The XSS prevention cheat sheet mentioned the anti-pattern, placing json inside js block.

<script>
  var initData = <%= data.to_json %>; // Do NOT do this without encoding the data with one of the techniques listed below.
</script>

This has been a common practice, and is an important part of redux's server rendering. But owasp-java-encoder doesn't has the right encoding function to deal with it.

Is it consider doable and necessary, to implement Encode.forJSON()?

From what I read on the cheat sheet, converting < to \u003c would be good enough.

I refer to this part of code:

if (mode == Mode.BLOCK || mode == Mode.HTML) {
            // in <script> blocks, we need to prevent the browser from seeing
            // "</anything>" and "<!--". To do so we escape "/" as "\/" and
            // escape "-" as "\-".  Both could be solved with a hex encoding
            // on "<" but we figure "<" appears often in script strings and
            // the backslash encoding is more readable than a hex encoding.
            // (And note, a backslash encoding would not prevent the exploits
            // on "</...>" and "<!--".
            // In short "</script>" is escaped as "<\/script>" and "<!--" is
            // escaped as "<!\-\-".
            _validMasks[1] &= ~((1 << '/') | (1 << '-'));
        }

The problem is with "-" becasue "-" is also used in date format f.e. 2000-01-01

I am not sure but maybe "--" should be escaped to "\--" ?

Hi,

is it possible to combine the OWASP Sanitizer and the OWASP Encoder to not remove malicious code but to encode the problematic parts from a given string, so that f.e. a script tag will do no harm and is just displayed as a text.
I am asking this because I would like to deal with texts where it is not certain if they will be displayed as inner html or as "normal text".

Thank you very much for any answer ;)

Hi All,
actually we are moving / upgrading our system to commons-lang3 instead of commons-lang.
That's why i want to know that "Is owasp Encoder work with commons-lang3?"
currently i am seeing that owasp Encoder has dependency over commons-lang 2. 6.
Would you please help me to sort out this problem.
Naeem

I suggest creating a SECURITY.md file describing your security process for reporting any security vulnerabilities. I can be as simple as "Report the issue as an email to [email protected] with subject of 'Potential security vulnerability in X'" or however complicated as you want, but you probably do NOT want to have people by default report it publicly via GitHub Issues since generally anyone can read those for a public repository.

I'm not claiming either of these are perfect approach, but just throwing them out there as an idea if you wish to copy or get some ideas for creating your own:

• https://github.com/ESAPI/esapi-java-legacy/blob/develop/SECURITY.md#reporting-a-vulnerability

or

• https://github.com/nahsra/antisamy/blob/main/SECURITY.md#reporting-a-vulnerability

Encode.forJavaScript is intended to

Encode for a JavaScript string. It is safe for use in HTML script attributes (such as onclick), script blocks, JSON files, and JavaScript source. The caller MUST provide the surrounding quotation characters for the string.

However, the string

input = "hell`;alert(1);`o"

encoded with Encode.forJavaScript produces the following output which allows for XSS.

<!DOCTYPE html>
<html>
  <body>
  <script>
  // var data = `<%=Encode.forJavaScript(input)%>`;
  var data = `hell`;alert(1);`o`;
  </script>
  </body>
</html>

Related: #14

Hi

I'm trying to exclude a few HTML tags from getting encoded through Encode.forHtml(). If I understand correctly, the encoder encodes all HTML tags within HTML contexts. Can you please help me understand if I can configure the encoder to exclude a list of HTML tags?

I think we need to make clear somewhere in the documentation clear that customers need to take additional steps for preventing DOM based XSS when using this library. Current documentation says about how to encode in direct CSS/HTML contexts but does not talk about how to encode when inserting Untrusted Data into HTML Subcontext within the Execution Context.

There are many such examples in [1] and I think its worth it to make a note of it somewhere in the documentation of this document.

[1] https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_then_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_HTML_Subcontext_within_the_Execution_Context

In order to keep the previous version tagging and commit history, a proper export could be made :
http://stackoverflow.com/a/79178/89769

Hello! Wanted to start a discussion around adding a function that makes it safe to append strings to URLs in Java. I haven't found a great way to do this, and if we can agree on a good approach I'd be happy to submit a PR.

