Using Security Encoding Library
- Download ESAPI.jar from the ESAPI Project page and add it to the project's library path.
- Import the package in the JSP page: <%@ page language="java" import="org.owasp.esapi.*" %>
- Add code according to the context into which the untrusted data is inserted (the cases below):
Case #1
HTML escape before inserting untrusted data into HTML element content.
<%
String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
%>
<div><%= safe %></div>
Case #2
Attribute escape before inserting untrusted data into HTML common attributes.
<%
String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );
%>
<div attr='<%= safe %>'></div>
Case #3
JavaScript escape before inserting untrusted data into JavaScript data values.
<%
String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
%>
<script>alert('<%= safe %>')</script>
<input type='button' onclick="alert('<%= safe %>')">
Case #4
URL escape before inserting untrusted data into HTML URL parameter values.
<%
String safe = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) );
%>
<a href='http://www.victim-site.com?test=<%= safe %>'>link</a>
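As an added example (not code from this page or from the ESAPI project), the following Python models the allow-list rule behind the encoders used above (everything except alphanumerics is encoded, in a form specific to each context) and checks why Case #3 needs the JavaScript encoder even inside an event-handler attribute. The UNTRUSTED string is a constructed sample, and the encoders are simplified approximations, not ESAPI's exact output.

```python
import html
import re
import urllib.parse

# Constructed sample of untrusted input: a quote-breakout string with a tag.
UNTRUSTED = "';alert(document.cookie)//<b>"

_ALNUM = re.compile(r"[A-Za-z0-9]")


def encode_for_html(s: str) -> str:
    """Hex-entity encode every non-alphanumeric character. Safe for element
    content and quoted attributes (Cases #1 and #2); approximates ESAPI's
    encodeForHTML/encodeForHTMLAttribute, which also use some named entities."""
    return "".join(c if _ALNUM.match(c) else f"&#x{ord(c):x};" for c in s)


def encode_for_javascript(s: str) -> str:
    """Backslash-hex encode every non-alphanumeric character so the value can
    only ever be string data inside JavaScript (Case #3)."""
    return "".join(
        c if _ALNUM.match(c)
        else (f"\\x{ord(c):02X}" if ord(c) < 256 else f"\\u{ord(c):04X}")
        for c in s
    )


def encode_for_url(s: str) -> str:
    """Percent-encode every reserved character for a query-string value (Case #4)."""
    return urllib.parse.quote(s, safe="")


def js_string_breaks_out(encoded: str, in_event_attribute: bool) -> bool:
    """Model what the browser does before the JS engine sees the value: inside an
    onclick="..." attribute it first decodes HTML entities; inside a <script>
    block it does not. True means a quote or tag delimiter reaches the JS parser,
    i.e. the value is no longer confined to the string literal."""
    seen_by_js = html.unescape(encoded) if in_event_attribute else encoded
    return any(ch in seen_by_js for ch in "'\"<>")
```

The last check shows the contextual point of the page: HTML-entity encoding alone is undone by attribute decoding in an onclick handler, whereas the JavaScript encoder's \xHH output contains nothing the attribute parser rewrites.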
References
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/es…
http://code.google.com/p/owasp-esapi-java/downloads/list