OWASP - User contributions [en]

Talk:XSS (Cross Site Scripting) Prevention Cheat Sheet

2017-08-03T20:02:04Z

Mseil: Migrated a bug for ESAPI over to where it belongs.

This was somehow entered as a [[bug for ESAPI:https://github.com/ESAPI/esapi-java-legacy/issues/247|bug for ESAPI:]]
The cheat sheet currently gives three examples of CSS

<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style> property value
<style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style> property value
text</style> property value
only 2 is safe against IE's expression syntax even when correctly encoded (see Issue 236).

The text then goes on to say:

"All attributes should be quoted but your encoding should be strong enough to prevent XSS when untrusted data is placed in unquoted contexts."

which is impossible since in an unquoted context, IE will still honour an encoded expression.

There's a missing syntax:

text</style> property value
It's a dangerous omission since it's the only safe syntax for the style attribute.

I think three things need to be done:

Add syntax example 4
Mark 1 and 3 as "unsafe"
Modify the wording underneath to read "All attributes should be quoted or they will be vulnerable to XSS" or similarly acknowledge that encoding isn't enough in unquoted contexts.

==============
Rule #5 has a few concerning points:
It mentions <a href=http://...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>link</a >, but I think more common is <a href=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>link</a > where the full href contents are untrusted. There should be some mention here about relative links too.

Is the following a contradiction?

"Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the %HH escaping format."

"Note that entity encoding is useless in this context."

The following is confusing and possibly nonsensical. "Including untrusted data in data: URLs should not be allowed as there is no good way to disable attacks with escaping to prevent switching out of the URL."

Other points about Rule #5:

There are numerous special characters that must be accepted in URLs. The note that entity encoding is useless is not quite right. Entity encoding is useful to stop injecting UP. The problem with it, which should be explained in the article, is that when an anchor tag is clicked on, the entities are interpreted. This usually means that the link has to be clicked on to trigger the payload. However, if there is other javascript on the page which references this href value, it will use the un-encoded value. I've seen this in redirection javascript.

Does forcing the untrusted data to start with http remediate this hole for absolute URLs? My assumption here is that the way to attack here would be to use "Javascript:some javascript" as the untrusted input.

== DOM Based XSS ==

Consider cross linking and adding information to ESAPI4JS for DOM-Based XSS Protection.

For quick reference it has nearly the same API as ESAPI for Java EE

$ESAPI.encoder().encodeForHTML()
$ESAPI.encoder().encodeForHTMLAttribute()
$ESAPI.encoder().encodeForJavaScript()
$ESAPI.encoder().encodeForCSS()

This also is a direct port of the Java EE Encoders
== Examples ==
Agree with all above. In addition – article will greatly benefit from examples of evil input data examples.
For instance statement “Most web frameworks have a method for HTML escaping for the characters detailed below. However, this is absolutely not sufficient for other HTML contexts” would be even bolder if accompanied with example of alert statement executable in different contexts after it was HTML escaped.
Like for code

<% String url = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) ); %>

<img src='$url'>

Following input : …

Will produce executable

“1.jpg' onerror='alert(document.cookie)”

ESAPI-BuildingWithEclipse

2016-04-04T03:50:33Z

Mseil:

==Prerequisites==
* JDK 1.6 or later [http://www.oracle.com/technetwork/java/javase/downloads/index.html download here]. Note that you need the JDK and not just the JRE.
* To support the latest versions of Maven, first download Maven [https://maven.apache.org/download.cgi here]. (Note: Maven 3.0 or later is required.)
* Eclipse IDE for Java EE Developers 3.3.x or later [http://www.eclipse.org/downloads/ download here]. Install EGit and m2e plug-ins via "Help->Install New Software...".
** EGit Plug-in for Eclipse - Instructions on installing EGit plug-in can be found [https://eclipse.github.io/ here]
** M2E - Maven Integration for Eclipse - You can install the latest version from within Eclipse using the following [https://eclipse.org/m2e/ update site]
** Note that other git and Maven plug-in combinations for Eclipse are possible.

==Spring Source ToolSuite==
STS is an eclipse distribution from the Spring foundation. If you just care about getting up and running, and don't care about bloat, download here: https://spring.io/tools/sts/all

On Windows and linux distros, all you should have to do after extracting the main STS folder, is to navigate into the folder, and double-clicking the file "STS" or "STS.exe"

It comes pre-packaged with a git plugin (so you can skip those instructions below) as well as its own versions of Ant and Maven. You should be able to follow the "EGit" section to clone/import ESAPI in STS as soon as you have it running. It still has a minimum dependency of java 1.6 jdk.

Detailed steps:

1. Right click on the "Package Explorer" pane, and select "import."

2. Filter on "git" and select "Projects from git."

3. Select "Clone URI"

4. Enter the URI: https://github.com/ESAPI/esapi-java-legacy.git

5. Click "Next."

6. Click "Next" again.

7. Select where you want to store the cloned repo, it defaults to %USERPROFILE%\git\esapi-java-legacy on windows.

8. click "Next."

9. On the import wizard, cancel.

10. Right-click again on the package explorer, and click import, filter on "Maven" and click on "Existing Maven Projects."

