Questions tagged [esapi]

The Enterprise Security API (ESAPI) is a library developed by the Open Web Application Security Project (OWASP). It is available for numerous languages, with the aim of providing the web-security-related features that those languages (and their standard APIs) lack.

Part of the Open Web Application Security Project. Details are available on the ESAPI homepage. Currently the API is available for:

  • Java
  • .Net
  • Classic ASP
  • PHP
  • ColdFusion and CFML
  • Python
  • JavaScript
307 questions
5 votes, 3 answers

ESAPI with Spring MVC

I am trying to use OWASP ESAPI for validating strings in a Spring MVC project. So far I have done: 1- org.owasp.esapi esapi 2.1.0.1 2- Added…
mnish
5 votes, 1 answer

Java bean validation alternatives to OWASP ESAPI

With OWASP demoting Java ESAPI from a flagship project and all of the discussion and uncertainty revolving around the library, I'd like to see what alternatives are available. I currently utilize ESAPI for input validation, HTML/JS/etc encoding and…
LetsBeFrank
5 votes, 3 answers

OWASP ESAPI encodeForHTML with some allowed formatting tags

In a web project, we use OWASP ESAPI in PHP for output encoding. At some points, we'd like to allow a subset of HTML for little formatting options (for example, and ), while disallowing all other tags and special characters (so they are…
leemes
5 votes, 2 answers

Input Validation using Hibernate Validator (JSR 303) vs other Frameworks (ESAPI, Apache Commons etc)

I've looked at various frameworks for input validations, including Hibernate Validator impl for JSR 303 bean validations, as well as ESAPI validator interface and its DefaultValidator implementation. ESAPI input validation revolves around regex…
MasterV
5 votes, 1 answer

antisamy-esapi.xml not found when trying to use OWASP ESAPI

I have been trying to eval the OWASP ESAPI library, but have been having issues just getting it to initialize properly. I set up a resources folder for ESAPI.properties and validation.properties and those are loaded from the classpath without issue.…
Peter Friend
4 votes, 1 answer

ColdFusion doing OWASP ESAPI via Java

I have some old ColdFusion code. It was originally written for CF9, but is now running on CF 2016. application.cfc local.esapi = createObject("java", "org.owasp.esapi.ESAPI"); application.esapiEncoder = local.esapi.encoder() Much…
James A Mohler
4 votes, 3 answers

How to suppress messages output by ESAPI library

Does anyone know how to suppress the following noisy messages output by the ESAPI library? System property [org.owasp.esapi.opsteam] is not set Attempting to load ESAPI.properties via file I/O. Attempting to load ESAPI.properties as resource file via…
Kohei TAMURA
4 votes, 1 answer

encodeForHTMLAttribute vs encodeForJavaScript

I'm trying to identify the difference between encodeForHTMLAttribute and encodeForJavaScript. Still, I couldn't find a scenario where untrusted data is used as JavaScript data values, which broke the code when escaped with encodeForHTMLAttribute,…
Chamila Wijayarathna
4 votes, 3 answers

Is ESAPI.NET a dead project?

I've been recently tasked with leading an effort to improve our input (and output) validation with OWASP recommendations and PCI compliance in mind. In the process, I'm trying to assess the value of the ESAPI.NET project which does not appear to…
Rick Putnam
4 votes, 1 answer

I am using the OWASP ESAPI encodeForHTMLAttribute, however symbols are displaying as their HTML entity number instead of the symbol

I am just learning about the OWASP ESAPI for XSS prevention and I am using the JavaScript version within my app. According to Rule #2 in the XSS prevention cheat sheet you should "Attribute Escape" before inserting untrusted data into attribute…
Sarah
4 votes, 3 answers

Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow)

I have scanned my application in the HP Fortify portal and am getting an issue: Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow). I am already using the ESAPI library. What should I do to solve this issue? Is there any other…
Shruti
4 votes, 1 answer

ESAPI XSS prevention for user supplied url property

One of my REST APIs is expecting a property "url" which expects a URL as input from the user. I am using ESAPI to prevent from XSS attacks. The problem is that the user supplied URL is something like http://example.com/alpha?abc=def&phil=key%3dbdj…
Nishant Nagwani
4 votes, 1 answer

Encoder and canonicalize in ESAPI

I understand what ESAPI is used for, but I see these two lines repeated in a lot of ESAPI examples. Can someone please explain what exactly this does? ESAPI.encoder().canonicalize(inputUrl,false,false);
rickygrimes
4 votes, 4 answers

How to fix the HTTP Response splitting vulnerability with ESAPI

After a recent FindBugs (FB) run it complains about a: Security - HTTP Response splitting vulnerability. The following code triggers it: String referrer = req.getParameter("referrer"); if (referrer != null) { launchURL += "&referrer="+(referrer); …
Lonzak