>
<b>Cc:</b> ESAPI-Developers; ESAPI-Users<br>
<b>Subject:</b> Re: [Esapi-user] Has anyone created a &quot;UserEffect&quot;
kind of ESAPI control...<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Jeff
and Jim, thanks. <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>I
think based on your responses, there might be a fourth (maybe more?) “design
pattern” related to validation lifecycle as you call it, to be extracted and
added here: <a
href="http://code.google.com/p/owasp-esapi-java/wiki/esapi4java_v2_Design_patterns">http://code.google.com/p/owasp-esapi-java/wiki/esapi4java_v2_Design_patterns</a>
<o:p></o:p></span></p>

<div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>I’ll
think about it further…<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Thanks
both,<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Best,</span><span
style='font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'>Mike
B.<o:p></o:p></span></p>

</div>

<p class=MsoNormal><span style='font-family:"Book Antiqua","serif";color:black'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jim Manico
[mailto:jim.manico@owasp.org] <br>
<b>Sent:</b> Monday, April 26, 2010 11:15 AM<br>
<b>To:</b> Boberski, Michael [USA]<br>
<b>Cc:</b> ESAPI-Users; ESAPI-Developers<br>
<b>Subject:</b> Re: [Esapi-user] Has anyone created a &quot;UserEffect&quot;
kind of ESAPI control...<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div>

<p class=MsoNormal>Mike,<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>I use the ValidationGroup class to ensure that each
validation attempt for each field still&nbsp;<span class=apple-style-span>fires
even if the first one fails. Then I check if that list is empty and act
accordingly. I pass error messages from the controller to the UI via a request
attribute - so that the header tile of my app will list the error messages. I
also access the error list at my body tile so I can highlight certain fields
that are in error.</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal><span class=apple-style-span>This is the &quot;full
lifecycle&quot; of validation and I think ESAPI covers it well.</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal><span class=apple-style-span>Most validation errors are just
honest user mistakes - missing a required field or adding a bad character that
breaks a regex. &nbsp;</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal><span class=apple-style-span>But for validation errors that
are extraordinary (i.e., that look like an attack rather than an honest mistake)
- I just use the IntrusionDetector.</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal><span class=apple-style-span>Forgive me if I'm missing
something sir. :) Can you explain to me just one more time where this proposal
fits into the validation lifecycle?&nbsp;</span><o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><br>
Jim Manico<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'><br>
On Apr 26, 2010, at 7:56 AM, &quot;Boberski, Michael [USA]&quot; &lt;<a
href="mailto:boberski_michael@bah.com">boberski_michael@bah.com</a>&gt; wrote:<o:p></o:p></p>

</div>

<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>

<div>

<div>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>… that triggers on
failures, regardless of IntrusionDetector use/configuration?</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>E.g., to wrap HTTP 500
error message generation, or e.g. to do a lookup for some kind of
context-specific error to display on a user form, and hook this up to other
ESAPI controls?</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>E.g.,</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'><span style='font-size:8.0pt;font-family:"Courier New";
color:black'>if( !validator.isValidXX() ) {</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'><span style='font-size:8.0pt;font-family:"Courier New";
color:black'>&nbsp;&nbsp;&nbsp; ESAPI.effect().rejectUserInput(); //maybe,
generate an HTTP 500, cause a form error, ?</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
margin-left:.5in'><span style='font-size:8.0pt;font-family:"Courier New";
color:black'>}</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>This would be towards the
end of standardizing how e.g. user input validation failures (ESAPI isWhatever
failures and failures causing exceptions to be thrown more generally) should be
handled. I think adding an interface to ESAPI might help proactively answer
(and promote the wrapping and standardization of security-relevant behaviors
inside of ESAPI) what is one of the first questions dev teams ask me on how to
use ESAPI. </span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>If I’m missing something
obvious, please be kind, and explain what the/a preferred approach <i>using ESAPI</i>
is, to wrap and standardize such things for an application, generally/according
to best practices.</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>Best,</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>&nbsp;</span><o:p></o:p></p>

<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
style='font-family:"Book Antiqua","serif";color:black'>Mike B.</span><o:p></o:p></p>

</div>

</div>

</blockquote>

<blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'>

<div>


</div>

</blockquote>

</div>

</body>

</html>