11. Navigate to the folder you created in step 7. Select "esapi-java-legacy" and click next.

12. Click finish.

Congratulations! You are ready to develop!

==Configuration==
* For Winodws, create an Eclipse shortcut
* Right-Click your Eclipse shortcut and select Properties
* At the end of the line that says Target, add -vm "x" where x is the location of a JDK (e.g., "C:\Program Files\Java\jdk7\bin") - This step is necessary for the Maven plugin to work. (If you installed Eclipse under Linux distro after you already had a JDK installed, this probably was already done for you.)
* Restart Eclipse using the edited shortcut.

==Importing the ESAPI Source==

If you choose to use the ESAPI GitHub code,Import Existing Eclipse projects." follow the instructions at [[ESAPI-Building]]. Unless you have been added to the ESAPI project as a contributor, please use the submit fixes using [https://help.github.com/articles/using-pull-requests/ Git "pull requests"].

If you are using EGit, as recommended, open Eclipse and:
* Click ''File'' -> ''New'' -> ''Other....''.
* From the ''Git Folder'' select '"Checkout Projects from Git'' (this option will only be available if you have a Git plug-in installed) and hit ''Next >''.
* Click the ''Create a new repository location'' radio button.
* If you are not listed as a project contributor, insert ''https://github.com/ESAPI/esapi-java-legacy.git'' as the URL. If you are listed as a project contributor, check the github page for the URL to use.
* Once the directory structure appears in the window, click the URL at the top to download everything. Then hit ''Next >''
* Select your desired project options. For most people, the default options should be fine. When finished, click ''Next >''.
* Select your desired workspace options, then click ''Finish''. The latest ESAPI source files will then be downloaded to your workspace. This may take a few minutes.
* After the source code is finished downloading, ensure that the character type of all source code is UTF-8. In Eclipse, right click on the project directory root. At the bottom of the right-click list, choose PROPERTIES. From the PROPERTIES window, select the RESOURCES section (which is selected by default). Ensure that the "Text file encoding" section is set to OTHER->UTF 8. If if it is not, change it and click APPLY->OK.

==Project Setup==

Some configuration may be necessary for ESAPI to compile and build on your system.

ESAPI requires the Java JRE 6 or later.

* Once Java 6.0+ is installed, open the ''Navigator view'' in Eclipse. If this is currently hidden, from the toolbar click ''Window'' -> ''Show View'' -> ''Navigator''.
* Right-click on your ESAPI project in the Navigator, mouse over ''Maven'' and click ''Enable Dependency Management''
** ''Note:'' If Maven is not an option when you right-click on the project, be sure the Maven plugin for eclipse is installed, as described above.
** ''Note:'' If ''Enable Dependency Management'' is not an option, dependency management is probably already enabled, So this step can be skipped.
* ''Right-click on the ESAPI project root folder'' in the Navigator view and select ''Properties''.
* From the left column, select ''Java Build Path''. Under the ''Libraries'' tab, be sure a JRE or JDK is listed next to ''JRE System Library''. If there is a red X on next to the JRE, remove the current JRE and click ''Add Library'' and select an alternate JRE. If you are having trouble figuring out what version the current JRE is, select ''Installed JREs'' and look at the location to which each version is mapped.
* The Libraries tab should list ''JRE System Library'' and ''Maven Dependencies''. If anything else is listed, it is not necessary and should be removed. Maven now handles all dependencies.
* From the left column, select ''Java Compiler''. Be sure ''Compiler compliance level'', ''Generated .class files compatibility'', and ''Source compatibility'' are all set to ''1.6''. (Note: Most of us use JDK 7 or JDK 8 to build ESAPI, but we use '-source 1.6 -target 1.6' when we compile to still support really old web applications still using JDK 1.6.)
* Close the properties window.
* ''Right-click the ESAPI project root folder'' and select ''Refresh''.
* From the toolbar, select ''Project'' -> ''Clean..'' and select the ESAPI project. Click ''OK''.
* If errors remain, select ''Maven'' again, then ''Update Dependencies''.
* ESAPI should now be compiled.

==Building==

Building ESAPI should be easy with the new Maven integration.

Once your environment is set up, as specified above:
* Right-Click your ESAPI project root folder
* Select ''Run As...''
* Select ''Run Configurations''
* Double Click "Maven Build" from the options on the left to create a new configuration.
* Name your configuration at the top. This will be for building ESAPI without running JUnit tests.
* The "Base directory" should point to the root of your project
* The "Goals" field type "package"
* Any options not mentioned should be left as their default
* Click "Apply" to save your build configuration
* Click "Run" to run your configuration

''NOTE: Jars created through building are located in the directory called "target". ''

==Running Demo App==

The ESAPI Demo application has been named ''The ESAPI Swingset''. More information about Swingset is available [http://www.owasp.org/index.php/ESAPI_Swingset here].