Imagine the following code:

URL u = new URL("http://example.com/api/v2/" + untrustedInput + "/data");
HttpURLConnection con = (HttpURLConnection) u.openConnection();
...etc...

If unrtustedInput comes in as foo../../../bar what method can make it safe and not allow for path traversal? encode.forUriComponent does not work here because Java URL will just decode the value.

The only good approach I've found is to just strip out all the dots and slashes, as seen here: https://github.com/linkedin/URL-Detector/blob/173c6dbb5d3453d8327b59f254905cdf0338a7de/url-detector/src/main/java/com/linkedin/urls/PathNormalizer.java#L40

Does this sound like something that should belong in owasp-java-encoder? Any other ideas for a sanitization/encoding function that would work?

The How to Use tab on the OWASP Java Encoder site has a link to org.owasp.Encode class methods for browsing the documentation.

Following the link results in two blank frames and these errors in the console:

Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
index.html:63 Refused to frame 'https://owasp.org/owasp-java-encoder/encoder/apidocs/allclasses-frame.html' because it violates the following Content Security Policy directive: "frame-src https://*.vuejs.org https://*.stripe.com https://*.wufoo.com https://*.sched.com https://*.google.com https://*.twitter.com https://www.youtube.com https://w.soundcloud.com".
index.html:64 Refused to frame 'https://owasp.org/owasp-java-encoder/encoder/apidocs/org/owasp/encoder/package-summary.html' because it violates the following Content Security Policy directive: "frame-src https://*.vuejs.org https://*.stripe.com https://*.wufoo.com https://*.sched.com https://*.google.com https://*.twitter.com https://www.youtube.com https://w.soundcloud.com".
index.html?index-all.html:58 Refused to frame 'https://owasp.org/owasp-java-encoder/encoder/apidocs/index-all.html' because it violates the following Content Security Policy directive: "frame-src https://*.vuejs.org https://*.stripe.com https://*.wufoo.com https://*.sched.com https://*.google.com https://*.twitter.com https://www.youtube.com https://w.soundcloud.com".

OS/Browser: MacOS Mojave, Chrome 91 and others

Greetings,

When I do the following:

    String val = "CF-1.5";
    String jsVal = Encode.forJavaScript(val);

The ending value of jsVal is "CF\-1.5". Based on the javadoc for the Encode class here:

https://owasp.github.io/owasp-java-encoder/encoder/apidocs/index.html?index-all.html

I believe that Encode.forJavaScript() is incorrectly/needlessly escaping the "-" character.

The javadoc does not list "-" as a character to be escaped, and the RFC for JSON:

https://tools.ietf.org/html/rfc7159#section-7

Does not list the "-" character as one that is included in the list of "two-character sequence escape representations of some popular characters".

It seems that since any character can be escaped there is no issue in escaping the "-" character, but I do not think there is a two character shorthand "\-" supported and that the hex escaped version must be used.

Is this a known problem? Has no one else had their JSON parser throw a rod because of this unsupported escape sequence?

Thanks,

Nathan

Hello,

I have tried using the core encoder in a project with java9+ modules but the automatic module name is missing from the jar manifest, version 1.2.3, (even though I saw some configuration in the pom.xml for the automatic module name manifest entry):

Manifest-Version: 1.0
Bundle-Description: The OWASP Encoders package is a collection of high
 -performance low-overhead        contextual encoders, that when utili
 zed correctly, is an effective tool in        preventing Web Applicat
 ion security vulnerabilities such as Cross-Site        Scripting.
Bundle-License: http://www.opensource.org/licenses/BSD-3-Clause
Bundle-SymbolicName: org.owasp.encoder
Built-By: jeremy
Bnd-LastModified: 1604861240860
Bundle-ManifestVersion: 2
Bundle-DocURL: https://www.owasp.org/
Bundle-Vendor: OWASP (Open Web-Application Security Project)
Tool: Bnd-3.3.0.201609221906
Originally-Created-By: Apache Maven Bundle Plugin
Export-Package: org.owasp.encoder;version="1.2.3"
Bundle-Name: Java Encoder
Bundle-Version: 1.2.3
Created-By: Apache Maven Bundle Plugin
Build-Jdk: 1.8.0_212

Extra:
Have you considered using multi-release jars to include module-info.java file for java9+? It seems straightforward (for the core subproject at least) since it only has 1 package and no dependencies (and requires using a jdk9+). I might be missing something regarding OSGi though.
Diff

In any case, thank you for maintaning this project.

