[WEB SECURITY] Implementation of Global Output Encoder with ESAPI

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Mon May 10 11:59:41 EDT 2010


I might be missing something, but from my point of view it is not
possible to do what you intend with a filter. This is because by the
time you hit the filter all the response HTML is already created, so
there is no way to isolate specific variables or pieces of content
(except by parsing the HTML, which will be even more work). Also, if you
encode all the HTML, then you will see the response HTML displayed in the
browser as text rather than interpreted as usual. So the only centralization
I can see you can do is to have a global function or a JSP tag to use
everywhere in your JSPs.

Maybe a massive replace of out.print and <%= can do the job, yet you
will have to validate that you don't break the application.
 
Regards,
Juan Carlos
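A JSP tag of the kind described above, as an added example that is not part of this thread (the EncodeTag class, its `value` and `context` attributes and the `enc` prefix are assumptions, not ESAPI's own tags or the poster's code): it encodes one value, once, for the single context the page author names, instead of chaining four encoders or re-encoding the whole response.

```java
import java.io.IOException;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.SimpleTagSupport;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

/**
 * Hypothetical tag: <enc:out value="${username}" context="js"/>
 * Encodes a single value for exactly one output context at the point
 * where it is written into the page. Chaining encoders (HTML, then
 * attribute, then JavaScript, then CSS) double-encodes the value, and
 * encoding the finished response in a filter encodes the markup itself.
 */
public class EncodeTag extends SimpleTagSupport {
    private String value;
    private String context = "html";   // default: text between HTML tags

    public void setValue(String value) { this.value = value; }
    public void setContext(String context) { this.context = context; }

    /** Selects the one ESAPI encoder that matches where the value lands. */
    static String encodeFor(Encoder enc, String context, String raw) {
        String v = raw == null ? "" : raw;
        String ctx = context == null ? "html" : context.toLowerCase();
        if (ctx.equals("html")) return enc.encodeForHTML(v);          // between tags
        if (ctx.equals("attr")) return enc.encodeForHTMLAttribute(v); // quoted attribute value
        if (ctx.equals("js"))   return enc.encodeForJavaScript(v);    // inside a JS string literal
        if (ctx.equals("css"))  return enc.encodeForCSS(v);           // inside a style property value
        // Fail closed: an unknown context is a page bug, not something to guess at.
        throw new IllegalArgumentException("unknown output context: " + context);
    }

    @Override
    public void doTag() throws JspException, IOException {
        getJspContext().getOut().write(encodeFor(ESAPI.encoder(), context, value));
    }
}

/* Matching TLD entry (assumed file WEB-INF/enc.tld):
 *   <tag><name>out</name><tag-class>EncodeTag</tag-class><body-content>empty</body-content>
 *     <attribute><name>value</name><required>true</required><rtexprvalue>true</rtexprvalue></attribute>
 *     <attribute><name>context</name><rtexprvalue>true</rtexprvalue></attribute></tag>
 *
 * The script-string case from the thread then becomes:
 *   document.getElementById("login").value =
 *       '<enc:out value="${requestScope.username}" context="js"/>';
 */
```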

________________________________

From: Kesavanarayanan, Ramesh [mailto:Ramesh.Kesavanarayanan at Pearson.com]
Sent: Friday, 07 May 2010 03:23 p.m.
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Implementation of Global Output Encoder with ESAPI
Importance: High



I have a question on the output encoding using the ESAPI.

In my application I tried to implement the ESAPI for the response output
encoding in a centralized manner so that I do not need to change every
JSP page in my application.

The following is the piece of code I have written using my
sessionFilter.

import java.io.CharArrayWriter;

public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws ServletException, IOException {

    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    HttpSession session = httpRequest.getSession();

    ServletResponse newResponse = null;
    if (request instanceof HttpServletRequest) {
        newResponse = new CharResponseWrapper((HttpServletResponse) response);
    }

    // The original response, not the wrapper, is passed down the chain,
    // so the wrapper never captures any output.
    chain.doFilter(request, response);

    String text = newResponse.toString();
    text = text.toUpperCase();

    // Four encoders applied in sequence to the whole response body.
    text = ESAPI.encoder().encodeForHTML(text);
    text = ESAPI.encoder().encodeForHTMLAttribute(text);
    text = ESAPI.encoder().encodeForJavaScript(text);
    text = ESAPI.encoder().encodeForCSS(text);

    CharArrayWriter caw = new CharArrayWriter();
    if (text != null) {
        try {
            caw.write(text);
            response.getWriter().write(caw.toString());
        } catch (java.lang.IllegalStateException ille) {
            // Exception swallowed: the writer was already committed.
        }
    }
}

In my JSP I have the code as follows

Not working

<script>
function setUserName(){
    document.getElementById("login").value = '<%= (String)request.getAttribute("username") %>';
}
</script>

Working

<%!
    String cleanXSS(String value) {
        value = ESAPI.encoder().encodeForHTML(value);
        value = ESAPI.encoder().encodeForHTMLAttribute(value);
        value = ESAPI.encoder().encodeForJavaScript(value);
        value = ESAPI.encoder().encodeForCSS(value);
        return value;
    }
%>

<script>
function setUserName(){
    document.getElementById("login").value = '<%= cleanXSS((String)request.getAttribute("username")) %>';
}
</script>

As you can see, I expect the response to be updated with the ESAPI
functions, but somewhere I lose the ESAPI. The idea for me is to
centralize the output encoding so that it saves me time and effort.

I would appreciate it if you have any pointers on the same.

Regards |  Ramesh Kesavanarayanan  |    319-354-9200 ext 215785 / 215972
(O) |  /  319-621-7641 (M)   | ramesh.kesavanarayanan at pearson.com