__NOTOC__

[[Category:OWASP Enterprise Security API]]

ESAPI-BuildingWithEclipse

2016-04-04T03:50:12Z

Mseil:

==Prerequisites==
* JDK 1.6 or later [http://www.oracle.com/technetwork/java/javase/downloads/index.html download here]. Note that you need the JDK and not just the JRE.
* To support the latest versions of Maven, first download Maven [https://maven.apache.org/download.cgi here]. (Note: Maven 3.0 or later is required.)
* Eclipse IDE for Java EE Developers 3.3.x or later [http://www.eclipse.org/downloads/ download here]. Install EGit and m2e plug-ins via "Help->Install New Software...".
** EGit Plug-in for Eclipse - Instructions on installing EGit plug-in can be found [https://eclipse.github.io/ here]
** M2E - Maven Integration for Eclipse - You can install the latest version from within Eclipse using the following [https://eclipse.org/m2e/ update site]
** Note that other git and Maven plug-in combinations for Eclipse are possible.

==Spring Source ToolSuite==
STS is an eclipse distribution from the Spring foundation. If you just care about getting up and running, and don't care about bloat, download here: https://spring.io/tools/sts/all

On Windows and linux distros, all you should have to do after extracting the main STS folder, is to navigate into the folder, and double-clicking the file "STS" or "STS.exe"

It comes pre-packaged with a git plugin (so you can skip those instructions below) as well as its own versions of Ant and Maven. You should be able to follow the "EGit" section to clone/import ESAPI in STS as soon as you have it running. It still has a minimum dependency of java 1.6 jdk.

Detailed steps:

1. Right click on the "Package Explorer" pane, and select "import."

2. Filter on "git" and select "Projects from git."

3. Select "Clone URI"

4. Enter the URI: https://github.com/ESAPI/esapi-java-legacy.git
5. Click "Next."
6. Click "Next" again.
7. Select where you want to store the cloned repo, it defaults to %USERPROFILE%\git\esapi-java-legacy on windows.
8. click "Next."
9. On the import wizard, cancel.
10. Right-click again on the package explorer, and click import, filter on "Maven" and click on "Existing Maven Projects."
11. Navigate to the folder you created in step 7. Select "esapi-java-legacy" and click next.
12. Click finish.

Congratulations! You are ready to develop!

==Configuration==
* For Winodws, create an Eclipse shortcut
* Right-Click your Eclipse shortcut and select Properties
* At the end of the line that says Target, add -vm "x" where x is the location of a JDK (e.g., "C:\Program Files\Java\jdk7\bin") - This step is necessary for the Maven plugin to work. (If you installed Eclipse under Linux distro after you already had a JDK installed, this probably was already done for you.)
* Restart Eclipse using the edited shortcut.

==Importing the ESAPI Source==

If you choose to use the ESAPI GitHub code,Import Existing Eclipse projects." follow the instructions at [[ESAPI-Building]]. Unless you have been added to the ESAPI project as a contributor, please use the submit fixes using [https://help.github.com/articles/using-pull-requests/ Git "pull requests"].

If you are using EGit, as recommended, open Eclipse and:
* Click ''File'' -> ''New'' -> ''Other....''.
* From the ''Git Folder'' select '"Checkout Projects from Git'' (this option will only be available if you have a Git plug-in installed) and hit ''Next >''.
* Click the ''Create a new repository location'' radio button.
* If you are not listed as a project contributor, insert ''https://github.com/ESAPI/esapi-java-legacy.git'' as the URL. If you are listed as a project contributor, check the github page for the URL to use.
* Once the directory structure appears in the window, click the URL at the top to download everything. Then hit ''Next >''
* Select your desired project options. For most people, the default options should be fine. When finished, click ''Next >''.
* Select your desired workspace options, then click ''Finish''. The latest ESAPI source files will then be downloaded to your workspace. This may take a few minutes.
* After the source code is finished downloading, ensure that the character type of all source code is UTF-8. In Eclipse, right click on the project directory root. At the bottom of the right-click list, choose PROPERTIES. From the PROPERTIES window, select the RESOURCES section (which is selected by default). Ensure that the "Text file encoding" section is set to OTHER->UTF 8. If if it is not, change it and click APPLY->OK.

==Project Setup==

Some configuration may be necessary for ESAPI to compile and build on your system.

ESAPI requires the Java JRE 6 or later.

* Once Java 6.0+ is installed, open the ''Navigator view'' in Eclipse. If this is currently hidden, from the toolbar click ''Window'' -> ''Show View'' -> ''Navigator''.
* Right-click on your ESAPI project in the Navigator, mouse over ''Maven'' and click ''Enable Dependency Management''
** ''Note:'' If Maven is not an option when you right-click on the project, be sure the Maven plugin for eclipse is installed, as described above.
** ''Note:'' If ''Enable Dependency Management'' is not an option, dependency management is probably already enabled, So this step can be skipped.
* ''Right-click on the ESAPI project root folder'' in the Navigator view and select ''Properties''.
* From the left column, select ''Java Build Path''. Under the ''Libraries'' tab, be sure a JRE or JDK is listed next to ''JRE System Library''. If there is a red X on next to the JRE, remove the current JRE and click ''Add Library'' and select an alternate JRE. If you are having trouble figuring out what version the current JRE is, select ''Installed JREs'' and look at the location to which each version is mapped.
* The Libraries tab should list ''JRE System Library'' and ''Maven Dependencies''. If anything else is listed, it is not necessary and should be removed. Maven now handles all dependencies.
* From the left column, select ''Java Compiler''. Be sure ''Compiler compliance level'', ''Generated .class files compatibility'', and ''Source compatibility'' are all set to ''1.6''. (Note: Most of us use JDK 7 or JDK 8 to build ESAPI, but we use '-source 1.6 -target 1.6' when we compile to still support really old web applications still using JDK 1.6.)
* Close the properties window.
* ''Right-click the ESAPI project root folder'' and select ''Refresh''.
* From the toolbar, select ''Project'' -> ''Clean..'' and select the ESAPI project. Click ''OK''.
* If errors remain, select ''Maven'' again, then ''Update Dependencies''.
* ESAPI should now be compiled.

