Menu
I am using espaiESAPI to encode string value to resolve cross site scripting issue as shown below (code snippet).
String encodedString = ESAPI.encoder().encodeForHTML(value);
Exception Trace
org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception.
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:129)
at org.owasp.esapi.ESAPI.encoder(ESAPI.java:99)
<bold>Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/spi/LoggerFactory</bold>
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:190)
at org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:74)
at org.owasp.esapi.ESAPI.logFactory(ESAPI.java:137)
at org.owasp.esapi.ESAPI.getLogger(ESAPI.java:154)
at org.owasp.esapi.reference.DefaultEncoder.<init>(DefaultEncoder.java:75)
at org.owasp.esapi.reference.DefaultEncoder.getInstance(DefaultEncoder.java:59)
... 71 more
Caused by: java.lang.ClassNotFoundException: org.apache.log4j.spi.LoggerFactory
at weblogic.utils.classloaders.GenericClassLoader.findLocalClass(GenericClassLoader.java:297)
at weblogic.utils.classloaders.GenericClassLoader.findClass(GenericClassLoader.java:270)
at weblogic.utils.classloaders.ChangeAwareClassLoader.findClass(ChangeAwareClassLoader.java:64)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
Maven repository pom.xml
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>${org.owasp.esapi.version}</version>
<exclusions>
<exclusion>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
</exclusion>
<exclusion>
<groupId>xercesImpl</groupId>
<artifactId>xercesImpl</artifactId>
</exclusion>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
<exclusion>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
</exclusion>
<exclusion>
<groupId>commons-digester</groupId>
<artifactId>commons-digester</artifactId>
</exclusion>
<exclusion>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
</exclusion>
<exclusion>
<groupId>org.owasp.antisamy</groupId>
<artifactId>antisamy</artifactId>
</exclusion>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
</exclusions>
</dependency>
If I don't exclude log4j then it will throw dependency convergence error because log4j is declared in maven banned dependency as shown below
<executions>
<execution>
<id>enforce</id>
<configuration>
<rules>
<requireJavaVersion>
<version>${java.version}</version>
</requireJavaVersion>
<requireMavenVersion>
<version>3.0</version>
</requireMavenVersion>
<DependencyConvergence />
<bannedDependencies>
<excludes>
<!-- This should not exist as it will force SLF4J calls to be
delegated to log4j -->
<exclude>org.slf4j:slf4j-log4j12</exclude>
<!-- This should not exist as it will force SLF4J calls to be
delegated to jul -->
<exclude>org.slf4j:slf4j-jdk14</exclude>
<!-- Ensure only the slf4j binding for logback is on the classpath -->
<exclude>log4j:log4j</exclude>
<!-- As recommended from the slf4j guide, exclude commons-logging -->
<exclude>commons-logging:commons-logging</exclude>
</excludes>
</bannedDependencies>
</rules>
</configuration>
<goals>
<goal>enforce</goal>
</goals>
</execution>
</executions>
Help in this regard would be appreciated. Please let me know if you need any more details. Thanks in advance!
875
ESAPI for JavaScript: DEPRECATED - No longer supported; use at your own risk.
properties. Add the ESAPI Jar to the classpath: right-click the project, choose Properties, then under Categories choose Libraries. Installation Tips: If you use a shared Libraries Folder, simply copy the ESAPI jar into the directory specified by Libraries Folder.
The validation expressions contained in the ESAPI. properties file can be modified; this file is included when you install the Sites server. This file resides in the Sites WEB-INF/classes folder.
The Validator interface defines a set of methods for canonicalizing and validating untrusted input. Implementors should feel free to extend this interface to accommodate their own data formats. Rather than throw exceptions, this interface returns boolean results because not all validation problems are security issues.
I upgraded to the latest version 2.2.1.1 and I needed to add two additional properties (in addition to the one that @Carlo pointed out) in ESAPI.properties:
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Logger.UserInfo=false
Logger.ClientInfo=false
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
