Difference between revisions of "Projects/OWASP Java Encoder Project"

From OWASP
m (add jeremy long to project)
(21 intermediate revisions by one user not shown)
Line 1: Line 1:
 +
= Main =
 +
 +
<b>Welcome to the OWASP Java Encoder Project</b>
 +
 +
<i>Contextual Output Encoding</i> is a computer programming technique necessary to stop [https://www.owasp.org/index.php/XSS_Prevention_Cheat_Sheet Cross Site Scripting]. This project is a Java 1.5 simple-to-use drop-in high-performance encoder class with little baggage.
 +
 
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
 
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
  
 
| project_name = OWASP Java Encoder Project
 
| project_name = OWASP Java Encoder Project
 
+
| project_info = '''Welcome to the OWASP Java Encoder Project'''
 
| project_home_page = OWASP Java Encoder Project
 
| project_home_page = OWASP Java Encoder Project
  
 
| project_description =  
 
| project_description =  
 
*This project is a simple-to-use drop-in encoder class with little baggage.
 
*This project is a simple-to-use drop-in encoder class with little baggage.
*This code was donated from SuccessFactors as part of the [[OWASP Java XML Templates Project|OWASP JXT project]]. This code was designed for high-availability/high-performanceencoding functionality.
+
*No third party libraries or configuration necessary.
*The current code base averages: 744ns/encode for XML We have plans to optimize it past: 450ns/encode (fairly easily) ESAPI.encodeForXML with same benchmark data: 3450ns/encode (7x slower)
+
*This code was designed for high-availability/high-performance encoding functionality.
 
*The key motivation for the separate project was:
 
*The key motivation for the separate project was:
#Simple drop-in encoding functionality
+
# Simple drop-in encoding functionality
#Redesigned for performance
+
# Redesigned for performance
 
# More complete API (uri and uri component encoding, etc) in some regards.
 
# More complete API (uri and uri component encoding, etc) in some regards.
 
*This is a Java 1.5 project.
 
*This is a Java 1.5 project.
*We are currently finishing up the core encoding capability and will have all of the other ESAPI-encoder functions supported soon as well.
 
  
 
| project_license = [http://www.opensource.org/licenses/bsd-license.php New BSD License]
 
| project_license = [http://www.opensource.org/licenses/bsd-license.php New BSD License]
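Review bot: the rewritten description drops the provenance sentence from the old side ("*This code was donated from SuccessFactors as part of the ... OWASP JXT project") while keeping the second half of that bullet as "*This code was designed for high-availability/high-performance encoding functionality."; keep the donation as an attribution line, since it is the origin of the New BSD licensed code base. The old benchmark bullet ("744ns/encode for XML ... ESAPI.encodeForXML with same benchmark data: 3450ns/encode") is also removed without current numbers replacing it, so the "Redesigned for performance" motivation is now asserted on the page without evidence.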
Line 25: Line 30:
 
| contributor_email1 = jim.manico@owasp.org
 
| contributor_email1 = jim.manico@owasp.org
 
| contributor_username1 = Jmanico
 
| contributor_username1 = Jmanico
 +
 +
| contributor_name2 = Jeremy Long
 +
| contributor_email2 =  jeremy.long@gmail.com
 +
| contributor_username2 =
  
 
| pamphlet_link =  
 
| pamphlet_link =  
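Review bot: contributor_username2 is left empty while contributor_name2 and contributor_email2 are filled in, so the template cannot link Jeremy Long's wiki account; either supply the username or drop the blank parameter. Consider also whether a personal gmail address belongs on the public project page when contributor_email1 uses an owasp.org address.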
Line 32: Line 41:
 
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-java-encoder-project
 
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-java-encoder-project
  
| project_road_map = http://www.owasp.org/index.php/OWASP_Java_Encoder_Project/Roadmap
+
| project_road_map =  
  
 
| links_url1 = http://code.google.com/p/owasp-java-encoder/
 
| links_url1 = http://code.google.com/p/owasp-java-encoder/
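Review bot: project_road_map is blanked rather than updated; the previous value pointed at http://www.owasp.org/index.php/OWASP_Java_Encoder_Project/Roadmap, and with the empty parameter the rendered page reports "Project Roadmap: Not Yet Created". If that roadmap page still exists, restore the link; if it was removed, say so in the edit summary.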
Line 40: Line 49:
 
| links_name2 =  
 
| links_name2 =  
  
| release_1 = Coming soon
+
| release_1 = http://code.google.com/p/owasp-java-encoder/
 
| release_2 =  
 
| release_2 =  
 
| release_3 =
 
| release_3 =
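Review bot: release_1 now points at the Google Code project root (http://code.google.com/p/owasp-java-encoder/) instead of a versioned release artifact, so the release section carries no version number or date; link the specific download and name the version, as the release template expects.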
Line 47: Line 56:
 
| project_about_page = Projects/OWASP Java Encoder Project
 
| project_about_page = Projects/OWASP Java Encoder Project
 
}}
 
}}
 +
 +
= Use the Java Encoder Project =
 +
 +
The general API pattern to utilize the Java Encoder Project is
 +
<b>"Encode.forContextName(untrustedData)"</b>, where "ContextName" is the
 +
name of the target context and "untrustedData" in untrusted user input.
 +
 +
== For example, to use in a JSP ==
 +
 +
<b><input type="text" name="data" value="<%=
 +
Encode.forHtmlAttribute(dataValue) %>" /></b>
 +
 +
<b><textarea name="text"><%= Encode.forHtmlContent(textValue) %>" /></b>
 +
 +
Generally <b>Encode.forHtml(...)</b> is safe but slightly less efficient for
 +
the above two contexts (since it encodes more characters than
 +
necessary).
 +
 +
== For JavaScript string data ==
 +
 +
<b><button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg)
 +
%>');">click me</button></b>
 +
 +
<b>
 +
<script type="text/javascript">
 +
var msg = "<%= Encode.forJavaScriptBlock(message) %>";
 +
alert(msg);
 +
</script>
 +
</b>
 +
 +
Again generally Encode.forJavaScript is safe for the above two
 +
context, but slightly less efficient since it encodes more characters.
 +
 +
== Other Contexts ==
 +
 +
Other contexts can be found in the org.owasp.Encode class methods,
 +
including CSS strings, CSS urls, XML contexts, URIs and URI
 +
components.
 +
 +
= Build the Java Encoder Project =
 +
 +
<b>checkout and run "mvn package" (using maven 2.0 or 3.0)</b>
 +
 +
__NOTOC__ <headertabs />
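Review bot: the added textarea example is malformed: `<textarea name="text"><%= Encode.forHtmlContent(textValue) %>" />` ends the element with `" />` instead of `</textarea>`, leaving a stray quote and an unclosed element in the sample a reader will copy. The Other Contexts paragraph names the class as org.owasp.Encode; the library's class is org.owasp.encoder.Encode. The method names used in the snippets (forHtmlAttribute, forHtmlContent, forJavaScriptAttribute, forJavaScriptBlock) match the API.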

Revision as of 23:47, 16 February 2013


Welcome to the OWASP Java Encoder Project

Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5 simple-to-use drop-in high-performance encoder class with little baggage.


What is this project?
Name: OWASP Java Encoder Project (home page)
Purpose:
  • This project is a simple-to-use drop-in encoder class with little baggage.
  • No third party libraries or configuration necessary.
  • This code was designed for high-availability/high-performance encoding functionality.
  • The key motivation for the separate project was:
    1. Simple drop-in encoding functionality
    2. Redesigned for performance
    3. More complete API (URI and URI component encoding, etc.) in some regards.
  • This is a Java 1.5 project.
License: New BSD License

Who is working on this project?
Project Leader(s):
Project Contributor(s): Jim Manico, Jeremy Long

How can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation: none listed
Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-java-encoder-project
Project Roadmap: Not Yet Created
Main links: http://code.google.com/p/owasp-java-encoder/
Key Contacts: Contact the GPC to report a problem or concern about this project or to update information.

Current release
OWASP Java Encoder Project 1.1.1 - January 30, 2014
Release description: Critical fix of the bug described at https://code.google.com/p/owasp-java-encoder/issues/detail?id=4
Rating: Not Rated
Last reviewed release: Not Yet Reviewed
Other releases: none listed

Use the Java Encoder Project

The general API pattern for the Java Encoder Project is Encode.forContextName(untrustedData), where ContextName names the target output context (the place in the document where the data will land) and untrustedData is the untrusted user input. Choose the method by where the data is being written, not by where it came from: the same string needs a different encoding inside an HTML attribute than inside a JavaScript string.

For example, to use in a JSP

  <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />

  <textarea name="text"><%= Encode.forHtmlContent(textValue) %></textarea>

Encode.forHtml(...) is also safe for the above two contexts but slightly less efficient, since it encodes more characters than either context requires.

For JavaScript string data

  <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button>

  <script type="text/javascript">
    var msg = "<%= Encode.forJavaScriptBlock(message) %>";
    alert(msg);
  </script>

Again, Encode.forJavaScript(...) is safe for both of the above contexts but slightly less efficient, since it encodes more characters. Both methods encode only the contents of a JavaScript string literal; the surrounding quotes in the template are still required.

Other Contexts

Other contexts are covered by further methods of the org.owasp.encoder.Encode class, including CSS strings (forCssString), CSS URLs (forCssUrl), XML contexts (forXml, forXmlContent, forXmlAttribute), URIs (forUri) and URI components (forUriComponent).
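Putting the JSP and JavaScript snippets above together, here is an added example (written for this page, not code from the OWASP wiki or from the project itself) that renders one attacker-controlled display name into five contexts of a single HTML fragment, each with the Encode method the page prescribes for that context, and beside it the context mismatch the page warns against. It assumes org.owasp.encoder.Encode is on the classpath (the library is published to Maven Central as org.owasp.encoder:encoder); the ProfileCard class, its two render methods and the hostile sample string are constructed for the example.

```java
import org.owasp.encoder.Encode;

/**
 * Renders one "profile card" fragment in which the same attacker-controlled
 * display name lands in five different output contexts. Each context gets
 * the Encode.forXxx() method that matches where the value is written.
 * (Example class; not part of the OWASP Java Encoder project.)
 */
public final class ProfileCard {

    public static String render(String untrustedName) {
        StringBuilder html = new StringBuilder();

        // Context 1: quoted HTML attribute value.
        html.append("<input type=\"text\" name=\"display\" value=\"")
            .append(Encode.forHtmlAttribute(untrustedName))
            .append("\" />\n");

        // Context 2: HTML element content (text between tags).
        html.append("<span class=\"name\">")
            .append(Encode.forHtmlContent(untrustedName))
            .append("</span>\n");

        // Context 3: JavaScript string literal inside an HTML event-handler
        // attribute. forJavaScriptAttribute emits escapes that survive both
        // the HTML attribute decoding and the JavaScript string parsing.
        html.append("<button onclick=\"alert('")
            .append(Encode.forJavaScriptAttribute(untrustedName))
            .append("');\">greet</button>\n");

        // Context 4: JavaScript string literal inside a <script> block. The
        // encoder escapes the string's characters; the quotes are ours.
        html.append("<script type=\"text/javascript\">\n")
            .append("  var name = \"")
            .append(Encode.forJavaScriptBlock(untrustedName))
            .append("\";\n")
            .append("</script>\n");

        // Context 5: nested contexts. The name is a query-string parameter
        // (URI component) and the resulting URL is an HTML attribute value,
        // so encode inside-out: forUriComponent first, forHtmlAttribute last.
        String href = "/profile?user=" + Encode.forUriComponent(untrustedName);
        html.append("<a href=\"")
            .append(Encode.forHtmlAttribute(href))
            .append("\">profile</a>\n");

        return html.toString();
    }

    /**
     * The context mismatch to avoid. forHtml() is safe for contexts 1 and 2
     * above, but inside onclick the browser HTML-decodes the attribute value
     * before the JavaScript engine parses it, so the &#39; that forHtml()
     * produces for a quote turns back into a quote and the input breaks out
     * of the string literal. Kept only to show the difference; do not use.
     */
    public static String renderOnclickWithWrongEncoder(String untrustedName) {
        return "<button onclick=\"alert('"
             + Encode.forHtml(untrustedName)
             + "');\">greet</button>\n";
    }

    public static void main(String[] args) {
        // Constructed hostile input that tries to break out of every context.
        String hostile = "Mallory\"><script>alert(1)</script>'); alert(2); //";
        System.out.println("--- correct per-context encoding ---");
        System.out.print(render(hostile));
        System.out.println("--- forHtml() in a JavaScript context (unsafe) ---");
        System.out.print(renderOnclickWithWrongEncoder(hostile));
    }
}
```

Run it with the encoder jar on the classpath and compare the two onclick attributes: in render() the quote in the hostile string is emitted as a JavaScript escape that the HTML parser leaves alone, while in renderOnclickWithWrongEncoder() it is emitted as an HTML entity that the HTML parser decodes back into a literal quote before the script ever runs. That is the reason the page distinguishes forJavaScriptAttribute from forHtml even though both are "encoders".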

Build the Java Encoder Project

Check out the source and run "mvn package" (Maven 2.0 or 3.0).