==Building==

Building ESAPI should be easy with the new Maven integration.

Once your environment is set up, as specified above:
* Right-Click your ESAPI project root folder
* Select ''Run As...''
* Select ''Run Configurations''
* Double Click "Maven Build" from the options on the left to create a new configuration.
* Name your configuration at the top. This will be for building ESAPI without running JUnit tests.
* The "Base directory" should point to the root of your project
* The "Goals" field type "package"
* Any options not mentioned should be left as their default
* Click "Apply" to save your build configuration
* Click "Run" to run your configuration

''NOTE: Jars created through building are located in the directory called "target". ''

==Running Demo App==

The ESAPI Demo application has been named ''The ESAPI Swingset''. More information about Swingset is available [http://www.owasp.org/index.php/ESAPI_Swingset here].

__NOTOC__

[[Category:OWASP Enterprise Security API]]

ESAPI-BuildingWithEclipse

2016-04-04T03:46:57Z

Mseil:

==Prerequisites==
* JDK 1.6 or later [http://www.oracle.com/technetwork/java/javase/downloads/index.html download here]. Note that you need the JDK and not just the JRE.
* To support the latest versions of Maven, first download Maven [https://maven.apache.org/download.cgi here]. (Note: Maven 3.0 or later is required.)
* Eclipse IDE for Java EE Developers 3.3.x or later [http://www.eclipse.org/downloads/ download here]. Install EGit and m2e plug-ins via "Help->Install New Software...".
** EGit Plug-in for Eclipse - Instructions on installing EGit plug-in can be found [https://eclipse.github.io/ here]
** M2E - Maven Integration for Eclipse - You can install the latest version from within Eclipse using the following [https://eclipse.org/m2e/ update site]
** Note that other git and Maven plug-in combinations for Eclipse are possible.

==Spring Source ToolSuite==
STS is an eclipse distribution from the Spring foundation. If you just care about getting up and running, and don't care about bloat, download here: https://spring.io/tools/sts/all

On Windows and linux distros, all you should have to do after extracting the main STS folder, is to navigate into the folder, and double-clicking the file "STS" or "STS.exe"

It comes pre-packaged with a git plugin (so you can skip those instructions below) as well as its own versions of Ant and Maven. You should be able to follow the "EGit" section to clone/import ESAPI in STS as soon as you have it running. It still has a minimum dependency of java 1.6 jdk.

Detailed steps:

1. Right click on the "Package Explorer" pane, and select "import."
2. Filter on "git" and select "Projects from git."
3. Select "Clone URI"
4. Enter the URI: https://github.com/ESAPI/esapi-java-legacy.git
5. Click "Next."
6. Click "Next" again.
7. Select where you want to store the cloned repo, it defaults to %USERPROFILE%\git\esapi-java-legacy on windows.
8. click "Next."
9. On the import wizard, cancel.
10. Right-click again on the package explorer, and click import, filter on "Maven" and click on "Existing Maven Projects."
11. Navigate to the folder you created in step 7. Select "esapi-java-legacy" and click next.
12. Click finish.

Congratulations! You are ready to develop!

==Configuration==
* For Winodws, create an Eclipse shortcut
* Right-Click your Eclipse shortcut and select Properties
* At the end of the line that says Target, add -vm "x" where x is the location of a JDK (e.g., "C:\Program Files\Java\jdk7\bin") - This step is necessary for the Maven plugin to work. (If you installed Eclipse under Linux distro after you already had a JDK installed, this probably was already done for you.)
* Restart Eclipse using the edited shortcut.

==Importing the ESAPI Source==

If you choose to use the ESAPI GitHub code,Import Existing Eclipse projects." follow the instructions at [[ESAPI-Building]]. Unless you have been added to the ESAPI project as a contributor, please use the submit fixes using [https://help.github.com/articles/using-pull-requests/ Git "pull requests"].

If you are using EGit, as recommended, open Eclipse and:
* Click ''File'' -> ''New'' -> ''Other....''.
* From the ''Git Folder'' select '"Checkout Projects from Git'' (this option will only be available if you have a Git plug-in installed) and hit ''Next >''.
* Click the ''Create a new repository location'' radio button.
* If you are not listed as a project contributor, insert ''https://github.com/ESAPI/esapi-java-legacy.git'' as the URL. If you are listed as a project contributor, check the github page for the URL to use.
* Once the directory structure appears in the window, click the URL at the top to download everything. Then hit ''Next >''
* Select your desired project options. For most people, the default options should be fine. When finished, click ''Next >''.
* Select your desired workspace options, then click ''Finish''. The latest ESAPI source files will then be downloaded to your workspace. This may take a few minutes.
* After the source code is finished downloading, ensure that the character type of all source code is UTF-8. In Eclipse, right click on the project directory root. At the bottom of the right-click list, choose PROPERTIES. From the PROPERTIES window, select the RESOURCES section (which is selected by default). Ensure that the "Text file encoding" section is set to OTHER->UTF 8. If if it is not, change it and click APPLY->OK.

