<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<title>RE: Implementation of Global Output Encoder with ESAPI</title>
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 @list l0
        {mso-list-id:1484614703;
        mso-list-type:hybrid;
        mso-list-template-ids:-519302816 -1044735772 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-start-at:0;
        mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;
        mso-fareast-font-family:Calibri;
        mso-bidi-font-family:"Times New Roman";}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body bgcolor=white lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Obviously the best way to do things would be to <b>validate</b>
near where the data comes in and <b>escape</b> near where the data goes out. And
I can imagine some applications where this would be difficult to make
happen.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Nevertheless, I don&#8217;t think that the suggested
approach is really a *<b>big hammer</b>* - it&#8217;s more like a wet
blanket.&nbsp; And it&#8217;s not likely to make anyone happy.&nbsp; Here&#8217;s
what&#8217;s going to happen.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style='mso-list:Ignore'>&middot;<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You&#8217;re going to mess up your database, because now all the
data will be escaped, and queries and sort order will be screwy.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style='mso-list:Ignore'>&middot;<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You&#8217;re going to mess up your HTML, since anywhere that is already
escaped properly will now &#8220;double escape&#8221; and will show up as
visible HTML code.<o:p></o:p></span></p>

<p class=MsoListParagraph><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='font-size:11.0pt;font-family:Symbol;color:#1F497D'><span
style='mso-list:Ignore'>&middot;<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You&#8217;re NOT going to solve XSS, since HTML entity escaping
won&#8217;t stop XSS attacks for any data that falls outside normal HTML, such
as Javascript, CSS, or URLs.<o:p></o:p></span></p>

<div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>--Jeff<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

</div>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> esapi-user-bounces@lists.owasp.org
[mailto:esapi-user-bounces@lists.owasp.org] <b>On Behalf Of </b>Chris Schmidt<br>
<b>Sent:</b> Friday, May 07, 2010 7:25 PM<br>
<b>To:</b> Jim Manico<br>
<b>Cc:</b> owasp-esapi@lists.owasp.org; esapi-user@lists.owasp.org<br>
<b>Subject:</b> Re: [Esapi-user] [OWASP-ESAPI] Implementation of Global
OutputEncoder with ESAPI<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal>Jim, you are absolutely right - but there are some cases
where you need the *big hammer* approach... I can vouch for that - especially
as a means of getting ESAPI in the door and implemented in a bloated and ever
evolving enterprise codebase. <br>
<br>
I am not saying this is the *right* way to do things, and I pointed out in the
last part of my reply that while this works for a big hammer approach it is
*not* 100% reliable, and it is not quite so daunting to carve out sections of a
site and implement the tags or scriptlet to do it correctly.. :)<br>
<br>
Sometimes you gotta prove that something helps when it is used in not quite the
100% correct way just to get it in so you can do things correctly...
You've worked with stubborn managers before.. *g*<br>
<br>
On 5/7/2010 5:17 PM, Jim Manico wrote: <o:p></o:p></p>

<p class=MsoNormal>&gt;&nbsp; You just create an HttpServletRequestWrapper that
returns the encoded values.<br>
<br>
Beef... Noooooo!<br>
<br>
I can't agree with that. This filter method only encodes data in the HTML body
context - leaving all other display contexts vulnerable to XSS!<br>
<br>
I implore you to manually encode each variable per <a
href="http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet</a>
- you can even come up with a few regular expressions to do mass
search-and-replace for some cases.<br>
<br>
My 2 cents,<br>
Jim<br>
<br>
<br>
<o:p></o:p></p>

<p class=MsoNormal>Ramesh - (Please use the ESAPI-USER list - this list is deprecated.)<br>
<br>
You just create an HttpServletRequestWrapper that returns the encoded values.<br>
<br>
</p>

<pre>import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.esapi.ESAPI;

public class MyWrapper extends HttpServletRequestWrapper {
   // HttpServletRequestWrapper has no no-arg constructor, so the wrapped request must be passed in
   public MyWrapper(HttpServletRequest request) {
      super(request);
   }

   @Override
   public String getParameter(String key) {
      try {
         // HTML-encode every parameter value before the application sees it
         return ESAPI.encoder().encodeForHTML( super.getParameter( key ) );
      } catch ( Exception e ) {
         ESAPI.getLogger( "MyWrapper" ).error( org.owasp.esapi.Logger.EVENT_FAILURE,
               "Unable to encode value", e );
      }
      return null;
   }
}</pre>

<p class=MsoNormal>Obviously, this is an overly simplified version, but it conveys the point. <br>
<br>
I am curious what you are going for by re-encoding for HTML, HTMLAttribute,
CSS, and JS?<br>
<br>
I understand the desire to not have to make changes to a *ton* of jsps to get
this going quickly, and the above works as a good *big hammer* solution to
solve most problems quickly, but ultimately you are going to want to make sure
that you start implementing the encoding correctly in your view code as you go.
It is pretty easy to carve out sections of a site and go through that section
using the ESAPI taglibs or scriptlet to call the correct one. <br>
<br>
Hope this has been helpful. <br>
<br>
Thanks <br>
<br>
On 5/7/2010 2:28 PM, Kesavanarayanan, Ramesh wrote: <o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I have a
question on the output encoding using the ESAPI.</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In my
application I tried to implement the ESAPI for the response output encoding in
a centralized manner so that I do not need to change every JSP page in my
application.</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>The
following is the piece of code I have written using my sessionFilter.</span><o:p></o:p></p>

<pre>import java.io.CharArrayWriter;

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws ServletException, IOException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        HttpSession session = httpRequest.getSession();
        ServletResponse newResponse = null;
        if (request instanceof HttpServletRequest) {
            newResponse = new CharResponseWrapper((HttpServletResponse) response);
        }
        chain.doFilter(request, response);
        String text = newResponse.toString();
        text = text.toUpperCase();
        text = ESAPI.encoder().encodeForHTML(text);
        text = ESAPI.encoder().encodeForHTMLAttribute(text);
        text = ESAPI.encoder().encodeForJavaScript(text);
        text = ESAPI.encoder().encodeForCSS(text);
        CharArrayWriter caw = new CharArrayWriter();
        if (text != null) {
            try {
                caw.write(text);
                response.getWriter().write(caw.toString());
            } catch (java.lang.IllegalStateException ille) {
            }
        }
    }</pre>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In my JSP I
have the code as follows</span><o:p></o:p></p>

<p><b><u><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Not
working</span></u></b><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>&lt;script&gt;</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>function
setUserName(){</span><o:p></o:p></p>

<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'> document.getElementById(&quot;login&quot;).value
='&lt;%= (String)request.getAttribute(&quot;username&quot;)&nbsp; %&gt;';</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>}</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>&lt;/script&gt;</span><o:p></o:p></p>

<p><b><u><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Working</span></u></b><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>&lt;%!</span><o:p></o:p></p>

<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>String cleanXSS(String value) {</span><o:p></o:p></p>

<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>value = ESAPI.encoder().encodeForHTML(value);</span><o:p></o:p></p>

<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>value =
ESAPI.encoder().encodeForHTMLAttribute(value);</span><o:p></o:p></p>

<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>value =
ESAPI.encoder().encodeForJavaScript(value);</span><o:p></o:p></p>

<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>value = ESAPI.encoder().encodeForCSS(value);</span><o:p></o:p></p>

<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>return value;</span><o:p></o:p></p>

<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>}</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>%&gt;</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>&lt;script&gt;</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>function
setUserName(){</span><o:p></o:p></p>

<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span style='font-size:10.0pt;
font-family:"Arial","sans-serif"'>
document.getElementById(&quot;login&quot;).value ='&lt;%= cleanXSS(&nbsp;
(String)request.getAttribute(&quot;username&quot;)&nbsp; ) %&gt;';</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>}</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>&lt;/script&gt;</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>As you can
see, I expect the response to be updated with the ESAPI functions, but somewhere
I lose the ESAPI. The idea for me is to centralize the output encoding so that
it saves me time and effort.</span><o:p></o:p></p>

<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Appreciate
if you have any pointers on the same.</span><o:p></o:p></p>

<p><b><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:teal'>Regards |&nbsp; Ramesh Kesavanarayanan&nbsp; |&nbsp;&nbsp;
&nbsp;319-354-9200 ext 215785 / 215972 (O)</span> </i></b><b><i><span
style='font-size:10.0pt;font-family:"Arial","sans-serif";color:teal'>|&nbsp; /</span></i></b><span
style='font-size:10.0pt;font-family:"Arial","sans-serif";color:teal'>&nbsp;</span><b><i>
</i></b><b><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:teal'>319-621-7641 (M)&nbsp;</span></i></b> <span style='font-size:10.0pt;
font-family:"Arial","sans-serif";color:teal'>&nbsp;|&nbsp;</span><a
href="mailto:ramesh.kesavanarayanan@pearson.com"><b><i><span style='font-size:
10.0pt;font-family:"Arial","sans-serif"'>ramesh.kesavanarayanan@pearson.com</span></i></b></a><o:p></o:p></p>
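<p class=MsoNormal>To make the objections in the replies concrete (the database, double-escaping and wrong-context problems Jeff lists, the HTML-encoding request wrapper in Chris's reply, and the chained cleanXSS() helper in the question above), here is an added example. It is not code from any message in this thread, and it uses minimal stand-in encoders written for the example rather than ESAPI's real implementation:</p>

```python
"""Added example, not code from any message in this thread.  Minimal stand-in
encoders (NOT ESAPI's implementation) show concretely what the three bullet
points in the thread describe when every parameter is HTML-encoded in a request
wrapper or pushed through a chain of encoders, and what per-context encoding does."""
import html


def encode_for_html(value: str) -> str:
    """HTML body / quoted-attribute context: entity-encode & < > " and '."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JS string-literal context: \\xHH-escape every non-alphanumeric character
    (quotes, backslash and line terminators included; HTML entities do not cover these)."""
    return "".join(c if c.isalnum() else f"\\x{ord(c):02x}" for c in value)


# --- Bullet 1: global encoding in a request wrapper reaches the database -----
def wrapper_get_parameter(raw: str) -> str:
    """What getParameter() returns once the wrapper HTML-encodes everything."""
    return encode_for_html(raw)


def db_lookup_matches(stored: str, user_typed: str) -> bool:
    """Stand-in for WHERE name = ?: the stored value is what the wrapper produced."""
    return stored == user_typed


def sort_order_changes(names: list) -> bool:
    """True if ORDER BY over the encoded values orders rows differently than the
    original values would ('&' and the entity text now take part in ordering)."""
    plain = sorted(names)
    encoded = [html.unescape(n) for n in sorted(encode_for_html(n) for n in names)]
    return plain != encoded


# --- Bullet 2: a view that already encodes correctly now double-escapes ------
def render_span(value: str) -> str:
    return f"<span>{encode_for_html(value)}</span>"


# --- Bullet 3 and the JSP in the question: value inside a JS string literal --
def render_login_script(value: str, encoder) -> str:
    """Browsers do not decode HTML entities inside <script>, so only a JS-string
    encoder both keeps the literal closed and preserves the real value."""
    return (f"<script>document.getElementById('login').value = "
            f"'{encoder(value)}';</script>")


def chained_clean_xss(value: str) -> str:
    """Shape of the cleanXSS() helper: HTML encoding, then JS encoding on top."""
    return encode_for_js_string(encode_for_html(value))


def demo(name: str = "O'Brien") -> dict:
    wrapped = wrapper_get_parameter(name)
    return {
        "stored": wrapped,                                  # O&#x27;Brien
        "lookup_ok": db_lookup_matches(wrapped, name),      # False
        "sort_changed": sort_order_changes(["Smith & Sons", "Smith 'N Co"]),  # True
        "view_from_wrapped": render_span(wrapped),          # &amp;#x27; shown literally
        "view_from_raw": render_span(name),                 # encoded exactly once
        "chained_js": chained_clean_xss(name),              # login field shows O&#x27;Brien
        "js_only": render_login_script(name, encode_for_js_string),  # field shows O'Brien
        "html_misses_backslash": encode_for_html("a\\b") == "a\\b",  # True
    }
```

Running demo() shows the stored name no longer matches what the user typed, a correctly written view now renders the entity text itself, and the chained helper produces a value the login field displays as literal entities, while the JS-string encoder alone keeps the name intact.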

<pre><o:p>&nbsp;</o:p></pre><pre>_______________________________________________<o:p></o:p></pre><pre>OWASP-ESAPI mailing list<o:p></o:p></pre><pre><a
href="mailto:OWASP-ESAPI@lists.owasp.org">OWASP-ESAPI@lists.owasp.org</a><o:p></o:p></pre><pre><a
href="https://lists.owasp.org/mailman/listinfo/owasp-esapi">https://lists.owasp.org/mailman/listinfo/owasp-esapi</a><o:p></o:p></pre>


<pre>-- <o:p></o:p></pre><pre>Jim Manico<o:p></o:p></pre><pre>OWASP Podcast Host/Producer<o:p></o:p></pre><pre>OWASP ESAPI Project Manager<o:p></o:p></pre><pre><a
href="http://www.manico.net">http://www.manico.net</a><o:p></o:p></pre></div>

</body>

</html>