With OWASP demoting Java ESAPI from a flagship project and all of the discussion and uncertainty revolving around the library, I'd like to see what alternatives are available. I currently utilize ESAPI for input validation, HTML/JS/etc encoding and CSRF. I've looked around and found libraries such as OVal, Vlad and others, but have not found an inclusive library that handles the previous 3 items all-inclusive. I'd also like it to be externally "configurable" for the rules as well if possible (as ESAPI is).
Do you have any recommendations to handle Java input/bean validation, HTML/JS encoding and CSRF token utilization? Either open source or commercial.
The Validator interface defines a set of methods for canonicalizing and validating untrusted input. Implementors should feel free to extend this interface to accommodate their own data formats. Rather than throw exceptions, this interface returns boolean results because not all validation problems are security issues.
properties. Add the ESAPI Jar to the classpath: right-click the project, choose Properties, then under Categories choose Libraries. Installation Tips: If you use a shared Libraries Folder, simply copy the ESAPI jar into the directory specified by Libraries Folder.
The validation expressions contained in the ESAPI.properties file can be modified; this file is included when you install the Sites server. It resides in the Sites WEB-INF/classes folder.
The Encoder performs two key functions, encoding and decoding. These functions rely on a set of codecs that can be found under the org.owasp.esapi package.
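As an added illustration (not code from the question, from ESAPI or from HDIV) of the three things the question asks for, the following class uses the ESAPI Validator and Encoder described above and plain JDK classes for the CSRF token. It assumes ESAPI 2.x on the classpath with an ESAPI.properties that defines the default "SafeString" and "Email" rules; where the token is stored (normally the HTTP session) is left to the web framework and is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import org.owasp.esapi.ESAPI;

/**
 * Added example: input validation, context-specific output encoding and a
 * CSRF token check, the three concerns listed in the question.
 * Assumes ESAPI 2.x with the default ESAPI.properties on the classpath.
 */
public final class EsapiUsageExample {

    private static final SecureRandom RNG = new SecureRandom();

    /** Validation returns a boolean, as the Validator contract describes, rather than throwing. */
    public static boolean isSafeUsername(String input) {
        // arguments: context label, input, rule name from ESAPI.properties, max length, allowNull
        return ESAPI.validator().isValidInput("username", input, "SafeString", 32, false);
    }

    public static boolean isEmail(String input) {
        return ESAPI.validator().isValidInput("email", input, "Email", 254, false);
    }

    /** Output encoding: choose the encoder for the context the value is written into. */
    public static String forHtmlBody(String value) {
        return ESAPI.encoder().encodeForHTML(value);
    }

    /** Same value placed inside a JavaScript string literal needs a different codec. */
    public static String forJsStringLiteral(String value) {
        return "'" + ESAPI.encoder().encodeForJavaScript(value) + "'";
    }

    /** CSRF token: 32 bytes from SecureRandom, URL-safe Base64, issued once per session. */
    public static String issueCsrfToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Constant-time comparison so the check does not leak how many leading bytes matched. */
    public static boolean csrfTokenMatches(String sessionToken, String submittedToken) {
        if (sessionToken == null || submittedToken == null) {
            return false;
        }
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not data from any real request.
        String hostile = "<script>alert(1)</script>";
        String benign = "alice01";

        System.out.println("hostile username valid? " + isSafeUsername(hostile));
        System.out.println("benign username valid?  " + isSafeUsername(benign));
        System.out.println("email valid?            " + isEmail("alice@example.org"));

        // Encode the hostile value for each output context it might land in.
        System.out.println("HTML body: " + forHtmlBody(hostile));
        System.out.println("JS literal: " + forJsStringLiteral(hostile));

        // Token issued at session start, then compared against the submitted form field.
        String sessionToken = issueCsrfToken();
        System.out.println("same token accepted:  " + csrfTokenMatches(sessionToken, sessionToken));
        System.out.println("other token rejected: " + csrfTokenMatches(sessionToken, issueCsrfToken()));
    }
}
```

The validation rules live in ESAPI.properties rather than in code, which is the external configurability the question asks about; the encoder is chosen per output context (HTML body versus JavaScript string), since one codec does not cover both.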
If you are using some of the following web frameworks, Spring MVC, Grails, Struts 1, Struts 2, JSF, take a look to HDIV
You can see the difference between HDIV and ESAPI features at: Difference between HDIV and ESAPI