==Project Setup==

Some configuration may be necessary for ESAPI to compile and build on your system.

ESAPI requires the Java JRE 6 or later.

* Once Java 6.0+ is installed, open the ''Navigator view'' in Eclipse. If this is currently hidden, from the toolbar click ''Window'' -> ''Show View'' -> ''Navigator''.
* Right-click on your ESAPI project in the Navigator, mouse over ''Maven'' and click ''Enable Dependency Management''
** ''Note:'' If Maven is not an option when you right-click on the project, be sure the Maven plugin for eclipse is installed, as described above.
** ''Note:'' If ''Enable Dependency Management'' is not an option, dependency management is probably already enabled, So this step can be skipped.
* ''Right-click on the ESAPI project root folder'' in the Navigator view and select ''Properties''.
* From the left column, select ''Java Build Path''. Under the ''Libraries'' tab, be sure a JRE or JDK is listed next to ''JRE System Library''. If there is a red X on next to the JRE, remove the current JRE and click ''Add Library'' and select an alternate JRE. If you are having trouble figuring out what version the current JRE is, select ''Installed JREs'' and look at the location to which each version is mapped.
* The Libraries tab should list ''JRE System Library'' and ''Maven Dependencies''. If anything else is listed, it is not necessary and should be removed. Maven now handles all dependencies.
* From the left column, select ''Java Compiler''. Be sure ''Compiler compliance level'', ''Generated .class files compatibility'', and ''Source compatibility'' are all set to ''1.6''. (Note: Most of us use JDK 7 or JDK 8 to build ESAPI, but we use '-source 1.6 -target 1.6' when we compile to still support really old web applications still using JDK 1.6.)
* Close the properties window.
* ''Right-click the ESAPI project root folder'' and select ''Refresh''.
* From the toolbar, select ''Project'' -> ''Clean..'' and select the ESAPI project. Click ''OK''.
* If errors remain, select ''Maven'' again, then ''Update Dependencies''.
* ESAPI should now be compiled.

==Building==

Building ESAPI should be easy with the new Maven integration.

Once your environment is set up, as specified above:
* Right-Click your ESAPI project root folder
* Select ''Run As...''
* Select ''Run Configurations''
* Double Click "Maven Build" from the options on the left to create a new configuration.
* Name your configuration at the top. This will be for building ESAPI without running JUnit tests.
* The "Base directory" should point to the root of your project
* The "Goals" field type "package"
* Any options not mentioned should be left as their default
* Click "Apply" to save your build configuration
* Click "Run" to run your configuration

''NOTE: Jars created through building are located in the directory called "target". ''

==Running Demo App==

The ESAPI Demo application has been named ''The ESAPI Swingset''. More information about Swingset is available [http://www.owasp.org/index.php/ESAPI_Swingset here].

__NOTOC__

[[Category:OWASP Enterprise Security API]]

ESAPI-BuildingWithEclipse

2016-03-28T16:27:40Z

Mseil:

==Prerequisites==
* JDK 1.6 or later [http://www.oracle.com/technetwork/java/javase/downloads/index.html download here]. Note that you need the JDK and not just the JRE.
* To support the latest versions of Maven, first download Maven [https://maven.apache.org/download.cgi here]. (Note: Maven 3.0 or later is required.)
* Eclipse IDE for Java EE Developers 3.3.x or later [http://www.eclipse.org/downloads/ download here]. Install EGit and m2e plug-ins via "Help->Install New Software...".
** EGit Plug-in for Eclipse - Instructions on installing EGit plug-in can be found [https://eclipse.github.io/ here]
** M2E - Maven Integration for Eclipse - You can install the latest version from within Eclipse using the following [https://eclipse.org/m2e/ update site]
** Note that other git and Maven plug-in combinations for Eclipse are possible.

==Spring Source ToolSuite==
STS is an eclipse distribution from the Spring foundation. If you just care about getting up and running, and don't care about bloat, download here: https://spring.io/tools/sts/all

On Windows and linux distros, all you should have to do after extracting the main STS folder, is to navigate into the folder, and double-clicking the file "STS" or "STS.exe"

It comes pre-packaged with a git plugin (so you can skip those instructions below) as well as its own versions of Ant and Maven. You should be able to follow the "EGit" section to clone/import ESAPI in STS as soon as you have it running. It still has a minimum dependency of java 1.6 jdk.

==Configuration==
* For Winodws, create an Eclipse shortcut
* Right-Click your Eclipse shortcut and select Properties
* At the end of the line that says Target, add -vm "x" where x is the location of a JDK (e.g., "C:\Program Files\Java\jdk7\bin") - This step is necessary for the Maven plugin to work. (If you installed Eclipse under Linux distro after you already had a JDK installed, this probably was already done for you.)
* Restart Eclipse using the edited shortcut.

