[Owasp-leaders] Encoding projects at OWASP

Jim Manico jim.manico at owasp.org
Tue Apr 12 11:06:22 EDT 2011

OWASP Leaders,

At this point have at least 3 different output encoding projects at OWASP all meant to stop XSS.

The OWASP REFORM project led the charge. It's actually an incredibly powerful project with encoding support for a wide variety of languages!

The ESAPI project has its own series of encoders in various states of completion. Overall, the Reform projects looks more complete from a language point of view, while ESAPI supports a few more contexts that REFORM does not.

I also started a new Java project intended to be a more high performance encoder for SaaS applications.

There are also several encoders at Apache and other open source projects. 

This is completely maddening for a developer. Where to go? What to use?

So I'm wondering if there would be a way to bring these projects together somehow.

John Steven and Dinis recommended we set up unit tests that all other encoder projects could use to verify their completeness. I'm a few years late, but I finally see the wisdom in this.

Aloha from Paris,
- Jim

More information about the OWASP-Leaders mailing list