[OWASP-ESAPI] Javadoc fails for org.owasp.esapi.PreparedString in ESAPI 2.0

Kevin W. Wall kevin.w.wall at gmail.com
Mon Aug 17 00:33:14 EDT 2009


The Javadoc fails for org.owasp.esapi.PreparedString with several error
messages of the type

	unmappable character for encoding UTF8

from lines 22 through 30, inclusive. The problem is the class documentation
at the beginning of the file:

/**
 * A parameterized string that can be used to send data to an interpreter.
 * <pre>
 * PreparedString div = new PreparedString( <93><a href=<94>@1<94>
onmouseover=<94>alert(<91>@2<92>)<94>>test</a><94> );
 * div.setURL( 1, request.getParameter( <93>url<94> ) );
 * div.setJavaScriptString( 2, request.getParameter( <93>message<94> ) );
 * out.println( div.toString() );
 *
 * // escaping for SQL
 * PreparedString query = new PreparedString( <93>SELECT * FROM users WHERE
[email protected] AND [email protected]<94> );
 * query.setSQLString( 1, request.getParameter( <93>name<94> ) );
 * query.setSQLString( 1, request.getParameter( <93>pass<94> ) );
 * stmt.execute( query.toString() );
 * </pre>
 *
 * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
 *         href="http://www.aspectsecurity.com">Aspect Security</a>
 * @since June 1, 2007
 */

(NOTE: This is how they are rendered in vim. Each of the <91>, <92>, etc.
are in reality a single character.)

The <pre> tags weren't originally there. I was hoping they might help, but
they had no effect. Either way, I'm pretty sure the <pre>...</pre> tags should
stay so all the lines are not munged together.

However, I'm not sure I understand Jeff's intent with all the
<#> sort of things listed here. Did he mean to use HTML entity encoding,
such as &#93; for <93>, etc.?  That wouldn't seem to make sense. My guess
was that somehow this was something left a by Windows tool using Windows
encoding instead of UTF8 encoding, but I'm not sure. But I'd guess that

	<91> == left '
	<92> == right '
	<93> == left "
	<94> == right "

but in reality, I think that (straight) ' and " are in order. So I'm going
to change these to:

/**
 * A parameterized string that can be used to send data to an interpreter.
 * <pre>
 * PreparedString div = new PreparedString( "<a href=\"@1\"
onmouseover=\"alert('@2')\">test</a>" );
 * div.setURL( 1, request.getParameter( "url" ) );
 * div.setJavaScriptString( 2, request.getParameter( "message" ) );
 * out.println( div.toString() );
 *
 * // escaping for SQL
 * PreparedString query = new PreparedString( "SELECT * FROM users WHERE [email protected]
AND [email protected]" );
 * query.setSQLString( 1, request.getParameter( "name" ) );
 * query.setSQLString( 1, request.getParameter( "pass" ) );
 * stmt.execute( query.toString() );
 * </pre>
 *
 * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
 *         href="http://www.aspectsecurity.com">Aspect Security</a>
 * @since June 1, 2007
 */

unless someone else (Jeff???) has a better idea of what to do with it. At
least this will allow the Javadoc to complete (with 291 warnings, but ONLY
warnings).

If these Javadoc changes look OK to everyone (especially to Jeff), then
I'll commit it to the 2.0_quality branch.

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME



More information about the OWASP-ESAPI mailing list