==Importing the ESAPI Source==

If you choose to use the ESAPI GitHub code, follow the instructions at [[ESAPI-Building]]. Unless you have been added to the ESAPI project as a contributor, please use the submit fixes using [https://help.github.com/articles/using-pull-requests/ Git "pull requests"].

If you are using EGit, as recommended, open Eclipse and:
* Click ''File'' -> ''New'' -> ''Other....''.
* From the ''Git Folder'' select '"Checkout Projects from Git'' (this option will only be available if you have a Git plug-in installed) and hit ''Next >''.
* Click the ''Create a new repository location'' radio button.
* If you are not listed as a project contributor, insert ''https://github.com/ESAPI/esapi-java-legacy.git'' as the URL. If you are listed as a project contributor, check the github page for the URL to use.
* Once the directory structure appears in the window, click the URL at the top to download everything. Then hit ''Next >''
* Select your desired project options. For most people, the default options should be fine. When finished, click ''Next >''.
* Select your desired workspace options, then click ''Finish''. The latest ESAPI source files will then be downloaded to your workspace. This may take a few minutes.
* After the source code is finished downloading, ensure that the character type of all source code is UTF-8. In Eclipse, right click on the project directory root. At the bottom of the right-click list, choose PROPERTIES. From the PROPERTIES window, select the RESOURCES section (which is selected by default). Ensure that the "Text file encoding" section is set to OTHER->UTF 8. If if it is not, change it and click APPLY->OK.

==Project Setup==

Some configuration may be necessary for ESAPI to compile and build on your system.

ESAPI requires the Java JRE 6 or later.

* Once Java 6.0+ is installed, open the ''Navigator view'' in Eclipse. If this is currently hidden, from the toolbar click ''Window'' -> ''Show View'' -> ''Navigator''.
* Right-click on your ESAPI project in the Navigator, mouse over ''Maven'' and click ''Enable Dependency Management''
** ''Note:'' If Maven is not an option when you right-click on the project, be sure the Maven plugin for eclipse is installed, as described above.
** ''Note:'' If ''Enable Dependency Management'' is not an option, dependency management is probably already enabled, So this step can be skipped.
* ''Right-click on the ESAPI project root folder'' in the Navigator view and select ''Properties''.
* From the left column, select ''Java Build Path''. Under the ''Libraries'' tab, be sure a JRE or JDK is listed next to ''JRE System Library''. If there is a red X on next to the JRE, remove the current JRE and click ''Add Library'' and select an alternate JRE. If you are having trouble figuring out what version the current JRE is, select ''Installed JREs'' and look at the location to which each version is mapped.
* The Libraries tab should list ''JRE System Library'' and ''Maven Dependencies''. If anything else is listed, it is not necessary and should be removed. Maven now handles all dependencies.
* From the left column, select ''Java Compiler''. Be sure ''Compiler compliance level'', ''Generated .class files compatibility'', and ''Source compatibility'' are all set to ''1.6''. (Note: Most of us use JDK 7 or JDK 8 to build ESAPI, but we use '-source 1.6 -target 1.6' when we compile to still support really old web applications still using JDK 1.6.)
* Close the properties window.
* ''Right-click the ESAPI project root folder'' and select ''Refresh''.
* From the toolbar, select ''Project'' -> ''Clean..'' and select the ESAPI project. Click ''OK''.
* If errors remain, select ''Maven'' again, then ''Update Dependencies''.
* ESAPI should now be compiled.

==Building==

Building ESAPI should be easy with the new Maven integration.

Once your environment is set up, as specified above:
* Right-Click your ESAPI project root folder
* Select ''Run As...''
* Select ''Run Configurations''
* Double Click "Maven Build" from the options on the left to create a new configuration.
* Name your configuration at the top. This will be for building ESAPI without running JUnit tests.
* The "Base directory" should point to the root of your project
* The "Goals" field type "package"
* Any options not mentioned should be left as their default
* Click "Apply" to save your build configuration
* Click "Run" to run your configuration

''NOTE: Jars created through building are located in the directory called "target". ''

==Running Demo App==

The ESAPI Demo application has been named ''The ESAPI Swingset''. More information about Swingset is available [http://www.owasp.org/index.php/ESAPI_Swingset here].

__NOTOC__

[[Category:OWASP Enterprise Security API]]

ESAPI-BuildingWithEclipse

2016-03-27T21:21:51Z

Mseil:

==Prerequisites==
* JDK 1.6 or later [http://www.oracle.com/technetwork/java/javase/downloads/index.html download here]. Note that you need the JDK and not just the JRE.
* To support the latest versions of Maven, first download Maven [https://maven.apache.org/download.cgi here]. (Note: Maven 3.0 or later is required.)
* Eclipse IDE for Java EE Developers 3.3.x or later [http://www.eclipse.org/downloads/ download here]. Install EGit and m2e plug-ins via "Help->Install New Software...".
** EGit Plug-in for Eclipse - Instructions on installing EGit plug-in can be found [https://eclipse.github.io/ here]
** M2E - Maven Integration for Eclipse - You can install the latest version from within Eclipse using the following [https://eclipse.org/m2e/ update site]
** Note that other git and Maven plug-in combinations for Eclipse are possible.

