OWASP Java Encoder Project

= Main =

Welcome to the OWASP Java Encoder Project

Contextual output encoding is a programming technique necessary to stop Cross-Site Scripting (XSS). This project is a Java 1.5 simple-to-use, drop-in, high-performance encoder class with little baggage.

= Use the Java Encoder Project =

The general API pattern for the Java Encoder Project is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target output context and "untrustedData" is the untrusted user input.

For example, to use in a JSP (HTML attribute context, then HTML element content context):

  <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />

  <textarea name="text"><%= Encode.forHtmlContent(textValue) %></textarea>

Encode.forHtml(...) is generally safe for both of the above contexts, but slightly less efficient, since it encodes more characters than either context needs.

For JavaScript string data (a JavaScript string inside an HTML event-handler attribute, then inside a script block):

  <button onclick="alert('<%= Encode.forJavaScriptAttribute(data) %>');">click me</button>

  <script type="text/javascript">
    var msg = "<%= Encode.forJavaScriptBlock(message) %>";
    alert(msg);
  </script>

Again, Encode.forJavaScript(...) is generally safe for both of the above contexts, but slightly less efficient, since it encodes more characters.
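The following is an added example, not code from the OWASP page or the project itself: a plain Java rendering helper that places the same untrusted value into the four contexts shown above (HTML attribute, HTML content, JavaScript string in an onclick attribute, JavaScript string in a script block), choosing the matching Encode method for each. It assumes the OWASP Java Encoder jar (package org.owasp.encoder) is on the classpath; the class and variable names are illustrative.

```java
import org.owasp.encoder.Encode;

/**
 * Added example (not part of the OWASP Java Encoder Project): one HTML fragment
 * with four output contexts, each fed the same untrusted data through the
 * encoder that matches that context. Assumes org.owasp.encoder is on the classpath.
 */
public class ContextualEncodingDemo {

    /** Builds the fragment; every interpolation of untrusted data is encoded for its own context. */
    static String render(String untrustedName, String untrustedMessage) {
        StringBuilder html = new StringBuilder();

        // 1. Quoted HTML attribute value: forHtmlAttribute.
        //    The surrounding double quotes belong to the template, not to the encoded output.
        html.append("<input type=\"text\" name=\"data\" value=\"")
            .append(Encode.forHtmlAttribute(untrustedName))
            .append("\" />\n");

        // 2. HTML element content: forHtmlContent.
        html.append("<textarea name=\"text\">")
            .append(Encode.forHtmlContent(untrustedMessage))
            .append("</textarea>\n");

        // 3. JavaScript string inside an HTML event-handler attribute: forJavaScriptAttribute.
        //    This is a nested context: the browser HTML-decodes the attribute value *before*
        //    parsing it as JavaScript, so HTML-attribute encoding alone would be undone by the
        //    time the script runs. forJavaScriptAttribute produces output that is safe for both layers.
        html.append("<button onclick=\"alert('")
            .append(Encode.forJavaScriptAttribute(untrustedMessage))
            .append("');\">click me</button>\n");

        // 4. JavaScript string inside a <script> block: forJavaScriptBlock
        //    (also guards against the data closing the script block early).
        html.append("<script type=\"text/javascript\">\n  var msg = \"")
            .append(Encode.forJavaScriptBlock(untrustedMessage))
            .append("\";\n  alert(msg);\n</script>\n");

        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: contains the quote, bracket and tag characters
        // that would terminate each of the four contexts if written out unencoded.
        String probe = "\"'><script>alert('x')</script>";
        System.out.print(render(probe, probe));
    }
}
```

Compile and run with the encoder jar on the classpath and inspect the output: in every context the probe's quotes and angle brackets come out as entity or backslash escapes, so the fragment still parses as one input, one textarea, one button and one script block.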

== Other Contexts ==

Other contexts can be found in the org.owasp.encoder.Encode class methods, including CSS strings, CSS URLs, XML contexts, URIs and URI components.

= Build the Java Encoder Project =

Check out the source and run "mvn package" (using Maven 2.0 or 3.0).