First of all, please forgive me posting it here. This is rather a shortcoming in the KML specification or the Google Earth implementation, respectively. But I am not familiar with Google's issue tracking system and the following could be a useful enhancement for owasp-java-encoder, too.

What's the problem?
I just realized that KML files I am generating are vulnerable to injection despite (in my opinion correct) use of HTML encoding powered by owasp-java-encoder. Owasp's Encode.forHtml/forXml works correctly: the input <strike>oops</strike> gets encoded to <strike>oops</strike>. I do not want my users to inject HTML.

However, the KML specification is unclear about encoding of angle brackets, please see KML Reference Errata. And the software consuming the KML (Google Earth) will render it as HTML.

How can this problem be solved?
According to the errata page mentioned above, numeric character entities have to be used in favor of entity references, i.e. < and > must be encoded to < and > instead of < and >. From looking at owasp's HTMLEncoder/XMLEncoder classes I cannot find an option to control the encode behavior. Do you think this would be a reasonable enhancement? Alternatively, do you think introducing a special KMLEncoder would be reasonable?

How to reproduce?

1. Download Google Earth, start it and then load a KML file with this content:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<kml xmlns="http://www.opengis.net/kml/2.2" xmlns:gx="http://www.google.com/kml/ext/2.2">
    <Document>
        <name><![CDATA[HTML encoding]]></name>
		<Style id="myStyle">
			<BalloonStyle>
				<text>
					<![CDATA[
					Text should be bold only: <b>$[text]</b>
					]]>
				</text>
			</BalloonStyle>
		</Style>
		<Folder>
			<name>Placemarks</name>
			<Placemark>
				<name><![CDATA[insufficient escaping]]></name>
				<address><![CDATA[1200-C Agora Drive, Bel Air, MD 21014, US]]></address>
				<styleUrl><![CDATA[#myStyle]]></styleUrl>
				<ExtendedData>
					<Data name="text">
						<value><![CDATA[&lt;strike&gt;oops&lt;/strike&gt;]]></value>
					</Data>					
				</ExtendedData>
			</Placemark>
			<Placemark>
				<name><![CDATA[sufficient escaping]]></name>
				<address><![CDATA[Leinstraat 104A, B-9660 Opbrakel, Belgium]]></address>
				<styleUrl><![CDATA[#myStyle]]></styleUrl>
				<ExtendedData>
					<Data name="text">
						<value><![CDATA[&#60;strike&#62;fine&#60;/strike&#62;]]></value>
					</Data>					
				</ExtendedData>
			</Placemark>
		</Folder>
	</Document>
</kml>

2. Open the placemark called insufficient escaping and see the strikethrough word:

3. Open the placemark called sufficient escaping and see everything's working correctly:

Please note that this issue can not be reproduced when uploading the KML file to the web-based Google Earth. Things may have changed in the online version. However, the desktop version is still maintained (last build: February 6, 2018).

My application runs over j2sdk1.4.2_19, Can I compile the project with j2sdk1.4.2_19 ? any alternative suggested?

n the API documentation, forHtmlAttribute method's example usage is listed as following.
<%=Encode.forHtml(unsafeData)%>

It should be corrected as following.
<%=Encode.forHtmlAttribute(unsafeData)%>

I have corrected it and sent the PR [2]. Please review and merge.

[1] https://owasp.github.io/owasp-java-encoder/encoder/apidocs/org/owasp/encoder/Encode.html#forHtmlAttribute-java.lang.String-
[2] #23

Rename master to main.