==Configuration==
* For Winodws, create an Eclipse shortcut
* Right-Click your Eclipse shortcut and select Properties
* At the end of the line that says Target, add -vm "x" where x is the location of a JDK (e.g., "C:\Program Files\Java\jdk7\bin") - This step is necessary for the Maven plugin to work. (If you installed Eclipse under Linux distro after you already had a JDK installed, this probably was already done for you.)
* Restart Eclipse using the edited shortcut.

==Importing the ESAPI Source==

If you choose to use the ESAPI GitHub code, follow the instructions at [[ESAPI-Building]]. Unless you have been added to the ESAPI project as a contributor, please use the submit fixes using [https://help.github.com/articles/using-pull-requests/ Git "pull requests"].

If you are using EGit, as recommended, open Eclipse and:
* Click ''File'' -> ''New'' -> ''Other....''.
* From the ''Git Folder'' select '"Checkout Projects from Git'' (this option will only be available if you have a Git plug-in installed) and hit ''Next >''.
* Click the ''Create a new repository location'' radio button.
* If you are not listed as a project contributor, insert ''https://github.com/ESAPI/esapi-java-legacy.git'' as the URL. If you are listed as a project contributor, check the github page for the URL to use.
* Once the directory structure appears in the window, click the URL at the top to download everything. Then hit ''Next >''
* Select your desired project options. For most people, the default options should be fine. When finished, click ''Next >''.
* Select your desired workspace options, then click ''Finish''. The latest ESAPI source files will then be downloaded to your workspace. This may take a few minutes.
* After the source code is finished downloading, ensure that the character type of all source code is UTF-8. In Eclipse, right click on the project directory root. At the bottom of the right-click list, choose PROPERTIES. From the PROPERTIES window, select the RESOURCES section (which is selected by default). Ensure that the "Text file encoding" section is set to OTHER->UTF 8. If if it is not, change it and click APPLY->OK.

==Project Setup==

Some configuration may be necessary for ESAPI to compile and build on your system.

ESAPI requires the Java JRE 6 or later.

* Once Java 6.0+ is installed, open the ''Navigator view'' in Eclipse. If this is currently hidden, from the toolbar click ''Window'' -> ''Show View'' -> ''Navigator''.
* Right-click on your ESAPI project in the Navigator, mouse over ''Maven'' and click ''Enable Dependency Management''
** ''Note:'' If Maven is not an option when you right-click on the project, be sure the Maven plugin for eclipse is installed, as described above.
** ''Note:'' If ''Enable Dependency Management'' is not an option, dependency management is probably already enabled, So this step can be skipped.
* ''Right-click on the ESAPI project root folder'' in the Navigator view and select ''Properties''.
* From the left column, select ''Java Build Path''. Under the ''Libraries'' tab, be sure a JRE or JDK is listed next to ''JRE System Library''. If there is a red X on next to the JRE, remove the current JRE and click ''Add Library'' and select an alternate JRE. If you are having trouble figuring out what version the current JRE is, select ''Installed JREs'' and look at the location to which each version is mapped.
* The Libraries tab should list ''JRE System Library'' and ''Maven Dependencies''. If anything else is listed, it is not necessary and should be removed. Maven now handles all dependencies.
* From the left column, select ''Java Compiler''. Be sure ''Compiler compliance level'', ''Generated .class files compatibility'', and ''Source compatibility'' are all set to ''1.6''. (Note: Most of us use JDK 7 or JDK 8 to build ESAPI, but we use '-source 1.6 -target 1.6' when we compile to still support really old web applications still using JDK 1.6.)
* Close the properties window.
* ''Right-click the ESAPI project root folder'' and select ''Refresh''.
* From the toolbar, select ''Project'' -> ''Clean..'' and select the ESAPI project. Click ''OK''.
* If errors remain, select ''Maven'' again, then ''Update Dependencies''.
* ESAPI should now be compiled.

==Building==

Building ESAPI should be easy with the new Maven integration.

Once your environment is set up, as specified above:
* Right-Click your ESAPI project root folder
* Select ''Run As...''
* Select ''Run Configurations''
* Double Click "Maven Build" from the options on the left to create a new configuration.
* Name your configuration at the top. This will be for building ESAPI without running JUnit tests.
* The "Base directory" should point to the root of your project
* The "Goals" field type "package"
* Any options not mentioned should be left as their default
* Click "Apply" to save your build configuration
* Click "Run" to run your configuration

''NOTE: Jars created through building are located in the directory called "target". ''

==Running Demo App==

The ESAPI Demo application has been named ''The ESAPI Swingset''. More information about Swingset is available [http://www.owasp.org/index.php/ESAPI_Swingset here].

__NOTOC__

[[Category:OWASP Enterprise Security API]]

ESAPI-BuildingWithEclipse

2016-03-27T21:18:33Z

Mseil: Updated source code link

==Prerequisites==
* JDK 1.6 or later [http://www.oracle.com/technetwork/java/javase/downloads/index.html download here]. Note that you need the JDK and not just the JRE.
* To support the latest versions of Maven, first download Maven [https://maven.apache.org/download.cgi here]. (Note: Maven 3.0 or later is required.)
* Eclipse IDE for Java EE Developers 3.3.x or later [http://www.eclipse.org/downloads/ download here]. Install EGit and m2e plug-ins via "Help->Install New Software...".
** EGit Plug-in for Eclipse - Instructions on installing EGit plug-in can be found [https://eclipse.github.io/ here]
** M2E - Maven Integration for Eclipse - You can install the latest version from within Eclipse using the following [https://eclipse.org/m2e/ update site]
** Note that other git and Maven plug-in combinations for Eclipse are possible.

