Difference between revisions of "Projects/OWASP Java Encoder Project"

m (add jeremy long to project)
= Main =
 
 
<b>Welcome to the OWASP Java Encoder Project</b>
 
 
<i>Contextual Output Encoding</i> is a programming technique necessary to stop [https://www.owasp.org/index.php/XSS_Prevention_Cheat_Sheet Cross Site Scripting]: untrusted data is encoded for the exact context (HTML text, HTML attribute, JavaScript string, URI component, ...) into which it is inserted, so that it can only ever be interpreted as data in that context. This project is a simple-to-use, drop-in, high-performance encoder class for Java 1.5 with little baggage.
 
 
 
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Project About</noinclude>

| project_about_page = Projects/OWASP Java Encoder Project

}}
 
= Use the Java Encoder Project =
 
 
The general API pattern for the Java Encoder Project is <b>"Encode.forContextName(untrustedData)"</b>, where "ContextName" is the name of the target context (the place in the output document where the data will land) and "untrustedData" is the untrusted user input. Pick the method by where the value is being written, not by where it came from: the same string needs different encoding in an HTML attribute than in a JavaScript string.
 
 
== For example, to use in a JSP ==
 
 
<b><input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" /></b>

<b><textarea name="text"><%= Encode.forHtmlContent(textValue) %></textarea></b>
 
 
Generally <b>Encode.forHtml(...)</b> is safe but slightly less efficient for the above two contexts (since it encodes more characters than necessary).
 
 
== For JavaScript string data ==
 
 
<b><button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button></b>
 
 
<b>
<script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(message) %>";
alert(msg);
</script>
</b>
 
 
Again, generally <b>Encode.forJavaScript(...)</b> is safe for the above two contexts, but slightly less efficient since it encodes more characters. Note that the caller supplies the surrounding quotation marks in both cases; the encoder only makes the string contents safe inside them.
 
 
== Other Contexts ==
 
 
Other contexts can be found in the org.owasp.encoder.Encode class methods, including CSS strings, CSS URLs, XML contexts, URIs and URI components.
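The following class is an added example, not code from the OWASP Java Encoder Project or from this page. It feeds one hostile value through the encoders used in the JSP and JavaScript sections above, plus the URI component encoder from the list of other contexts, and builds the same markup as those examples in plain Java so it can be compiled and run without a servlet container. It assumes the project's jar (Maven coordinates org.owasp.encoder:encoder) is on the classpath; the class name, method names and the hostile input string are constructed for illustration.

```java
import org.owasp.encoder.Encode;

/**
 * Added example, not part of the OWASP Java Encoder Project.
 * Assumes org.owasp.encoder:encoder is on the classpath. Each method
 * builds one of the markup fragments shown above with the untrusted
 * value encoded for that specific context.
 */
public class ContextEncodingDemo {

    /** Constructed hostile input: tries to break out of an HTML attribute,
     *  an HTML text node and a JavaScript string literal all at once. */
    public static final String UNTRUSTED =
            "\"><script>alert('x')</script>&'; alert(1); //";

    /** HTML attribute context: value="..." uses forHtmlAttribute. */
    public static String inputField(String data) {
        return "<input type=\"text\" name=\"data\" value=\""
                + Encode.forHtmlAttribute(data) + "\" />";
    }

    /** HTML text content context: <textarea>...</textarea> uses forHtmlContent. */
    public static String textArea(String data) {
        return "<textarea name=\"text\">"
                + Encode.forHtmlContent(data) + "</textarea>";
    }

    /** JavaScript string literal inside an HTML event-handler attribute
     *  uses forJavaScriptAttribute; the caller supplies the quotes. */
    public static String clickHandler(String data) {
        return "<button onclick=\"alert('"
                + Encode.forJavaScriptAttribute(data) + "');\">click me</button>";
    }

    /** JavaScript string literal inside a <script> block uses
     *  forJavaScriptBlock, which must also make sure the string cannot
     *  carry a literal closing tag that would end the block early. */
    public static String scriptBlock(String data) {
        return "<script type=\"text/javascript\">\n"
                + "var msg = \"" + Encode.forJavaScriptBlock(data) + "\";\n"
                + "alert(msg);\n"
                + "</script>";
    }

    /** URI query-parameter context uses forUriComponent: percent-encoding
     *  leaves none of the characters the HTML parser cares about, so the
     *  result can be placed directly inside the href attribute. */
    public static String searchLink(String data) {
        return "<a href=\"/search?q=" + Encode.forUriComponent(data) + "\">search</a>";
    }

    /** Deliberately wrong: the raw value in an attribute. Kept only so the
     *  encoded variants can be compared against the XSS they prevent. */
    public static String unencoded(String data) {
        return "<input type=\"text\" name=\"data\" value=\"" + data + "\" />";
    }

    public static void main(String[] args) {
        System.out.println("unencoded (XSS):    " + unencoded(UNTRUSTED));
        System.out.println("forHtmlAttribute:   " + inputField(UNTRUSTED));
        System.out.println("forHtmlContent:     " + textArea(UNTRUSTED));
        System.out.println("forJavaScriptAttr:  " + clickHandler(UNTRUSTED));
        System.out.println("forJavaScriptBlock:\n" + scriptBlock(UNTRUSTED));
        System.out.println("forUriComponent:    " + searchLink(UNTRUSTED));
        // The generic encoders cover both HTML contexts and both JavaScript
        // contexts respectively, at the cost of encoding more characters.
        System.out.println("forHtml:            " + Encode.forHtml(UNTRUSTED));
        System.out.println("forJavaScript:      " + Encode.forJavaScript(UNTRUSTED));
    }
}
```

Compile and run it with the encoder jar on the classpath, e.g. <b>javac -cp encoder.jar ContextEncodingDemo.java</b> followed by <b>java -cp encoder.jar:. ContextEncodingDemo</b> (the jar file name is an assumption; use whatever "mvn package" produced). Comparing the printed lines shows why the method is chosen by output context: the attribute encoder must neutralise the quote that ends the attribute, the content encoder need not, and the JavaScript encoders escape the quote and the slash that an HTML encoder would leave alone.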
 
 
= Build the Java Encoder Project =
 
 
<b>Check out the source and run "mvn package" (using Maven 2.0 or 3.0).</b>
 
 
 

Revision as of 16:00, 30 January 2014

what is this project?
Name: OWASP Java Encoder Project (home page)
Purpose:
  • This project is a simple-to-use drop-in encoder class with little baggage.
  • No third party libraries or configuration necessary.
  • This code was designed for high-availability/high-performance encoding functionality.
  • The key motivation for the separate project was:
  1. Simple drop-in encoding functionality
  2. Redesigned for performance
  3. More complete API in some regards (e.g. URI and URI component encoding).
  • This is a Java 1.5 project.
License: New BSD License
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: Not Yet Created
Main links:
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
OWASP Java Encoder Project 1.1.1 - January 30, 2014 - (download)
Release description: Critical fix of the bug described at https://code.google.com/p/owasp-java-encoder/issues/detail?id=4
Rating: Not Rated
last reviewed release
Not Yet Reviewed


other releases