Hi,

How can I properly escape Javascript numbers on JSP files?

forJavaScript() method is designed to work with strings and breaks negative javascript numbers (by encoding them as \-1). I look at the other methods, but I don't see a suitable one.

Thank you for your help!

Minor corrections and additions to Encode class.

I am missing some files like :
org.owasp.esapi.codecs.Codec;
org.owasp.esapi.errors.EncodingException;
org.owasp.esapi.reference.DefaultEncoder;
....

When I do a mvn install, I get :

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.
2:compile (default-compile) on project encoder-esapi: Compilation failure: Compi
lation failure:
[ERROR] /D:/projects/owasp-java-encoder/esapi/src/main/java/org/owasp/encoder/es
api/ESAPIEncoder.java:[39,23] package org.owasp.esapi does not exist
[ERROR] /D:/projects/owasp-java-encoder/esapi/src/main/java/org/owasp/encoder/es
api/ESAPIEncoder.java:[40,30] package org.owasp.esapi.codecs does not exist
[ERROR] /D:/projects/owasp-java-encoder/esapi/src/main/java/org/owasp/encoder/es
api/ESAPIEncoder.java:[41,30] package org.owasp.esapi.errors does not exist
[ERROR] /D:/projects/owasp-java-encoder/esapi/src/main/java/org/owasp/encoder/es
api/ESAPIEncoder.java:[42,33] package org.owasp.esapi.reference does not exist
[ERROR] /D:/projects/owasp-java-encoder/esapi/src/main/java/org/owasp/encoder/es
api/ESAPIEncoder.java:[114,19] cannot find symbol
[ERROR] symbol: class Encoder
[ERROR] location: class org.owasp.encoder.esapi.ESAPIEncoder
[ERROR] /D:/projects/owasp-java-encoder/esapi/src/main/java/org/owasp/encoder/es
api/ESAPIEncoder.java:[128,34] cannot find symbol
[ERROR] symbol: class Encoder

Hi Jim Manico!

I couldn't sanitize the vector "<%", using the methods available in "encoder-1.2.3.jar", I would like some help to be able to identify if using the "ESAPI" this would be solved or if a correction in the library would be necessary.

Thanks.

What does this error mean? I've googled it but can't figure it out. I'm using NetBeans 8.2. Can someone please direct me to some resources on resolving this error?

This is what I have in my JSP file:

<%@ taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>

title="<e:forHtml value="${navItem.title}" />"

Artifact file that fails:
AmpersandIssue.txt

CloudFoundry buildpack: java_buildpack_offline-3_8_1
OpenJDK JRE: 1.8.0_91-unlimited-crypto
org.owasp.encoder:encoder: 1.1
org.owasp.esapi:esapi: 2.1.0.1

Also tested on:

java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)

Simple code:

Encode.forHtml(new String(Files.readAllBytes(Paths.get("AmpersandIssue.txt")), UTF_8));

The stack trace is:

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
	at java.lang.String.getChars(String.java:826)
	at org.owasp.encoder.Encode$Buffer.encode(Encode.java:1306)
	at org.owasp.encoder.Encode.encode(Encode.java:1220)
	at org.owasp.encoder.Encode.forXml(Encode.java:739)
	at org.owasp.encoder.Encode.forHtml(Encode.java:155)

The transitive dependency on esapi today picked up version 2.2.0.0-RC2 which was also released today. Unfortunately, there is a bug that broke our code in that version. With the "principle of least astonishment" I would not have expected to pick up a release-candidate build. Should not the dependency be limited to actual releases?

I'd like to reuse owasp-java-encoder in a project licensed under Apache 2.0.

To avoid third-party runtime dependencies, I decided to use Maven Shade Plugin that includes and relocates the owasp-java-encoder classes during packaging.

To include your BSD 3 license, which is required to be legally allowed (BSD 3), I wanted to use org.apache.maven.plugins.shade.resource.IncludeResourceTransformer.

Unfortunately, owasp-java-encoder doesn't include its LICENSE in the META-INF folder.

So, could you please include your license in the JAR?

