XSS – Java Secure Coding

Using Security Encoding Library

  1. Download ESAPI.jar from the ESAPI Project page, and add it to library of the project.
  2. Import the package in jsp page: <%@ page language=”java” import=”org.owasp.esapi.*” %>
  3. Add code according to the different cases:

Case #1

HTML escape before inserting untrusted data into HTML element content.

String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
<div><%= safe %></div>

Case #2

Attribute escape before inserting untrusted data into HTML common attributes.

String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );
<div attr='<%= safe %>'></div>

Case #3

JavaScript escape before inserting untrusted data into JavaScript data values.

String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
<script>alert('<%= safe %>')</script>
<input type=’button’ onclick=”alert('<%= safe %>')”>

Case #4
URL escape before inserting untrusted data into HTML URL parameter values.

String safe = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) );
<a href='http://www.victim-site.com?test=<%= safe %>'>link</a >


1 reply
  1. Naresh
    Naresh says:

    I tried using ESAPI for Case#1.
    Am trying to use OWASP ESAPI library in my web app to escape request parameters in JSPs as below ESAPI.encoder().encodeForHTML(request.getParameter()).

    I have added esapi-2.1.0.jar under WEB-INF/lib but I get the below exception

    org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail. org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)

    But I couldnt find ESAPI.properties in the JAR file. Any idea where I can get this? Also where should I place this properties file? Please help.


Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *