yaoyi2008 / owasp-esapi-python Goto Github PK
View Code? Open in Web Editor NEWAutomatically exported from code.google.com/p/owasp-esapi-python
Automatically exported from code.google.com/p/owasp-esapi-python
Requirements: **If you have setuptools installed, you should be able to install all except KeyCzar and Visual C++ 2008 by doing 'easy_install <packagename>' in a shell or command prompt.** PyCrypto 2.01 - http://www.amk.ca/python/code/crypto PyCrypto requires a C Compiler. Windows users can us Visual C++ 2008 Express Edition - http://www.microsoft.com/express/vc/#webInstall KeyCzar 0.6b - http://www.keyczar.org/ KeyCzar requires PyASN1 - http://pypi.python.org/pypi/pyasn1 and simplejson, which is standard in 2.6 - http://pypi.python.org/pypi/simplejson PyLint 0.18.1 - Only needed for static analysis. - http://pypi.python.org/pypi/pylint Coverage module by Ned Batchelder v3.0.1 - Only needed if you want coverage analysis - http://pypi.python.org/pypi/coverage/3.0.1 Nose 0.11.1 - Only needed if you want to run unit tests together and combine it with coverage analysis - http://pypi.python.org/pypi/nose/0.11.1 Installation: * Install any of the missing dependencies listed above. * Extract the ESAPI on Python package. * Add the extracted folder to your Python path. One way to do this is to create a text file, such as 'esapi.pth', in your Python installation's Lib\site-packages folder. Copy the path of the folder you extracted into this text file. The path should have the 'esapi' folder inside. * Start a new interactive Python console and enter 'import esapi'. If you get no output, it ran successfully and you can move on to the next step. If you got "ImportError: No module named esapi", double check the step above. * By default, ESAPI is set up for Linux. If you are running ESAPI on Windows or wish to change these paths, you will need to modify the Encryptor_KeysLocation and Executor_WorkingDirectory settings in esapi/conf/settings.py AND esapi/test/conf/settings.py. You should use forward slashes in the paths. * See "To set up a crypto keyring" to generate the keys necessary for crypto. * Run the unit tests by opening a shell or command prompt in esapi/test and running runTests.bat or runTests.sh, depending on your platform. If you get around 7 errors relating to crypto, please ensure you have followed the steps under "To set up a crypto keyring". Note: Running all tests may appear to block or pause, particularly on Windows. This may be be due to exhaustion of the entropy pool. If it blocks, try moving the mouse, typing, or generating some disk activity to help regenerate the entropy pool. To adapt and integrate with your project: You can use as much or as little of ESAPI as you would like. You'll want to do a 'from esapi.core import ESAPI' and use the methods that class provides. To set up a crypto keyring: Select a root directory for your keyring, like /esapi/keyring/, and set Encryptor_KeysLocation in BOTH settings.py files to this string if you have not already. Open a python interactive shell and execute: from esapi.core import ESAPI ESAPI.encryptor().gen_keys() Modify esapi/conf/settings.py according to the output by replacing the Encryptor_MasterSalt line with the one given. Why there are two conf directories: One conf directory, esapi/conf, is used for the running application. This file ships with very conservative defaults. The other conf directory, esapi/test/conf, is used only for unit tests. It should never be used with any app because it is insecure by default. It contains specific configuration elements that are tied to the unit tests. To enable internationalization: Set the 'LANGUAGE' environment variable with your locale On *nix: export LANGUAGE=en_US On Windows: set LANGUAGE=en_US Please note that as of this writing, no translation files are available. A GNU gettext .pot file is available in esapi/conf/locale .
The reference encoder implementation does not encode the comma character (",")
in some cases where it should according to the OWASP XSS Prevention Cheat Sheet:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Shee
t#XSS_Prevention_Rules
To be specific, the comma should be removed from at least the following class
attributes of the class esapi.reference.default_encoder.DefaultEncoder:
- IMMUNE_HTMLATTR (as comma is mentioned in rule #2 of above cheat sheet)
- IMMUNE_JAVASCRIPT (as comma is mentioned in rule #3 of above cheat sheet)
Original issue reported on code.google.com by [email protected]
on 22 Jun 2011 at 12:32
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.