Difference between revisions of "Projects/OWASP Java Encoder Project"

Jump to: navigation, search
m (add jeremy long to project)
Line 1: Line 1:
= Main =
<b>Welcome to the OWASP Java Encoder Project</b>
<i>Contextual Output Encoding</i> is a computer programming technique necessary to stop [https://www.owasp.org/index.php/XSS_Prevention_Cheat_Sheet Cross Site Scripting]. This project is a Java 1.5 simple-to-use drop-in high-performance encoder class with little baggage.
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>
Line 56: Line 50:
| project_about_page = Projects/OWASP Java Encoder Project
| project_about_page = Projects/OWASP Java Encoder Project
= Use the Java Encoder Project =
The general API pattern to utilize the Java Encoder Project is
<b>"Encode.forContextName(untrustedData)"</b>, where "ContextName" is the
name of the target context and "untrustedData" in untrusted user input.
== For example, to use in a JSP ==
<b><input type="text" name="data" value="<%=
Encode.forHtmlAttribute(dataValue) %>" /></b>
<b><textarea name="text"><%= Encode.forHtmlContent(textValue) %>" /></b>
Generally <b>Encode.forHtml(...)</b> is safe but slightly less efficient for
the above two contexts (since it encodes more characters than
== For JavaScript string data ==
<b><button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg)
%>');">click me</button></b>
<script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(message) %>";
Again generally Encode.forJavaScript is safe for the above two
context, but slightly less efficient since it encodes more characters.
== Other Contexts ==
Other contexts can be found in the org.owasp.Encode class methods,
including CSS strings, CSS urls, XML contexts, URIs and URI
= Build the Java Encoder Project =
<b>checkout and run "mvn package" (using maven 2.0 or 3.0)</b>
__NOTOC__ <headertabs />

Revision as of 16:00, 30 January 2014

What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: OWASP Java Encoder Project (home page)
  • This project is a simple-to-use drop-in encoder class with little baggage.
  • No third party libraries or configuration necessary.
  • This code was designed for high-availability/high-performance encoding functionality.
  • The key motivation for the separate project was:
  1. Simple drop-in encoding functionality
  2. Redesigned for performance
  3. More complete API (uri and uri component encoding, etc) in some regards.
  • This is a Java 1.5 project.
License: New BSD License
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: Not Yet Created
Main links:
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
OWASP Java Encoder Project 1.1.1 - January 30, 2014 - (download)
Release description: Critical fix of bug described here https://code.google.com/p/owasp-java-encoder/issues/detail?id=4
Rating: Not Rated
last reviewed release
Not Yet Reviewed

other releases