I understand what ESAPI is used for, but I see these two lines repeated in a lot of ESAPI examples. Can someone please explain what exactly this does?

ESAPI.encoder().canonicalize(inputUrl,false,false);
The Guy with The Hat
rickygrimes

1 Answer

See the docs:

Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form. This is important, because attackers frequently use encoding to change their input in a way that will bypass validation filters, but still be interpreted properly by the target of the attack. Note that data encoded more than once is not something that a normal user would generate and should be regarded as an attack.

The two additional parameters which are set to false in your example indicate whether or not to restrict multiple encoding and mixed encoding (see docs for meaning), respectively.

XiaoChuan Yu
  • Hi, I also need to use the `encoder.encodeForHTML(String)`. So should I do the **canonicalization** first or the `encodeForHTML()` first? What should be my order? – Sajib Acharya May 13 '16 at 18:33
  • 1
    FYI: new link for documentation: https://static.javadoc.io/org.owasp.esapi/esapi/2.1.0/org/owasp/esapi/Encoder.html#canonicalize(java.lang.String) – user969039 Mar 01 '17 at 07:51
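Added example (not from the question, the answer or the ESAPI project) showing what the two boolean flags change in practice, and the input-canonicalize / output-encode ordering asked about in the comment above. It assumes the ESAPI jar and a valid `ESAPI.properties` on the classpath; the three sample inputs are constructed.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.IntrusionException;

public class CanonicalizeDemo {
    // Constructed samples: the same "<script>" payload with different encoding layers.
    static final String SINGLE = "%3Cscript%3E";           // one layer of URL encoding
    static final String DOUBLE = "%253Cscript%253E";       // "%25" is an encoded "%": two layers
    static final String MIXED  = "%26lt%3Bscript%26gt%3B"; // HTML entities wrapped in URL encoding

    /**
     * Reduce input to its simplest form. restrictMultiple forbids input that needed more than
     * one decoding pass; restrictMixed forbids input decoded by more than one codec (URL + HTML).
     * ESAPI signals either violation with an IntrusionException, which callers must handle.
     */
    static String canonicalizeOrReject(String input, boolean restrictMultiple, boolean restrictMixed) {
        Encoder enc = ESAPI.encoder();
        try {
            return enc.canonicalize(input, restrictMultiple, restrictMixed);
        } catch (IntrusionException e) {
            // A normal user never produces layered encoding, so treat it as an attack and stop here.
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Permissive flags (as in the question): every layer is peeled off and the payload is revealed.
        System.out.println(canonicalizeOrReject(DOUBLE, false, false));
        // Strict flags: the same double-encoded input is rejected rather than decoded.
        System.out.println(canonicalizeOrReject(DOUBLE, true, true));
        // Mixed encoding is only rejected when restrictMixed is true.
        System.out.println(canonicalizeOrReject(MIXED, false, true));

        // Ordering: canonicalize (then validate) on the way in, encodeForHTML on the way out.
        // Encoding first would be undone by canonicalization; canonicalizing output would strip protection.
        String canonical = canonicalizeOrReject(SINGLE, true, true);
        String safeForHtmlPage = ESAPI.encoder().encodeForHTML(canonical);
        System.out.println(safeForHtmlPage);
    }
}
```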