[OWASP-ESAPI] ESAPI-related SQLi/XSS cheat sheet questions

Kevin W. Wall kevin.w.wall at gmail.com
Sat Aug 29 09:12:15 EDT 2009

Jim Manico wrote:
> Kevin,
> ...
> The case where a developer is using multiple implementations of the
> encoder seems odd to me at best, but I get your edge-case-ish point. Do
> you have a suggestion to clean this up?

Given enough developers using ESAPI Java, someone will likely do
this. If we want to keep the same interfaces, then we could simply
point out warnings, or we could make the 'setters' protected, which
would require them to subclass the ESAPI class first to do something
stupid like this. I really haven't thought very hard about alternatives
at this point. I'll ruminate a bit more on it to see if I come up with
anything. But making classes reusable, extensible, and also thread-safe
without a big performance hit is not a simple task.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
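Added illustration (not part of the thread, and not ESAPI's own code or API): a hypothetical process-wide encoder locator with a public static setter, the shape the two messages above are worried about, run under several threads that each "select" an implementation and then encode. The class names (`OpenLocator`, `GuardedLocator`, `MyLocator`, `PassThroughEncoder`) and the constructed input `"<script>"` are assumptions made for the demo; the second locator shows the protected-setter variant Kevin mentions, which forces callers outside the package to subclass before they can swap the instance.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

public class EncoderSwapRace {

    /** Hypothetical encoder contract, not ESAPI's Encoder interface. */
    interface Encoder { String encodeForHTML(String input); }

    static final class HtmlEncoder implements Encoder {
        public String encodeForHTML(String s) {
            return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
        }
    }

    /** Stand-in for a second, differently behaving implementation someone plugs in. */
    static final class PassThroughEncoder implements Encoder {
        public String encodeForHTML(String s) { return s; }
    }

    /** Process-wide locator with a public setter: any code path can replace the shared instance. */
    static final class OpenLocator {
        private static volatile Encoder encoder = new HtmlEncoder();
        static Encoder encoder() { return encoder; }
        public static void setEncoder(Encoder e) { encoder = e; }
    }

    /**
     * Same locator with the setter made protected. Callers in another package must subclass
     * it to swap the encoder. Note that in Java, protected also grants same-package access, so
     * inside this single file the call still compiles; the restriction bites across packages.
     */
    static class GuardedLocator {
        private static volatile Encoder encoder = new HtmlEncoder();
        static Encoder encoder() { return encoder; }
        protected static void setEncoder(Encoder e) { encoder = e; }
    }

    /** The subclass route that stays open with a protected setter. */
    static final class MyLocator extends GuardedLocator {
        static void usePassThrough() { setEncoder(new PassThroughEncoder()); }
    }

    /**
     * Each worker sets the HTML encoder and immediately encodes; a flipper thread swaps the
     * global in between. Returns how many worker calls produced unescaped markup, i.e. how
     * often a worker's choice was overwritten before it was used. Zero is possible on a
     * given run because this is a genuine race, but it is usually well above zero.
     */
    static int raceCount(int workers, int iterations) throws InterruptedException {
        AtomicInteger unescaped = new AtomicInteger();
        Thread flipper = new Thread(() -> {
            for (int i = 0; i < iterations; i++) {
                OpenLocator.setEncoder(new PassThroughEncoder());
                OpenLocator.setEncoder(new HtmlEncoder());
            }
        });
        List<Thread> pool = new ArrayList<>();
        for (int w = 0; w < workers; w++) {
            pool.add(new Thread(() -> {
                for (int i = 0; i < iterations; i++) {
                    OpenLocator.setEncoder(new HtmlEncoder());          // worker "chose" HTML encoding
                    String out = OpenLocator.encoder().encodeForHTML("<script>"); // constructed input
                    if (out.contains("<")) unescaped.incrementAndGet();  // choice was overwritten
                }
            }));
        }
        flipper.start();
        for (Thread t : pool) t.start();
        flipper.join();
        for (Thread t : pool) t.join();
        return unescaped.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unescaped outputs with public setter: " + raceCount(4, 100_000));
        // With the protected setter, code outside the package cannot call
        // GuardedLocator.setEncoder(...) directly; MyLocator is what it would have to write.
        MyLocator.usePassThrough();
        System.out.println("after subclass override: " + GuardedLocator.encoder().encodeForHTML("<b>"));
    }
}
```

The point of the race counter is that the failure is silent: each worker did select the safe encoder, and the output that reaches the page is still unencoded. Making the setter protected does not remove that hazard, it only makes the person who introduces it write a subclass, which is the speed bump (rather than a fix) that the message above is weighing against simply documenting a warning.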
