[OWASP-ESAPI] [Owasp-antisamy] AntiSamy versus ESAPI?

Jim Manico jim.manico at owasp.org
Sun Aug 9 17:41:02 EDT 2009


In regards to the "when to use AntiSamy" conversation.... I see it like 
this:

1) If you accept "normal text data" from a user, then
    a) (input validation) Use the ESAPI validator for input validation 
(functions OTHER than getValidSafeHTML)
    b) (output encoding) Use the ESAPI encoding library for contextual 
output encoding when displaying dynamic data in a web browser
        1. encodeForHTML
        2. encodeForJavascript
        3. encodeForHTMLEntity
        4. encodeFor

2) If you accept HTML from a user, you need to use AntiSamy
   a) (input validation) You must validate and CHANGE (make it safer) HTML 
that you accept from a user with AntiSamy (which can be called via ESAPI - 
getValidSafeHTML)
   b) (output translation) You can optionally use AntiSamy for output 
translation (it does not encode; it only makes HTML "safer")
        1. This is crucial when you have legacy HTML in your data storage 
mechanism that may still contain XSS

- Jim

----- Original Message ----- 
From: "Abius X" <abiusx at gmail.com>
To: "Jim Manico" <jim at manico.net>
Sent: Saturday, August 08, 2009 11:50 PM
Subject: Re: [Owasp-antisamy] AntiSamy versus ESAPI?


> Hi, to make things clear:
> ESAPI is a solution for enterprise application security, which contains
> lots of integrated subsystems. One of these is used to handle user input
> validation (slangly XSS).
> Because this very task has been very bugous and many enterprises have
> failed to provide a sufficient solution (due to complication of web and
> user input today), another new project known as AntiSamy started to
> handle this tedious task.
>
> So if you're about to start an enterprise (and not only in Java) you
> should consider using ESAPI. If you're working on a framework or
> modifying an already developed application, you can use AntiSamy to
> provide only the XSS protection.
>
> regards
> AbiusX
>
> Jim Manico wrote:
>> On ESAPI, AntiSamy, and Input Validation.
>>
>> When accepting HTML from a user that you then need to render, use
>> AntiSamy to set a policy for what HTML you accept as input from users.
>> Some also use AntiSamy as an "output policy checker" for HTML output
>> that came from other users.
>>
>> Use ESAPI's validation for pretty much all else.
>>
>> If you need to do secure file upload, that is a WAY more complex issue
>> that ESAPI only partially addresses, currently.
>>
>> - Jim
>>
>>     ----- Original Message -----
>>     *From:* Joanne Sun <mailto:joannehsun at gmail.com>
>>     *To:* owasp-antisamy at lists.owasp.org
>>     *Sent:* Tuesday, August 04, 2009 11:49 AM
>>     *Subject:* [Owasp-antisamy] AntiSamy versus ESAPI?
>>
>>     Hi,
>>
>>     Can anybody point a similar page
>>
>> 
>> http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>>
>>     to use AntiSamy for XSS prevention? All the rules in the page use
>>     ESAPI.
>>
>>     Can you tell me when to use AntiSamy, when to use ESAPI?
>>
>>     Thanks,
>>
>>     Joanne
>>
>>     ------------------------------------------------------------------------
>>     _______________________________________________
>>     Owasp-antisamy mailing list
>>     Owasp-antisamy at lists.owasp.org 
>>     https://lists.owasp.org/mailman/listinfo/owasp-antisamy
>>
> 

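An added example in Java (not code from this thread, and not ESAPI's or AntiSamy's own) that applies Jim's two cases from the top of this message: plain text is validated with an ESAPI validator other than getValidSafeHTML and encoded for the output context when rendered; user-supplied HTML is rewritten by AntiSamy on input through getValidSafeHTML, and legacy HTML already in storage is run through AntiSamy again on output. The context names, length limits and the policy filename are assumptions.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class UserContentHandling {

    // Case 1a: a plain-text field such as a display name. Validate on input
    // with a regular ESAPI validator (not getValidSafeHTML) and store the
    // text as-is; "SafeString" is the Validator.SafeString regex key in
    // ESAPI.properties (assumed to be configured).
    public static String storeDisplayName(String untrusted) throws ValidationException {
        return ESAPI.validator().getValidInput("displayName", untrusted, "SafeString", 64, false);
    }

    // Case 1b: encode per output context at render time. The same stored
    // value needs a different encoder for an HTML body and for a JS string.
    public static String renderDisplayNameInHtml(String stored) {
        return "<span>" + ESAPI.encoder().encodeForHTML(stored) + "</span>";
    }

    public static String renderDisplayNameInJs(String stored) {
        return "var name = '" + ESAPI.encoder().encodeForJavaScript(stored) + "';";
    }

    // Case 2a: a rich-text field. The HTML is changed (not just checked)
    // on input by AntiSamy, called through ESAPI's getValidSafeHTML, which
    // uses the AntiSamy policy file configured in ESAPI.properties.
    public static String storeComment(String untrustedHtml) throws ValidationException {
        return ESAPI.validator().getValidSafeHTML("comment", untrustedHtml, 10000, false);
    }

    // Case 2b: legacy HTML in storage may never have been sanitized, so run
    // AntiSamy directly on the way out. The policy filename is an assumption;
    // use whichever policy the application ships.
    public static String renderLegacyHtml(String storedHtml) throws Exception {
        Policy policy = Policy.getInstance("antisamy-slashdot.xml");
        CleanResults result = new AntiSamy().scan(storedHtml, policy);
        return result.getCleanHTML();
    }
}
```

Note that AntiSamy's output in case 2 is still HTML and is meant to be emitted as markup; passing it through encodeForHTML afterwards would display the tags literally rather than render them.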