Do you guys have any plan of including unescape/unencode functions within this library? They will be helpful in few cases (Ex: If I am encoding all my untrusted parameters within requests in my application) and need 1/2 of them to be decoded within my application for some processing before sending it to view?

Hi,

I want to replace Encode::forUri with something that is not depricated. Does anyone know what method should I use to cover that up? I can't use forUriComponent() because I have to convert an link, not a query, and also forUriComponent() doesn't convert all the characters as forUri() did

Code example:
private static final ImmutableList<UnaryOperator> ENCODING_CHAIN_URL_IN_HTML_ATTRIBUTE = ImmutableList.of(Encode::forUri, EsEncode::uriAsSafeSchemeUri, Encode::forHtml);

Thanks!

if the input string contains unicode escaped character e.g. ✅
the output is "& amp ;#9989;"
the '&' character is encoded again.
Does Encoder support unicode escaped characters and it is a bug or this is not supported?

We are currently migrating our Spring Boot application to version 3.0.

In Spring Boot 3.0 they've migrated all dependencies from Java EE to Jakarta EE APIs. Now Jakarta EE 10 dependencies are used.

We are using the OWASP Java Encoder library and specifically the JSP module to encode user input. For example:

<%@ taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<e:forHtml value="${user.name}" />

This is causing the following error:

java.lang.ClassNotFoundException: javax.servlet.jsp.tagext.SimpleTagSupport

This is because we are now using Jakarta Servlet 5.0 and the packages have been changed from javax.* to jakarta.*.
javax.servlet.jsp.tagext.SimpleTagSupport is now jakarta.servlet.jsp.tagext.SimpleTagSupport.

Are there any plans for a version using Jakarta Servlet 5.0?

I noticed that there's a discussion in the OWASP ESAPI project which deals with the same problem.

encoder.encodeForHtml of Japanese character “𠮷”( &#x20BB7; ) resulting in &#xd842;&#xdfb7; and these code points are not identified by HTML document.
The browser doesn't understands the surrogate pairs.
We are using org.owasp.esapi esapi2.1.0.1
and
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder

Any leads will be appreciated.

Hi,

I'd like to use owasp-java-encoder in PrimeFaces (a popular JSF component suite). However, because of very restrictive policies regarding the use of third-party policies my PR cannot be merged.

The problem is the dependency to guava, which is a really big one that is also widely used and therefore version conflicts are conceivable.

So I come to the question if it would be possible for you to provide an additional all-in-one version of owasp-java-encoder having the guava dependency shaded?

Please see primefaces/primefaces#3214 for the reasons why my PR was reverted.

Thanks.

We should create a function to safely embed JSON on a webpage simular to to what https://github.com/yahoo/serialize-javascript accomplishes.

Compilation breaks with org.owasp.esapi:esapi:2.5.1.0 because org.owasp.encoder.esapi.ESAPIEncoder.Impl does not implement the new methods

• org.owasp.encoder.esapi.ESAPIEncoder.Impl#decodeFromJSON
• org.owasp.encoder.esapi.ESAPIEncoder.Impl#encodeForJSON

which were introduced with the 2.5.1.0.

Solution (?):

• Set a fix dependency on the previous version of org.owasp.esapi:esapi
• Implement and test the missing interface functions
• Update the dependency

Running 'mvn compile' causes the following compilation errors in the encoder-esapi artifact (aka, ESAPI Thunk) when used with esapi-2.2.0.0-rc2.jar:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.5.1:compile (default-compile) on project encoder-esapi: Compilation failure
[ERROR] /home/kww/Code/GitHub/owasp-java-encoder/esapi/src/main/java/org/owasp/encoder/esapi/ESAPIEncoder.java:[128,13] org.owasp.encoder.esapi.ESAPIEncoder.Impl is not abstract and does not override abstract method getCanonicalizedURI(java.net.URI) in org.owasp.esapi.Encoder

Note that this problem was described as part of your GitHub issue #30 but is not related to that. It was the serendipitous discovery caused by the non-pinned ESAPI transitive dependency that allowed this issue to be discovered.

