This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Projects/OWASP Java Encoder Project

From OWASP

Revision as of 20:06, 30 March 2012 by Jmanico (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Main
Build the Java Encoder Project
Use the Java Encoder Project

PROJECT INFO
What does this OWASP project offer you?

RELEASE(S) INFO
What releases are available for this project?

what	is this project?
Name: OWASP Java Encoder Project (home page)
Purpose: This project is a simple-to-use drop-in encoder class with little baggage. This code was designed for high-availability/high-performance encoding functionality. The key motivation for the separate project was: Simple drop-in encoding functionality Redesigned for performance More complete API (uri and uri component encoding, etc) in some regards. This is a Java 1.5 project.
License: New BSD License
who	is working on this project?
Project Leader(s): Jeff Ichnowski @
Project Contributor(s): Jim Manico @
how	can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links: http://code.google.com/p/owasp-java-encoder/
Key Contacts
Contact Jeff Ichnowski @ to contribute to this project Contact Jeff Ichnowski @ to review or sponsor this project

current release

OWASP Java Encoder Project 1.1.1 - January 30, 2014 - (download)
Release description: Critical fix of bug described here https://code.google.com/p/owasp-java-encoder/issues/detail?id=4
Rating: Not Rated

last reviewed release

Not Yet Reviewed

other releases

checkout and run "mvn package" (using maven 2.0 or 3.0)

The general API pattern to utilize the Java Encoder Project is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target context and "untrustedData" in untrusted user input.

For example, to use in a JSP:

<input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />

<textarea name="text"><%= Encode.forHtmlContent(textValue) %>" />

Generally Encode.forHtml(...) is safe but slightly less efficient for the above two contexts (since it encodes more characters than necessary).

For JavaScript string data:

<button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">click me</button>

<script type="text/javascript"> var msg = "<%= Encode.forJavaScriptBlock(message) %>"; alert(msg); </script>

Again generally Encode.forJavaScript is safe for the above two context, but slightly less efficient since it encodes more characters.

Other contexts can be found in the org.owasp.Encode class methods, including CSS strings, CSS urls, XML contexts, URIs and URI components.

Retrieved from "https://wiki.owasp.org/index.php?title=Projects/OWASP_Java_Encoder_Project&oldid=127146"

Projects/OWASP Java Encoder Project

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools