I am willing to use "OWASP ESAPI for Java" to sanitize users inputs when they submits forms in a Tomcat Webapp.
I used to use org.apache.commons.lang.StringEscapeUtils
like this:
public static String myEscapeHtml(String s)
{
String s_escapedString = null;
s_escapedString = StringEscapeUtils.escapeHtml(s);
return s_escapedString;
}
I don't know anymore if this is good enough to protect the webapp "reasonably"...
I would like to know what lines of code I should write to use the OWASP ESAPI to sanitize a Tomcat webapp user inputs.
Can you give an example in which one or several ESAPI "filters" (escaping?, encoding? ...) would be applied to a string to sanitize it?
The backend RDBMS is PostgreSQL.
The Tomcat server can either be be running on a Linux server or on a Windows server.
Thank you and best regards.
For input validation, you'll use org.owasp.esapi.reference.DefaultValidator
.
If you want to define your own validation rules in validation.properties
, the technique to do that is demonstrated in answers to this question.
For output escaping, that's actually quite easier. Preferably when inserting data into an object that will be sent to the presentation layer, you'll want to use String output = ESAPI.encoder().escapeForHTML(String s);
methods.
The full list of methods is defined in org.owasp.esapi.Encoder
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With