Questions tagged [esapi]

The Enterprise Security API (ESAPI) is a library developed by the Open Web Application Security Project (OWASP). It is available for numerous languages and aims to provide the web-security-related features (input validation, output encoding, canonicalization and similar) that those languages and their standard APIs lack.

Part of the Open Web Application Security Project. Details are available on the ESAPI homepage. Currently the API is available for:

  • Java
  • .Net
  • Classic ASP
  • PHP
  • ColdFusion and CFML
  • Python
  • JavaScript
257 questions
3 votes, 3 answers

Where should I locate a common ESAPI.properties file used by multiple wars inside an ear?

I have two modules that will use ESAPI with the same properties files (ESAPI and validation.properties). These modules output to wars that are contained in an ear. I have the properties files inside one of the war files, where they are found at…
davidjmcclelland
3 votes, 1 answer

Filter out encoded JavaScript content from request

I have a problem where I am trying to cleanse the request content to strip out HTML and JavaScript if included in the input parameters. This is basically to protect against XSS attacks, and the ideal mechanism would be to validate input and encode…
Ash
3 votes, 3 answers

ESAPI with Spring MVC

I am trying to use OWASP ESAPI for validating strings in a Spring MVC project. So far I have done: 1- org.owasp.esapi esapi 2.1.0.1 2- Added…
mnish
3 votes, 3 answers

Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow)

I have scanned my application in the HP Fortify portal and am getting an issue, Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow). I am already using the ESAPI library. What should I do to solve this issue? Is there any other…
Shruti
3 votes, 2 answers

ESAPI for XSS prevention not working

I am working on fixing cross-site scripting issues in our code, mainly in JSPs. Below is the original code: //scriptlet code <% String userId = request.getParameter("sid"); ...%> and in the same JSP they have
Pro
3 votes, 1 answer

Java Jersey REST Request Parameter Sanitation

I'm trying to make sure my Jersey request parameters are sanitized. When processing a Jersey GET request, do I need to filter non String types? For example, if the parameter submitted is an integer are both option 1 (getIntData) and option 2…
Voltron
3 votes, 1 answer

Encoder and canonicalize in ESAPI

I understand what ESAPI is used for, but I see these two lines repeated in a lot of ESAPI examples. Can someone please explain what exactly this does? ESAPI.encoder().canonicalize(inputUrl,false,false);
rickygrimes
3 votes, 0 answers

ESAPI + Spring MVC

I want to implement ESAPI in Spring MVC for XSS. We have to use the ESAPI validator API to implement it. The ESAPI property holds the acceptable value for each form field. How should the configuration look to use ESAPI within Spring…
3 votes, 1 answer

How to implement the OWASP ESAPI validator with groups of validation attempts in ColdFusion?

I have been playing around with the OWASP ESAPI utilities that are included with ColdFusion 9 (ColdFusion's Built-in Enterprise Security API). The encoder utilities are pretty straightforward and I believe I have them working fine. My problem is with…
Miguel-F
2 votes, 3 answers

ESAPI for PHP nonexistent?

I've been trying to find the PHP version of ESAPI for quite a while now but all I can find is a ton of documentation and interfaces. I couldn't find any functioning code at the repository either. Do any finished classes even exist?
user1062604
2 votes, 2 answers

Error using esapi with CF8 and JavaLoader

java.lang.reflect.InvocationTargetException SecurityConfiguration class (org.owasp.esapi.reference.DefaultSecurityConfiguration) CTOR threw exception. I get the above error when I try to do
ztatic
2 votes, 3 answers

Coldfusion/Lucee Encoding Issue When Using EncodeForHTML

Running into an issue when using EncodeForHTML for certain characters (emojis in this case). The text in this case is: ⌛️abc ‍♀️‍♀️‍♀️ Now if I just do a straight output #txt# it displays correctly, no issues, but if I use…
Jacob FW
2 votes, 2 answers

How to resolve External Control of File Name or Path (CWE ID 73)

I am working on fixing Veracode issues in my application. Veracode has highlighted the flaw "External Control of File Name or Path (CWE ID 73)" in the below code. Thread.currentThread().getContextClassLoader().getResourceAsStream(lookupName) How do I…
Nicolas
2 votes, 3 answers

How to fix open redirect issue in Java

Currently my Java code uses response.sendRedirect(request.getRequestUrl().toString()); which is an open redirect. I have to fix this but I cannot whitelist it since there are too many URLs associated with it. I have tried the following…
Neeraj Sharma
2 votes, 2 answers

I am getting Cross-Site Scripting: Poor Validation on Struts call to a bean class

I scanned my application in HP Fortify and am getting an issue, Cross-Site Scripting: Poor Validation. I am using the ESAPI library. I am getting this finding on a Struts application. <%@ taglib prefix="s" uri="/struts-tags" %>
Richard Sandoz