[OWASP-ESAPI] J2EE ESAPI and International Characters

Jeff Williams jeff.williams at owasp.org
Wed Apr 29 16:08:25 EDT 2009

Hi Don,


Java regex are fully Unicode enabled, so you can customize the regular
expressions as much as you like. The CHAR_LOWERS and CHAR_UPPERS are used in
two places.  First is in deciding what characters to encode, which will
cause ESAPI to overencode a bit - harmless but annoying.  The second is in
verifying password strength, which means ESAPI may not calculate the
strength of passwords with international characters properly.


We are definitely putting a lot of work into internationalization in 2.0,
and we hope to have a version 2.0rc1 release in the next few weeks.  We've
internationalized all the strings used in ESAPI and are integrating that
feature now.  We will also put the character sets in ESAPI.properties for
sure, but really we need to replace these lists with functions that handle
international characters programmatically.   Java 1.4 does not have good
support for this, but Java 1.5+ does.





Sent: Wednesday, April 29, 2009 8:00 AM
To: jeff.williams at owasp.org
Subject: J2EE ESAPI and International Characters


Hi Jeff.


I am interested in using the ESAPI in J2EE applications, but I see that some
of the code only deals with standard ASCII characters and disregards
international characters e.g. accented characters. For example:

- Validator regular expressions in ESAPI.properties

- CHAR_LOWERS and CHAR_UPPERS in Encoder.java


Will this be improved in V2?

When is V2 likely to be released as a stable jar?






-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090429/92fbcc7a/attachment.html 

More information about the OWASP-ESAPI mailing list