Comments (6)
@jmanico - What @forgedhallpass hall pass is saying is remove that blatant lie in the comment from your Java Encoder source code. ;-)
@forgedhallpass - Seriously, the beauty of FOSS is that you can take its source code and change it to whatever you want. The ESAPI license is one of the most liberal FOSS licenses out there (BSD 3), so the better approach (instead of building a WAF) is to just use the ESAPI WAF and canonicalization and rip out all the parts that you don't need. (Or maybe consider OWASP AppSensor, which is WAF-like). Or use a real WAF; if you want a free one, mod_security and the OWASP Core Rule Set work for a lot of people.
from owasp-java-encoder.
Hello Jim,
Thank you for your answer. I agree with your points about contextual encoding, but as I said it is not always that trivial (e.g. large legacy code base). I've created my own small pluggable WAF library as an additional layer of security and I want to get rid of ESAPI because I am only using its canonicalization feature. Since I've seen the above quoted comment in the code I thought it was worth asking.
p.s. I also know that creating your own WAF is not ideal, but it's a "better than nothing" option for clients who can't set up or do not want to invest in dedicated WAF solutions.
All the best.
I've tried to be subtle, but indeed that comment from the code could be removed :-)
@kwwall, as I wrote in the other ESAPI issue, I have already extracted the logic I need, but wanted to have a short discussion to see what other (maybe better) options are out there and to know whether I could make my changes in a way that would potentially benefit the OSS community as well.
Currently for SaaS we have a commercial WAF from Cloudflare and reverse proxies with custom rules, but I also wanted to provide at least some basic, embedded, "self-defense" measures for the other deployment strategies.
I haven't heard of the OWASP AppSensor, but I will look into it, thanks for the tip.
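The two mechanisms this thread keeps contrasting, ESAPI-style canonicalization on the input side and contextual encoding on the output side, shown as an added Python example that is not code from the thread, from ESAPI or from owasp-java-encoder. It uses only the standard library; `MAX_DECODE_DEPTH`, `canonicalize`, `is_valid_username` and `render_greeting` are hypothetical names chosen for the example, and the username allow-list and sample inputs are constructed. It goes slightly beyond the thread by also rejecting mixed encodings (one codec nested in another), not just the same codec applied twice.

```python
import html
import re
from urllib.parse import unquote

# Hypothetical cap on decoding passes before the input is rejected as
# pathological (an assumption for this example, not an ESAPI constant).
MAX_DECODE_DEPTH = 5


class MultipleEncodingError(ValueError):
    """Raised when the input was encoded more than once (same or mixed codecs)."""


def _decode_once(value):
    """Apply each decoder a single time and report which ones changed the input."""
    layers = []
    percent_decoded = unquote(value)          # %3C -> <
    if percent_decoded != value:
        layers.append("percent")
        value = percent_decoded
    entity_decoded = html.unescape(value)     # &lt; -> <
    if entity_decoded != value:
        layers.append("html-entity")
        value = entity_decoded
    return value, layers


def canonicalize(value, strict=True):
    """Reduce ``value`` to its simplest form by stripping encoding layers.

    Returns (canonical_value, layers_removed).  In strict mode any input that
    needed more than one decoding step, whether the same codec twice (double
    encoding) or two different codecs (mixed encoding), is rejected: legitimate
    clients never send a value that way, so the layering itself is the signal.
    """
    layers = []
    current = value
    for _ in range(MAX_DECODE_DEPTH + 1):
        decoded, found = _decode_once(current)
        if not found:                         # fixpoint reached
            if strict and len(layers) > 1:
                raise MultipleEncodingError(
                    f"input was encoded {len(layers)} times: {layers}")
            return decoded, layers
        layers.extend(found)
        current = decoded
    raise MultipleEncodingError(f"more than {MAX_DECODE_DEPTH} encoding layers")


# Constructed allow-list for the example: what a canonical username may look like.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(raw):
    """Input side: canonicalize first, then validate the canonical form."""
    try:
        canonical, _ = canonicalize(raw)
    except MultipleEncodingError:
        return False
    return USERNAME_RE.fullmatch(canonical) is not None


def render_greeting(name):
    """Output side: encode for the HTML body context at the point of use,
    regardless of what validation happened earlier."""
    return "<p>Hello, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    for sample in ("alice_01", "%61lice", "%3Cscript%3E", "%2561lice"):
        print(repr(sample), "->", is_valid_username(sample))
    print(render_greeting("<b>Bob</b>"))
```

The split matters for the "only using its canonicalization feature" point: canonicalization plus allow-list validation is a detection and rejection layer that belongs near the request boundary (what the thread calls a WAF-like self-defense measure), while `render_greeting` is the contextual encoding the Java Encoder provides and must be applied at every output site even when the input layer exists, because the two protect against different failure modes.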