Difference between revisions of "Projects/OWASP Java Encoder Project"

From OWASP
Line 55: Line 55:
  
 
The general API pattern to utilize the Java Encoder Project is
 
The general API pattern to utilize the Java Encoder Project is
<b>"Encode.forContextName(untrustedData)"<b>, where "ContextName" is the
+
<b>"Encode.forContextName(untrustedData)"</b>, where "ContextName" is the
 
name of the target context and "untrustedData" in untrusted user input.
 
name of the target context and "untrustedData" in untrusted user input.
  
 
For example, to use in a JSP:
 
For example, to use in a JSP:
  
<input type="text" name="data" value="<%=
+
<b><input type="text" name="data" value="<%=
Encode.forHtmlAttribute(dataValue) %>" />
+
Encode.forHtmlAttribute(dataValue) %>" /></b>
  
<textarea name="text"><%= Encode.forHtmlContent(textValue) %>" />
+
<b><textarea name="text"><%= Encode.forHtmlContent(textValue) %>" /></b>
  
Generally Encode.forHtml(...) is safe but slightly less efficient for
+
Generally <b>Encode.forHtml(...)</b> is safe but slightly less efficient for
 
the above two contexts (since it encodes more characters than
 
the above two contexts (since it encodes more characters than
 
necessary).
 
necessary).
  
For JavaScript string data, here's some more examples:
+
For JavaScript string data:
  
<button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg)
+
<b><button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg)
%>');">click me</button>
+
%>');">click me</button></b>
  
 +
<b>
 
<script type="text/javascript">
 
<script type="text/javascript">
 
var msg = "<%= Encode.forJavaScriptBlock(message) %>";
 
var msg = "<%= Encode.forJavaScriptBlock(message) %>";
 
alert(msg);
 
alert(msg);
 
</script>
 
</script>
 +
</b>
  
 
Again generally Encode.forJavaScript is safe for the above two
 
Again generally Encode.forJavaScript is safe for the above two
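Review bot: the `<textarea>` snippet is malformed HTML in both the old and the new column of this hunk: `<textarea name="text"><%= Encode.forHtmlContent(textValue) %>" />` carries a stray `"` and a self-closing `/>` where the element needs an explicit closing tag, so the rendered example would not parse as the author intends. Suggest `<textarea name="text"><%= Encode.forHtmlContent(textValue) %></textarea>` alongside the `<b>` wrapping this revision adds. The change from `<b>"Encode.forContextName(untrustedData)"<b>` to `<b>"Encode.forContextName(untrustedData)"</b>` correctly closes the tag that the previous revision left open.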
Line 84: Line 86:
 
Other contexts can be found in the org.owasp.Encode class methods,
 
Other contexts can be found in the org.owasp.Encode class methods,
 
including CSS strings, CSS urls, XML contexts, URIs and URI
 
including CSS strings, CSS urls, XML contexts, URIs and URI
components. Additional contexts can be added before rel 1.0 if you
+
components.  
have any ideas.
+
 
+
  
 
__NOTOC__ <headertabs />
 
__NOTOC__ <headertabs />
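Review bot: the replacement line `components.  ` keeps trailing whitespace and the hunk adds two empty lines where the sentence "Additional contexts can be added before rel 1.0 if you have any ideas." was removed, which leaves a gap before `__NOTOC__ <headertabs />`. Suggest ending the paragraph at `components.` with no trailing spaces and without the added blank lines.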

Revision as of 15:06, 30 March 2012


what is this project?
Name: OWASP Java Encoder Project (home page)
Purpose:
  • This project is a simple-to-use drop-in encoder class with little baggage.
  • This code was designed for high-availability/high-performance encoding functionality.
  • The key motivation for the separate project was:
  1. Simple drop-in encoding functionality
  2. Redesigned for performance
  3. More complete API (uri and uri component encoding, etc) in some regards.
  • This is a Java 1.5 project.
License: New BSD License
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
OWASP Java Encoder Project 1.1.1 - January 30, 2014 - (download)
Release description: Critical fix of bug described here https://code.google.com/p/owasp-java-encoder/issues/detail?id=4
Rating: Not Rated
last reviewed release
Not Yet Reviewed


other releases

Check out the source and run "mvn package" (using Maven 2.0 or 3.0).

The general API pattern to utilize the Java Encoder Project is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target context and "untrustedData" is untrusted user input.

For example, to use in a JSP:

<input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />

<textarea name="text"><%= Encode.forHtmlContent(textValue) %></textarea>

Generally Encode.forHtml(...) is safe but slightly less efficient for the above two contexts (since it encodes more characters than necessary).

For JavaScript string data:

<button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button>

<script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(message) %>";
alert(msg);
</script>

Again, generally Encode.forJavaScript is safe for the above two contexts, but slightly less efficient since it encodes more characters.
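To make the per-context reasoning above concrete, here is an added example (not the OWASP Java Encoder's own code or character tables, but a simplified Python model of the contexts it names): each encoder escapes only what its context can be broken by, the "forHtml"/"forJavaScript" variants are the union, and a small check shows why the JavaScript-attribute variant must also neutralise `&` and quotes before the browser's HTML attribute decoding runs. Function names mirror the page's API; all inputs are constructed.

```python
"""Simplified model of context-specific output encoding (added example)."""
import html

# HTML contexts: element content is broken by & < > ; an attribute value by
# & < and whichever quote delimits it. Simplified: ASCII specials only.
_HTML_CONTENT = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}
_HTML_ATTR = {"&": "&amp;", "<": "&lt;", '"': "&#34;", "'": "&#39;"}

def _substitute(s, table):
    return "".join(table.get(c, c) for c in s)

def for_html_content(s):
    return _substitute(s, _HTML_CONTENT)

def for_html_attribute(s):
    return _substitute(s, _HTML_ATTR)

def for_html(s):
    # Union of both tables: safe in either context, more output bytes.
    return _substitute(s, {**_HTML_CONTENT, **_HTML_ATTR})

# JavaScript string contexts use \xHH escapes rather than \" or \' because a
# \xHH sequence contains nothing that HTML attribute decoding or the
# </script> scanner cares about. Inside a <script> block no HTML decoding
# happens, so & and > can stay; inside an onclick attribute they cannot.
_JS_BLOCK = set("\\'\"</\n\r")
_JS_ATTR = _JS_BLOCK | set("&>")

def _js_escape(s, specials):
    return "".join(f"\\x{ord(c):02x}" if c in specials or ord(c) < 0x20 else c
                   for c in s)

def for_javascript_block(s):
    return _js_escape(s, _JS_BLOCK)

def for_javascript_attribute(s):
    return _js_escape(s, _JS_ATTR)

def for_javascript(s):
    return _js_escape(s, _JS_ATTR)   # superset, safe in both contexts

def render_onclick(alert_msg):
    """The page's onclick example: attribute delimited by ", JS string by '."""
    return '<button onclick="alert(\'{}\');">click me</button>'.format(
        for_javascript_attribute(alert_msg))

def attribute_value_intact(rendered):
    """Defender check: after HTML attribute decoding, the onclick attribute
    must still contain exactly its two delimiting double quotes."""
    decoded = html.unescape(rendered.split("onclick=", 1)[1])
    return decoded.count('"') == 2
```

Compare `for_javascript_block("&lt;")`, which leaves the text alone, with `for_javascript_attribute("&lt;")`, which yields `\x26lt;` so the browser cannot turn it into `<` before the script ever runs.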

Other contexts can be found in the org.owasp.Encode class methods, including CSS strings, CSS urls, XML contexts, URIs and URI components.