I am willing to use "OWASP ESAPI for Java" to sanitize users' inputs when they submit forms in a Tomcat Webapp.

I used to use org.apache.commons.lang.StringEscapeUtils like this:

import org.apache.commons.lang.StringEscapeUtils;

// commons-lang 2.x escapeHtml replaces &, <, > and " with entities; it leaves the
// single quote untouched and only covers the HTML body (element text) context.
public static String myEscapeHtml(String s)
{
    String s_escapedString = null;
    s_escapedString = StringEscapeUtils.escapeHtml(s);
    return s_escapedString;
}

I don't know anymore if this is good enough to protect the webapp "reasonably"...

I would like to know what lines of code I should write to use the OWASP ESAPI to sanitize a Tomcat webapp's user inputs.

Can you give an example in which one or several ESAPI "filters" (escaping?, encoding? ...) would be applied to a string to sanitize it?

The backend RDBMS is PostgreSQL.

The Tomcat server can be running on either a Linux server or a Windows server.

Thank you and best regards.

Léa Massiot
  • 1,928
  • 6
  • 25
  • 43
  • My original title was "Howto sanitize inputs using Owasp Esapi for Java". I think it's worth precising what library and programming language I would like to use in the title of the thread. But maybe, according to your standards, the tags are enough to have the thread be properly referenced... I hope I'll get an answer :) – Léa Massiot Jun 22 '14 at 20:54
  • Are you interested in input encoding or output encoding? – avgvstvs Jun 25 '14 at 22:16
  • I'm not sure. I would say "output encoding" to avoid injections inside HTML code... – Léa Massiot Jun 28 '14 at 16:02

2 Answers

For input validation, you'll use org.owasp.esapi.reference.DefaultValidator.

If you want to define your own validation rules in validation.properties, the technique to do that is demonstrated in answers to this question.

For output escaping, that's actually quite a bit easier. Preferably when inserting data into an object that will be sent to the presentation layer, you'll want to use the String output = ESAPI.encoder().escapeForHTML(String s); methods.

The full list of methods is defined in org.owasp.esapi.Encoder.

avgvstvs
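An added example, not code from the question or from either answer, putting the two halves of this answer together for a Tomcat form that stores comments in PostgreSQL: validate on the way in, use a parameterised statement for the database, and encode per context on the way out. It assumes ESAPI.properties and validation.properties are on the classpath, that "SafeString" is the Validator.SafeString pattern shipped in the default ESAPI.properties, and that the table and column names are placeholders.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

// Added example (not from the question or answers). Assumes ESAPI.properties and
// validation.properties are on the classpath; "SafeString" refers to the
// Validator.SafeString regex in the default ESAPI.properties (assumption).
public class CommentHandler {

    // Input validation: an allow-list check that rejects what does not match,
    // rather than trying to "clean" it. ValidationException propagates so the
    // caller can show an error; IntrusionException (unchecked) signals abuse.
    public static String validateDisplayName(String raw) throws ValidationException {
        return ESAPI.validator().getValidInput(
                "displayName", raw, "SafeString", 64, false);
    }

    // Persistence: HTML encoding does nothing for SQL. A PreparedStatement keeps
    // the text as data, so store the raw value and encode only when rendering.
    // Table/column names are placeholders.
    public static void store(Connection conn, String name, String comment)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "INSERT INTO comments (author, body) VALUES (?, ?)")) {
            ps.setString(1, name);
            ps.setString(2, comment);
            ps.executeUpdate();
        }
    }

    // Output encoding: choose the encoder for the context the value lands in.
    // One encoder does not fit all three contexts used below.
    public static String render(String name, String comment) {
        return "<div class=\"comment\" title=\""
                + ESAPI.encoder().encodeForHTMLAttribute(name) + "\">"   // attribute value
                + "<b>" + ESAPI.encoder().encodeForHTML(name) + "</b>"    // element text
                + "<p>" + ESAPI.encoder().encodeForHTML(comment) + "</p>" // element text
                + "<script>var author = '"
                + ESAPI.encoder().encodeForJavaScript(name)               // JS string literal
                + "';</script></div>";
    }
}
```

In a JSP or servlet the call order is validateDisplayName on the request parameter, store with the connection from the Tomcat data source, and render when building the response.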

Source

This sanitizes the input from HTML, and ensures quotes are kept.

import java.util.List;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.HtmlSanitizer;
import org.owasp.html.HtmlStreamEventReceiver;

// myPolicyBuilder and myHtml were undefined in the snippet; here the policy allows only <br>
// (an assumption) and myHtml is a placeholder input. Text is appended as-is, so quotes are kept.
final StringBuilder sb = new StringBuilder();
HtmlPolicyBuilder myPolicyBuilder = new HtmlPolicyBuilder().allowElements("br");
HtmlSanitizer.Policy policy = myPolicyBuilder.build(new HtmlStreamEventReceiver() {
    public void openDocument() {}
    public void closeDocument() {}
    public void openTag(String elementName, List<String> attribs) {
        if ("br".equals(elementName)) { sb.append('\n'); }   // keep line breaks as newlines
    }
    public void closeTag(String elementName) {}
    public void text(String text) { sb.append(text); }       // collect the text content
});
String myHtml = "<p>She said &quot;hi&quot;<br>bye</p>";   // placeholder input
HtmlSanitizer.sanitize(myHtml, policy);
String plainText = sb.toString();                          // tag-free text with newlines
AzzamAziz