
How can I directly encode an object for HTML using ESAPI?

import org.owasp.esapi.ESAPI;

String a = "<t";
// encodeForHTML only accepts a single String
String encoded = ESAPI.encoder().encodeForHTML(a);

Instead of a String, I want to pass an object which contains String fields. How can I do that?

Harshana
  • What's your threat model? I see Spring boot, so what you're suggesting is that you cannot trust your application's startup or config files. – avgvstvs Aug 12 '16 at 02:17
  • @avgvstvs In order to prevent Cross-Site Scripting. Also this is for a REST API, request params, etc. – Harshana Aug 12 '16 at 04:54

1 Answer


You would have to write your own. Encoder.encodeForHTML(String s) will only take a String. ESAPI provides no other option to handle encoding for you.

You could use reflection to iterate over a class's String typed fields and encode them all. It sounds like you want to be able to generically just encode EVERYTHING without having to analyze what the application is doing with that data. That's risky for reasons I have previously outlined here.

You want to encode as late as possible, as close to the view as possible. It's the code in the view that determines the correct context for escaping.

avgvstvs
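One way to do the reflection walk the answer describes, as an added example that is neither the asker's nor ESAPI's own code: the HtmlFieldEncoder class, its encodeStringFields helper and the SearchRequest sample are hypothetical, and running it assumes the ESAPI jar and an ESAPI.properties file are on the classpath.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.function.UnaryOperator;
import org.owasp.esapi.ESAPI;

// Hypothetical helper: encodes every String field of an object in place.
public final class HtmlFieldEncoder {
    // Fixes the context to the HTML body, using ESAPI's default encoder.
    public static <T> T encodeForHtml(T obj) {
        return encodeStringFields(obj, s -> ESAPI.encoder().encodeForHTML(s));
    }

    // Walk obj's class hierarchy and replace each non-static, non-final String
    // field with encode.apply(value); fields of any other type are left alone.
    public static <T> T encodeStringFields(T obj, UnaryOperator<String> encode) {
        if (obj == null) {
            return null;
        }
        for (Class<?> c = obj.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                int mods = f.getModifiers();
                if (f.getType() != String.class || Modifier.isStatic(mods) || Modifier.isFinal(mods)) {
                    continue;
                }
                f.setAccessible(true);
                try {
                    String value = (String) f.get(obj);
                    if (value != null) {
                        f.set(obj, encode.apply(value));
                    }
                } catch (IllegalAccessException e) {
                    throw new IllegalStateException("cannot access field " + f.getName(), e);
                }
            }
        }
        return obj;
    }

    // Constructed sample request object, not taken from the question.
    static class SearchRequest {
        String query = "<script>alert(1)</script>";
        int page = 1;
    }

    public static void main(String[] args) {
        SearchRequest r = encodeForHtml(new SearchRequest());
        System.out.println(r.query);
    }
}
```

Because the helper fixes the context to the HTML body, a field that later lands in an attribute, a URL or a script block still needs the matching encodeForHTMLAttribute, encodeForURL or encodeForJavaScript call in the view, which is the answer's point about encoding as late as possible.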