If you want to eventually be able to support ESAPI 2.2.0.0 this will need to be fixed.

"Please note that with sufficient feedback from the user base, the above
mentioned methods may be implemented in future releases of the OWASP
Java Encoders, if/when that happens, this shim class will be updated to
call out to the new methods.)"

With regards to the quote copied from the org.owasp.encoder.esapi.Encoder class:
It would be nice if this project would support such functionality, independently from the EASPI project.

Use-case:
Contextual encoding is not always possible, especially in case of big legacy projects that use the same database to serve both browser and non-browser clients. To (somewhat) minimize the risk, I have created some pluggable filters that among other things, verify every request (headers, body, cookies) against common XSS payloads (tested against the OWASP XSS cheatsheet). In order for such validations to be successful, the canonicalization of the input is a pre-requisite.

The Javadoc link in the Getting Started section of the main project page at https://owasp.org/www-project-java-encoder/ seems to be broken. Does the project still intend to host Javadoc on github.io or should the copy at https://javadoc.io/doc/org.owasp.encoder/encoder/latest/index.html be used instead?

Due to its private constructor Encoder cannot be used in scripting language bindings that require an object.

It would seem that a rule for email would not completely match any of the existing rules. Additionally, this seems to be a value that is an obvious choice for reflected attacks.

When encoding Strings that have hyphens in them using the Encode#forJavaScript method, a backslash is prepended before the hyphen in the output of the encoded String.

For example,

Encode.forJavaScript(String.valueOf(-1));

produces \-1

These causes illegal character errors on resulting HTML and JavaScript files if you try to use the result as a JavaScript Number type.

Encoding values with hyphens in them for all of the other contexts (e.g., forHtml, forCssString, forXml, forCDATA, forJava, etc.) produces the expected values without the backslashes (-1) .

Verified this is how it behaves in all versions of the OWASP Encoder library published to Maven Central (1.1 - 1.2.1).

In regards to the issue with the grave accent issue described here https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Grave_Accent_Issue
I found out that ESAPI.encoder.encodeForHTMLAttribute() is converting the ` in its hexadecimal-form:

`
Why owasp-java-encoder is not doing the same? Wouldn't this prevent the possible xss-attack in IE?

if we use css expression property, client side code is getting executed even after applying css encoding.
Example: xss:expression(alert(1));
do we need to validate properties like 'expression' and url only only contains http and https before applying css encoding as per cheat sheet? or is it cheat sheet older one?

I'm using the OWASP Java Encoder API to prevent XSS in my program, but when I use the JSP/EL function as shown on the project's website, https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project I've noticed that using this causes the special characters that are being encoded to not display along with the rest of the content. For example, with the string:
(123)-456-7890, it will instead display as:
123?456?7890

I am implementing it as such:
<sbean:define id="name" value="${enc:forHtml(prospect.name)}" /><%=name %>

One possible cause for this is that the program i'm working on already contains a separate XSS filter, but some weak spots were found so I am using this API in addition to the filter. Is this the cause, or is there something else going on here? If this is the reason, how can I tell OWASP Java Encoder to ignore that data?

Thanks!

It looks like it have some vulnerable log4j 1.2.17 dependency. Have you consider update to 2.17.2?

output from mvn dependency:tree command below

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ encoder-esapi ---
[INFO] org.owasp.encoder:encoder-esapi:jar:1.2.3
[INFO] +- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] +- org.owasp.esapi:esapi:jar:2.4.0.0:compile
[INFO] | +- com.io7m.xom:xom:jar:1.2.10:compile
[INFO] | +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | | - commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] | +- commons-lang:commons-lang:jar:2.6:compile
[INFO] | +- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO] | +- log4j:log4j:jar:1.2.17:compile
[INFO] | +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] | +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile
[INFO] | +- org.owasp.antisamy:antisamy:jar:1.6.8:compile
[INFO] | | +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.61.0:compile
[INFO] | | +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.3:compile
[INFO] | | | +- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.3:compile
[INFO] | | | - commons-codec:commons-codec:jar:1.15:compile
[INFO] | | +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.3:compile
[INFO] | | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile
[INFO] | | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile
[INFO] | | | | - org.apache.xmlgraphics:batik-i18n:jar:1.14:compile
[INFO] | | | - org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile
[INFO] | | +- xerces:xercesImpl:jar:2.12.2:compile
[INFO] | | - xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] | +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | - commons-io:commons-io:jar:2.11.0:compile
[INFO] - junit:junit:jar:3.8.2:test

Hey Guys - Awesome work, keep it work!

