
In the last year I used the ESAPI project to sanitize and bring the HTML to a common form; today I saw that my main heavy "traffic" is mainly because of the only line that I use from ESAPI:

ESAPI.encoder().canonicalize(string);

I read about OWASP's new project "Java Encoder", which is a lightweight version of the whole ESAPI for those who want to use only the encoder (and I do). The only thing I don't quite understand is how to replace that one line with the new Encoder (since it doesn't have encoder() and canonicalize() functions). The only way I found is to parse it through:

Encode.forHtml(input);
Encode.forCssString(input);

and so on. Is there another way? Or maybe I didn't understand the documentation correctly.

neorus
  • Yes. Don't forget to add the .jar in your pom.xml or other artifact and pass the string to encode as the argument. – SPoint May 28 '19 at 16:44
  • Yes, of course. But isn't there another way to canonicalize without passing it to 10 different functions? (If I'm not mistaken, canonicalize does that: it searches for a specific format and parses it.) – neorus May 29 '19 at 07:07
  • Also, it's not working the same. Previously, if I passed an argument like "%3Cscript%3E" to canonicalize it would return – neorus May 30 '19 at 04:59
  • The OWASP Encoder project ONLY escapes output. It does no intrusion detection nor decoding of user input. – avgvstvs Jun 04 '19 at 21:28
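An added example in Java (not from the question, nor from the ESAPI or Java Encoder projects) showing the gap the last comment points out: Java Encoder escapes a string for an output context but never decodes it, so the decoding that `ESAPI.encoder().canonicalize()` performed has to be supplied separately. The `canonicalize` helper below is hypothetical and only percent-decodes; ESAPI's real canonicalizer covers more codecs.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import org.owasp.encoder.Encode;

public class CanonicalizeThenEncode {

    /** Stable (fully decoded) form of an input plus the number of decoding passes it took. */
    static final class Canonical {
        final String value;
        final int passes;
        Canonical(String value, int passes) { this.value = value; this.passes = passes; }
    }

    /**
     * Hypothetical stand-in for the decoding half of ESAPI.encoder().canonicalize():
     * percent-decode until the string stops changing, bounded by maxPasses.
     * Not ESAPI's algorithm (ESAPI also handles HTML entities, JavaScript escapes and
     * other codecs, and rejects mixed encodings); it only marks the step Java Encoder lacks.
     */
    static Canonical canonicalize(String input, int maxPasses) {
        String current = input;
        for (int pass = 1; pass <= maxPasses; pass++) {
            String decoded;
            try {
                // Note: URLDecoder also maps '+' to a space (form-encoding rule).
                decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                // Dangling '%' or bad hex digit: nothing further to decode.
                return new Canonical(current, pass - 1);
            }
            if (decoded.equals(current)) {
                return new Canonical(current, pass - 1);
            }
            current = decoded;
        }
        // Still changing after maxPasses: reject rather than keep peeling layers.
        throw new IllegalArgumentException("input still decoding after " + maxPasses + " passes");
    }

    public static void main(String[] args) {
        String raw = "%3Cscript%3E"; // constructed sample: a percent-encoded tag
        // Output encoding alone: '%' is not special in HTML, so the string passes through unchanged.
        System.out.println(Encode.forHtml(raw));
        // Decode first (what canonicalize() used to do), then encode for the output context.
        Canonical c = canonicalize(raw, 3);
        System.out.println(c.passes + " pass(es): " + Encode.forHtml(c.value));
        // Double-encoded input takes two passes; a policy can reject that, as ESAPI does.
        Canonical d = canonicalize("%253Cscript%253E", 3);
        System.out.println(d.passes + " pass(es): " + Encode.forHtml(d.value));
    }
}
```

The sample needs `org.owasp.encoder:encoder` on the classpath; with Java Encoder alone the percent-encoded sample is returned untouched, and only after the decode step is the tag rendered inert as `&lt;script&gt;`.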

0 Answers