Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Howto sanitize inputs

I am willing to use "OWASP ESAPI for Java" to sanitize users inputs when they submits forms in a Tomcat Webapp.

I used to use org.apache.commons.lang.StringEscapeUtils like this:

public static String myEscapeHtml(String s)
{
    String s_escapedString = null;       
    s_escapedString = StringEscapeUtils.escapeHtml(s);
    return s_escapedString;
}

I don't know anymore if this is good enough to protect the webapp "reasonably"...

I would like to know what lines of code I should write to use the OWASP ESAPI to sanitize a Tomcat webapp user inputs.

Can you give an example in which one or several ESAPI "filters" (escaping?, encoding? ...) would be applied to a string to sanitize it?

The backend RDBMS is PostgreSQL.

The Tomcat server can either be be running on a Linux server or on a Windows server.

Thank you and best regards.

like image 915
Léa Massiot Avatar asked Jun 22 '14 17:06

Léa Massiot


1 Answers

For input validation, you'll use org.owasp.esapi.reference.DefaultValidator.

If you want to define your own validation rules in validation.properties, the technique to do that is demonstrated in answers to this question.

For output escaping, that's actually quite easier. Preferably when inserting data into an object that will be sent to the presentation layer, you'll want to use String output = ESAPI.encoder().escapeForHTML(String s); methods.

The full list of methods is defined in org.owasp.esapi.Encoder.

like image 193
avgvstvs Avatar answered Sep 28 '22 08:09

avgvstvs