OWASP Java Encoder Project

= Main = 

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Java Encoder Project
The OWASP Java Encoder is a Java 1.5 simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!

Introduction
Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5 simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. It provides numerous encoding functions to help defend against XSS in a variety of different HTML, JavaScript, XML and CSS contexts.

Quick Overview
The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.1.1.jar, import org.owasp.encoder.Encode and start encoding.

Example usage:

PrintWriter out = ....; out.println(" "+Encode.forHtml(userData)+" ");

Please look at the javadoc for Encode to see the variety of contexts for which you can encode.

If you want to try it out or see it in action, head over to "Can You XSS This? (.com)" and hit it with your best XSS attack vectors!

Happy Encoding!

Licensing
The OWASP Java Encoder is free to use under the New BSD License.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is this?
The OWASP Java Encoder provides:


 * Output Encoding functions to help stop XSS
 * Java 1.5+ standalone library

Code Repo
OWASP Java Encoder at Google Code

Project Leader
Project Leader: Jeff Ichnowski (The Encoding Grandmaster) Contributors: Jeremy Long Jim Manico

Related Projects

 * XSS (Cross Site Scripting) Prevention Cheat Sheet
 * OWASP Java HTML Sanitizer Project
 * OWASP JSON Sanitizer

OWASP_Java_Encoder_Project


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Download

 * encoder-1.1.1.jar

News and Events

 * [30 Jan 2014] 1.1.1 Released!

In Print
We will be releasing a user guide soon!

Classifications

 * }

= Use the Java Encoder Project =

The general API pattern to utilize the Java Encoder Project is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target context and "untrustedData" in untrusted user input.

For example, to use in a JSP
" />

 <%= Encode.forHtmlContent(textValue) %>" />

Generally Encode.forHtml(...) is safe but slightly less efficient for the above two contexts (since it encodes more characters than necessary).

For JavaScript string data
');">click me 

  var msg = "<%= Encode.forJavaScriptBlock(message) %>"; alert(msg); 

Again generally Encode.forJavaScript is safe for the above two context, but slightly less efficient since it encodes more characters.

Other Contexts
Other contexts can be found in the org.owasp.Encode class methods, including CSS strings, CSS urls, XML contexts, URIs and URI components.

= Deploy the Java Encoder Project =

The OWASP Java Encoder version 1.1.1 is now available in central!

OWASP Encoder at Maven Central.

Core
Direct Download: encoder-1.1.1.jar

Maven
org.owasp.encoder encoder 1.1.1

JSP Tag Library
Direct Download: encoder-jsp-1.1.1.jar

Maven
org.owasp.encoder encoder-jsp</artifactId> 1.1.1

= About =