1. [1] Rule#1 suggests that we also need to encode "/" character as it can be used to end HTML entity but it doesn't seem like java encoder does it any HTML context encoders. Is there a reason why you guys decided not to encode this specific character? If it is not necessary don't we need to update OWASP wiki?

2. [1] Rule#2 suggests that we need to encode characters like "%,*,......." for non-attributed characters but again I don't see them in forHtmlUnquotedAttribute function. IMO they don't break the context, so don't we need to change the OWASP wiki if it's not needed? or am I missing something here?

3. Why can't we just encode ( and ) characters in cssURL context and have only 1 function for CSS encoding? I don't see a reason why we need to have non-encoded ( and ) characters in cssURL?

Are you guys aware of any other enterprises using this library?

A quick response will be highly appreciated :) ..

[1] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Hi. I would like to report an issue that when using the encoder with jsp tags it works perfectly only when using static content like this:
<e:forHtml value="</script>" but not when using EL like this: <e:forHtml value="${param.id}"\>. When using EL, the expression isn't being evaluated but rather gets printed as is on the screen. There might be something wrong with my web.xml and would need additional configs to make it work, or there might be something with the tags that they do not support EL. Please look into it.

Thanks a lot

Just did a quick look through the code and it looks like there is no encoder for RegEx context.

I'm just facing this issue: I have untrusted user input and must escape all RegEx meta characters to avoid possible crashes.

Some libraries (like log4j2) have protections agains log forging and XSS which can be enabled via config settings.
Other libraries (log4j v1 and other ) don't have this option.

Can any of the existing OWASP Java Encoder functions be used to neutralize data recorded in logs ?
If not, is it possible to have a new method, let's say encode#ForLogs(), that will take care of both HTMLEncode and log forging?

Thanks,
Katy

Thank you for writing this great encoding library!
Please sign the jar, so that when I pull from maven, I can verify that the code can be trusted and was not altered.

From: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

"RULE 3 - JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
...
Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute. DO NOT use any escaping shortcuts like " because the quote character may be matched by the HTML attribute parser which runs first. These escaping shortcuts are also susceptible to "escape-the-escape" attacks where the attacker sends " and the vulnerable code turns that into \" which enables the quote."

I had some developers using the older ESAPI Encoder and some using this project and noticed the following difference:

import org.owasp.esapi.ESAPI;
import org.owasp.encoder.Encode;

public class EncoderTest {

public static void main(String[] args) {

         String testString = "--></script><script src=//58348 id=\"";
         
         System.out.println("Testing ESAPI encoder enccodeForJavaScript with " + testString);
         System.out.println("OUTPUT::" + ESAPI.encoder().encodeForJavaScript(testString));
         System.out.println("Testing OWASP encoder with " + testString);
         System.out.println("OUTPUT::" + Encode.forJavaScript(testString));
   }

}

RESULT:

Testing ESAPI encoder enccodeForJavaScript with --></script><script src=//58348 id="
OUTPUT::\x2D\x2D\x3E\x3C\x2Fscript\x3E\x3Cscript\x20src\x3D\x2F\x2F58348\x20id\x3D\x22
Testing OWASP encoder with --></script><script src=//58348 id="
OUTPUT::--></script><script src=//58348 id=\x22

In the owasp-java-encoder the --> is encoded to --> in the ESAPI encoder it is encoded to \x2D\x2D\x3E.

I don't think the sample attack string represents a successful attack, but I thought it noteworthy that it didn't follow the guidance from the cheat sheet. Has the OWASP/security community changed it's thoughts around "escape all characters less than 256 with the \xHH format"?