
To defend against Cross-Site Scripting attacks I have to sanitize HTML content. Previously I used the ESAPI encoder's canonicalize like this:

ESAPI.encoder().canonicalize(content);

The last update on that project was 3 years ago, so I wanted to move to their new project, the "OWASP Encoder Project".

But I couldn't find a way to use it to sanitize my content. For example, previously when I ran the canonicalize method on content like "%3Cscript%3E" I would get back "<script>", but now, no matter which encoder I use, it just doesn't do the same job. Maybe I missed something?

Usman Ali
neorus
  • So ESAPI 2.2 is likely to be released at the end of the month, FYI. Second, the Owasp Encoder project escapes output ONLY. It has NO facilities to decode. It also does not provide canonicalization. FWIW, we have *never* recommended storing canonicalized data: The intent was *always* for prepping data to be validated, and then discarding the data after validation. – avgvstvs May 30 '19 at 16:28
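The split avgvstvs describes, as an added example that is not code from the question, ESAPI or the OWASP Java Encoder project: ESAPI's canonicalize() only prepares input for an allow-list check (the decoded value is then discarded), while Encode.forHtml() escapes at the point of output and never decodes. It assumes both libraries on the classpath, a valid ESAPI.properties on the ESAPI resource path, and a hypothetical display-name field with the allow-list shown.

```java
import org.owasp.encoder.Encode;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;

import java.util.regex.Pattern;

public class EncodeVsCanonicalize {

    // Hypothetical allow-list for a display-name field (an assumption of this example).
    private static final Pattern DISPLAY_NAME = Pattern.compile("^[\\p{L}\\p{N} .'-]{1,40}$");

    /** Input side: canonicalize, validate, then keep the ORIGINAL value, not the decoded one. */
    static boolean isValidDisplayName(String untrusted) {
        try {
            // canonicalize() decodes %3C, &lt;, etc., so a character cannot be hidden
            // from the allow-list check behind a URL or entity encoding layer.
            String canonical = ESAPI.encoder().canonicalize(untrusted);
            return DISPLAY_NAME.matcher(canonical).matches();
        } catch (IntrusionException e) {
            // Raised by default for double or mixed encoding; treat the input as invalid.
            return false;
        }
    }

    /** Output side: escape for the HTML text context exactly where the value is emitted. */
    static String renderGreeting(String name) {
        return "<p>Hello, " + Encode.forHtml(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, the question's encoded one, one raw tag.
        String[] inputs = { "Alice", "%3Cscript%3E", "<script>alert(1)</script>" };
        for (String in : inputs) {
            // Validation decides whether the value is accepted at all...
            System.out.println(in + " valid=" + isValidDisplayName(in));
            // ...and output encoding still protects the page for whatever is rendered.
            // Encode.forHtml("<script>") gives "&lt;script&gt;"; "%3Cscript%3E" is left
            // as-is because the encoder does not decode anything.
            System.out.println("  rendered: " + renderGreeting(in));
        }
    }
}
```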

1 Answer


The ESAPI 2.2.0.0-RC2 release is already available; give it a try. The RC3 release should be available in the next couple of days. (I'm just waiting on some comments from fellow ESAPI contributors at this point.) I am anticipating the 2.2.0.0 release to be out before the end of June 2019. We never actually stopped supporting it; it just took forever to figure out how to do the Maven magic to get the releases uploaded correctly.

-kevin wall, ESAPI project co-leader

Kevin W. Wall
  • What's new in this version? Can you redirect me to the goals/maintenance/version control of this version? Thanks! – neorus Jun 04 '19 at 04:31
  • The ESAPI 2.2.0.0 release notes are in: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.0.0-release-notes.txt – Kevin W. Wall Jun 06 '19 at 01:55