[WEB SECURITY] Implementation of Global Output Encoder with ESAPI

Kesavanarayanan, Ramesh Ramesh.Kesavanarayanan at Pearson.com
Fri May 7 16:22:32 EDT 2010


I have a question on the output encoding using the ESAPI.

In my application I tried to implement the ESAPI for the response output
encoding in a centralized manner so that I do not need to change every
JSP page in my application.

The following is the piece of code I have written using my sessionFilter:

    import java.io.CharArrayWriter;
    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import org.owasp.esapi.ESAPI;

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        HttpSession session = httpRequest.getSession();
        ServletResponse newResponse = null;
        if (request instanceof HttpServletRequest) {
            // wrap the response so its output can be read back after the chain runs
            newResponse = new CharResponseWrapper((HttpServletResponse) response);
        }
        // the original response object, not newResponse, is what goes down the chain
        chain.doFilter(request, response);

        String text = newResponse.toString();
        text = text.toUpperCase();
        // the captured text is passed through all four ESAPI encoders in sequence
        text = ESAPI.encoder().encodeForHTML(text);
        text = ESAPI.encoder().encodeForHTMLAttribute(text);
        text = ESAPI.encoder().encodeForJavaScript(text);
        text = ESAPI.encoder().encodeForCSS(text);
        CharArrayWriter caw = new CharArrayWriter();

        if (text != null) {
            try {
                caw.write(text);
                response.getWriter().write(caw.toString());
            } catch (java.lang.IllegalStateException ille) {
                // thrown if getOutputStream() was already used on this response; ignored
            }
        }
    }

In my JSP I have the code as follows.

Not working:

    <script>
    function setUserName(){
        document.getElementById("login").value = '<%= (String) request.getAttribute("username") %>';
    }
    </script>

Working:

    <%!
        String cleanXSS(String value) {
            value = ESAPI.encoder().encodeForHTML(value);
            value = ESAPI.encoder().encodeForHTMLAttribute(value);
            value = ESAPI.encoder().encodeForJavaScript(value);
            value = ESAPI.encoder().encodeForCSS(value);
            return value;
        }
    %>

    <script>
    function setUserName(){
        document.getElementById("login").value = '<%= cleanXSS((String) request.getAttribute("username")) %>';
    }
    </script>

As you can see, I expect the response to be updated with the ESAPI
functions, but somewhere I lose the ESAPI. The idea for me is to
centralize the output encoding so that it saves me time and effort.

I would appreciate any pointers on this.

Regards |  Ramesh Kesavanarayanan  |    319-354-9200 ext 215785 / 215972
(O) |  /  319-621-7641 (M)   | ramesh.kesavanarayanan at pearson.com
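As an added example (not the poster's code), this is a capturing wrapper and filter written the way the posted code appears to intend, with the wrapper itself handed to chain.doFilter(); the class and filter names are mine, and it assumes the JSP writes through getWriter(). Once capture works, it also shows why a whole-response encoder still cannot replace the per-value encoding in the "Working" JSP: the filter only sees markup and data already mixed together.

```java
import java.io.CharArrayWriter;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.owasp.esapi.ESAPI;

// Hypothetical wrapper: buffers everything the JSP writes through getWriter()
// instead of sending it to the client, so the filter can read the finished page.
class CharResponseWrapper extends HttpServletResponseWrapper {
    private final CharArrayWriter buffer = new CharArrayWriter();
    private final PrintWriter writer = new PrintWriter(buffer);

    CharResponseWrapper(HttpServletResponse response) { super(response); }

    @Override public PrintWriter getWriter() { return writer; }

    @Override public String toString() { writer.flush(); return buffer.toString(); }
}

public class OutputEncodingFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (!(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        // The wrapper must be what goes down the chain. If the original response is
        // passed instead, the JSP writes straight to the client and the wrapper stays empty.
        CharResponseWrapper wrapper = new CharResponseWrapper((HttpServletResponse) response);
        chain.doFilter(request, wrapper);
        String page = wrapper.toString();

        // With capture working, the real limitation shows: the buffer holds the page's own
        // markup and the untrusted values already mixed together, and encodeForHTML() cannot
        // tell them apart. "<script>" becomes "&lt;script&gt;" exactly as an injected
        // "<script>" would, so the browser renders the whole page source as text. The
        // encoding context (HTML body, attribute, JavaScript string) is only known at the
        // point in the JSP where each value is inserted, which is why the per-value
        // cleanXSS() call works and a whole-response encoder does not.
        String encoded = ESAPI.encoder().encodeForHTML(page);
        response.getWriter().write(encoded);
    }
}
```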