==Configuration==
* For Winodws, create an Eclipse shortcut
* Right-Click your Eclipse shortcut and select Properties
* At the end of the line that says Target, add -vm "x" where x is the location of a JDK (e.g., "C:\Program Files\Java\jdk7\bin") - This step is necessary for the Maven plugin to work. (If you installed Eclipse under Linux distro after you already had a JDK installed, this probably was already done for you.)
* Restart Eclipse using the edited shortcut.

==Importing the ESAPI Source==

If you choose to use the ESAPI GitHub code, follow the instructions at [[ESAPI-Building]]. Unless you have been added to the ESAPI project as a contributor, please use the submit fixes using [https://help.github.com/articles/using-pull-requests/ Git "pull requests"].

If you are using EGit, as recommended, open Eclipse and:
* Click ''File'' -> ''New'' -> ''Other....''.
* From the ''Git Folder'' select '"Checkout Projects from Git'' (this option will only be available if you have a Git plug-in installed) and hit ''Next >''.
* Click the ''Create a new repository location'' radio button.
* If you are not listed as a project contributor, insert ''https://github.com/ESAPI/esapi-java-legacy.git'' as the URL. If you are listed as a project contributor, check the Google Code page for the URL to use. (Note: if you are a contributor, when prompted for your SVN password, use your Google generated password, available from the Google Code Source page.)
* Once the directory structure appears in the window, click the URL at the top to download everything. Then hit ''Next >''
* Select your desired project options. For most people, the default options should be fine. When finished, click ''Next >''.
* Select your desired workspace options, then click ''Finish''. The latest ESAPI source files will then be downloaded to your workspace. This may take a few minutes.
* After the source code is finished downloading, ensure that the character type of all source code is UTF-8. In Eclipse, right click on the project directory root. At the bottom of the right-click list, choose PROPERTIES. From the PROPERTIES window, select the RESOURCES section (which is selected by default). Ensure that the "Text file encoding" section is set to OTHER->UTF 8. If if it is not, change it and click APPLY->OK.

==Project Setup==

Some configuration may be necessary for ESAPI to compile and build on your system.

ESAPI requires the Java JRE 6 or later.

* Once Java 6.0+ is installed, open the ''Navigator view'' in Eclipse. If this is currently hidden, from the toolbar click ''Window'' -> ''Show View'' -> ''Navigator''.
* Right-click on your ESAPI project in the Navigator, mouse over ''Maven'' and click ''Enable Dependency Management''
** ''Note:'' If Maven is not an option when you right-click on the project, be sure the Maven plugin for eclipse is installed, as described above.
** ''Note:'' If ''Enable Dependency Management'' is not an option, dependency management is probably already enabled, So this step can be skipped.
* ''Right-click on the ESAPI project root folder'' in the Navigator view and select ''Properties''.
* From the left column, select ''Java Build Path''. Under the ''Libraries'' tab, be sure a JRE or JDK is listed next to ''JRE System Library''. If there is a red X on next to the JRE, remove the current JRE and click ''Add Library'' and select an alternate JRE. If you are having trouble figuring out what version the current JRE is, select ''Installed JREs'' and look at the location to which each version is mapped.
* The Libraries tab should list ''JRE System Library'' and ''Maven Dependencies''. If anything else is listed, it is not necessary and should be removed. Maven now handles all dependencies.
* From the left column, select ''Java Compiler''. Be sure ''Compiler compliance level'', ''Generated .class files compatibility'', and ''Source compatibility'' are all set to ''1.6''. (Note: Most of us use JDK 7 or JDK 8 to build ESAPI, but we use '-source 1.6 -target 1.6' when we compile to still support really old web applications still using JDK 1.6.)
* Close the properties window.
* ''Right-click the ESAPI project root folder'' and select ''Refresh''.
* From the toolbar, select ''Project'' -> ''Clean..'' and select the ESAPI project. Click ''OK''.
* If errors remain, select ''Maven'' again, then ''Update Dependencies''.
* ESAPI should now be compiled.

==Building==

Building ESAPI should be easy with the new Maven integration.

Once your environment is set up, as specified above:
* Right-Click your ESAPI project root folder
* Select ''Run As...''
* Select ''Run Configurations''
* Double Click "Maven Build" from the options on the left to create a new configuration.
* Name your configuration at the top. This will be for building ESAPI without running JUnit tests.
* The "Base directory" should point to the root of your project
* The "Goals" field type "package"
* Any options not mentioned should be left as their default
* Click "Apply" to save your build configuration
* Click "Run" to run your configuration

''NOTE: Jars created through building are located in the directory called "target". ''

==Running Demo App==

The ESAPI Demo application has been named ''The ESAPI Swingset''. More information about Swingset is available [http://www.owasp.org/index.php/ESAPI_Swingset here].

__NOTOC__

[[Category:OWASP Enterprise Security API]]