Java Examples for org.owasp.esapi.ESAPI
The following Java examples show how org.owasp.esapi.ESAPI is used in practice. The source code samples are taken from different open source projects.
Example 1
| Project: find-sec-bugs-master File: XssServlet3.java |
/**
 * Writes {@code input1} to the response several times, each through a different
 * encoding (or non-encoding) path. Not every path is safe: two of them write the
 * caller-supplied value unencoded.
 *
 * NOTE(review): this looks like a static-analysis test fixture that deliberately lines up
 * several XSS sinks next to each other — confirm before treating the unsafe lines as bugs.
 * {@code SAFE_VALUE}, {@code myEncode} and {@code myDecode} are defined elsewhere in the
 * class and are not visible here.
 *
 * @param pw     writer for the HTTP response body
 * @param input1 untrusted, caller-supplied value
 */
public void writeWithEncoders(PrintWriter pw, String input1) {
    // Raw, unencoded write of untrusted input: an XSS sink.
    pw.write(input1);
    String encoded = ESAPI.encoder().encodeForHTML(input1);
    // HTML-encoded, then lower-cased; lower-casing cannot reintroduce markup characters.
    pw.write(encoded.toLowerCase() + SAFE_VALUE);
    // HTML-escaped by a second library (commons-lang StringEscapeUtils).
    pw.write(StringEscapeUtils.escapeHtml(input1));
    // decodeForHTML undoes the encoding done above, so this writes the original input: a sink.
    pw.write(ESAPI.encoder().decodeForHTML(encoded) + SAFE_VALUE);
    // Custom helpers whose behaviour is not visible here — presumably a home-grown
    // encoder/decoder pair; verify what they actually do.
    pw.write(myEncode(input1));
    pw.write(myDecode(encoded));
    // Denylist: deletes only these five characters rather than encoding for the output
    // context, so it protects only where these characters are the whole story.
    pw.write(input1.replaceAll("[\"'<>&]", ""));
}Example 2
| Project: railo-master File: ESAPIEncode.java |
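/**
 * Encodes {@code item} for the output context selected by {@code encFor} using the
 * ESAPI encoder. The input is passed to ESAPI as-is (no canonicalization).
 *
 * While ESAPI runs, {@code System.out} is redirected to a null stream and restored in
 * {@code finally} — presumably to suppress console output from ESAPI. The redirection is
 * process-global, so anything another thread prints to {@code System.out} during the
 * call is discarded as well.
 *
 * @param item   the value to encode
 * @param encFor one of the {@code ENC_*} target-context constants
 * @return the encoded value
 * @throws PageException if ESAPI reports an {@link EncodingException}, or (as an
 *                       {@link ApplicationException}) if {@code encFor} is not a known constant
 */
public static String encode(String item, short encFor) throws PageException {
    PrintStream originalOut = System.out;
    try {
        System.setOut(new PrintStream(DevNullOutputStream.DEV_NULL_OUTPUT_STREAM));
        Encoder encoder = ESAPI.encoder();
        switch (encFor) {
            case ENC_CSS:
                return encoder.encodeForCSS(item);
            case ENC_DN:
                return encoder.encodeForDN(item);
            case ENC_HTML:
                return encoder.encodeForHTML(item);
            case ENC_HTML_ATTR:
                return encoder.encodeForHTMLAttribute(item);
            case ENC_JAVA_SCRIPT:
                return encoder.encodeForJavaScript(item);
            case ENC_LDAP:
                return encoder.encodeForLDAP(item);
            case ENC_URL:
                return encoder.encodeForURL(item);
            case ENC_VB_SCRIPT:
                return encoder.encodeForVBScript(item);
            case ENC_XML:
                return encoder.encodeForXML(item);
            case ENC_XML_ATTR:
                return encoder.encodeForXMLAttribute(item);
            case ENC_XPATH:
                return encoder.encodeForXPath(item);
            default:
                // Unknown context: fail rather than hand back the input unencoded.
                throw new ApplicationException("invalid target encoding definition");
        }
    } catch (EncodingException ee) {
        throw Caster.toPageException(ee);
    } finally {
        // Always restore stdout, even when ESAPI throws.
        System.setOut(originalOut);
    }
}Example 3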
| Project: chukwa-master File: XssFilter.java |
/**
 * Removes HTML (and therefore script) content from {@code value}.
 *
 * Steps: ESAPI canonicalization, so encoded forms of markup are decoded before the
 * text is inspected; removal of NUL characters; then jsoup with an empty whitelist,
 * which strips every tag and keeps only text.
 *
 * NOTE(review): {@code canonicalize(String)} with default ESAPI settings can throw
 * {@code IntrusionException} on multiply- or mixed-encoded input — confirm callers cope.
 *
 * @param value input to clean; may be {@code null}
 * @return the cleaned text, or {@code null} if {@code value} was {@code null}
 */
public String filter(String value) {
    if (value == null) {
        return null;
    }
    String canonical = ESAPI.encoder().canonicalize(value);
    String withoutNul = canonical.replaceAll("\0", "");
    return Jsoup.clean(withoutNul, Whitelist.none());
}Example 4
| Project: Java-Web-Security-master File: XPathEscapingServlet.java |
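/**
 * Looks up the order limit of the customer identified by the submitted name and password.
 *
 * Both parameters are escaped for XPath with ESAPI before being spliced into the
 * expression. The raw and escaped password used to be written to the log at INFO; a
 * password is a secret, so it is no longer logged in either form.
 *
 * NOTE(review): concatenating even escaped values into the expression is only as safe as
 * the escaper; binding them through a {@code javax.xml.xpath.XPathVariableResolver} would
 * keep user input out of the expression text entirely — worth a follow-up.
 * NOTE(review): {@code getParameter} returns {@code null} for a missing parameter; how
 * {@code encodeForXPath} and the evaluation treat {@code null} is not visible here.
 *
 * @param request  incoming request carrying the {@code name} and {@code password} parameters
 * @param response response that {@code printOrderLimit} writes to
 * @throws ServletException if request processing fails (servlet contract)
 */
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
    String name = request.getParameter("name");
    String password = request.getParameter("password");
    // Log only the non-secret parameter.
    LOGGER.info("Received {} as parameter", name);
    String safeName = ESAPI.encoder().encodeForXPath(name);
    String safePassword = ESAPI.encoder().encodeForXPath(password);
    LOGGER.info("Using safe name {}", safeName);
    String xpathExpression = "/customers/customer[name='" + safeName
            + "' and @password='" + safePassword + "']/orderLimit";
    printOrderLimit(xpathExpression, name, response);
}Example 5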
| Project: Lucee-master File: ESAPIEncode.java |
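/**
 * Encodes {@code item} for the output context selected by {@code encFor} using the
 * ESAPI encoder, optionally canonicalizing it first.
 *
 * While ESAPI runs, {@code System.out} is redirected to a null stream and restored in
 * {@code finally} — presumably to suppress console output from ESAPI. The redirection is
 * process-global, so anything another thread prints to {@code System.out} during the
 * call is discarded as well.
 *
 * @param item         the value to encode; empty values (per {@code StringUtil.isEmpty})
 *                     are returned unchanged
 * @param encFor       one of the {@code ENC_*} target-context constants
 * @param canonicalize if {@code true}, run ESAPI {@code canonicalize(item, false)} first;
 *                     the {@code false} argument selects ESAPI's non-strict mode, so
 *                     multiply-encoded input is decoded rather than rejected
 * @return the encoded value
 * @throws PageException if ESAPI reports an {@link EncodingException}, or (as an
 *                       {@link ApplicationException}) if {@code encFor} is not a known constant
 */
public static String encode(String item, short encFor, boolean canonicalize) throws PageException {
    if (StringUtil.isEmpty(item)) {
        return item;
    }
    PrintStream originalOut = System.out;
    try {
        System.setOut(new PrintStream(DevNullOutputStream.DEV_NULL_OUTPUT_STREAM));
        Encoder encoder = ESAPI.encoder();
        if (canonicalize) {
            item = encoder.canonicalize(item, false);
        }
        switch (encFor) {
            case ENC_CSS:
                return encoder.encodeForCSS(item);
            case ENC_DN:
                return encoder.encodeForDN(item);
            case ENC_HTML:
                return encoder.encodeForHTML(item);
            case ENC_HTML_ATTR:
                return encoder.encodeForHTMLAttribute(item);
            case ENC_JAVA_SCRIPT:
                return encoder.encodeForJavaScript(item);
            case ENC_LDAP:
                return encoder.encodeForLDAP(item);
            case ENC_URL:
                return encoder.encodeForURL(item);
            case ENC_VB_SCRIPT:
                return encoder.encodeForVBScript(item);
            case ENC_XML:
                return encoder.encodeForXML(item);
            case ENC_XML_ATTR:
                return encoder.encodeForXMLAttribute(item);
            case ENC_XPATH:
                return encoder.encodeForXPath(item);
            default:
                // Unknown context: fail rather than hand back the input unencoded.
                throw new ApplicationException("invalid target encoding definition");
        }
    } catch (EncodingException ee) {
        throw Caster.toPageException(ee);
    } finally {
        // Always restore stdout, even when ESAPI throws.
        System.setOut(originalOut);
    }
}Example 6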
| Project: simba-os-master File: DTOValidator.java |
/**
 * Reads the {@code String} property {@code get<methodName>()} of {@code dto} by
 * reflection, HTML-encodes it with ESAPI and writes it back through
 * {@code set<methodName>(String)}. Null and blank values are left untouched.
 *
 * NOTE(review): this stores the HTML-encoded form back into the DTO, so any consumer
 * that uses the value outside an HTML context, or encodes again on output, will see
 * entity text — confirm that is intended.
 *
 * @param dto        the DTO whose property is encoded in place
 * @param methodName property name as it appears after {@code get}/{@code set}
 * @throws IllegalArgumentException if the accessor pair cannot be found or invoked;
 *                                  the reflective failure is attached as the cause
 */
private static void encodeFieldForHTML(AbstractIdentifiableDTO dto, String methodName) {
    try {
        String raw = (String) dto.getClass().getMethod("get" + methodName).invoke(dto);
        if (raw == null || StringUtils.isBlank(raw)) {
            return;
        }
        String encoded = ESAPI.encoder().encodeForHTML(raw);
        dto.getClass().getMethod("set" + methodName, String.class).invoke(dto, encoded);
    } catch (Exception e) {
        throw new IllegalArgumentException(
                "Unable to access get/set " + methodName + " on " + dto.getClass().getName(), e);
    }
}Example 7
| Project: sling-master File: XSSAPIImpl.java |
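/**
 * Validates {@code source} as a long in the range ±9000000000000000000 using ESAPI's
 * {@code LongValidationRule}. Returns {@code defaultValue} when the source is
 * {@code null} or empty, or when validation fails for any reason.
 *
 * @param source       text to validate; may be {@code null}
 * @param defaultValue value returned when {@code source} is absent or invalid
 * @return the validated number, or {@code defaultValue}
 * @see org.apache.sling.xss.XSSAPI#getValidLong(String, long)
 */
@Override
public Long getValidLong(String source, long defaultValue) {
    if (source != null && source.length() > 0) {
        try {
            LongValidationRule rule = new LongValidationRule("number", ESAPI.encoder(),
                    -9000000000000000000L, 9000000000000000000L);
            rule.setAllowNull(false);
            return rule.getValid("XSS", source);
        } catch (Exception ignored) {
            // Deliberate best-effort: the caller asked for a fallback value, not an error,
            // so any validation failure (or anything else ESAPI raises) yields the default.
        }
    }
    // fall through to default if empty, null, or validation failure
    return defaultValue;
}Example 8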
| Project: webpasswordsafe-master File: EsapiEncryptor.java |
/**
 * Decrypts a Base64-encoded, portably serialized ESAPI {@code CipherText}.
 *
 * @param cryptedText Base64 text produced by the matching encrypt operation
 * @return the clear text, or {@code null} if deserialization or decryption failed; the
 *         failure is logged, so callers cannot distinguish it from a null result
 * @see net.webpasswordsafe.server.plugin.encryption.Encryptor#decrypt(java.lang.String)
 */
@Override
public String decrypt(String cryptedText) {
    try {
        byte[] serialized = Base64.decode(cryptedText);
        CipherText cipherText = CipherText.fromPortableSerializedBytes(serialized);
        return ESAPI.encryptor().decrypt(cipherText).toString();
    } catch (EncryptionException e) {
        LOG.error("EsapiEncryptor.decrypt: " + e.getMessage(), e);
        return null;
    }
}Example 9
| Project: ApacheChemistryInAction-master File: HTMLHelper.java |
/**
 * Renders a value for inclusion in an HTML page.
 * <ul>
 *   <li>{@code null}: empty string</li>
 *   <li>{@link Calendar}: a relative phrase when the time is less than ten minutes in the
 *       past, otherwise {@code dd/MM/yyyy HH:mm:ss Z} in the JVM default time zone</li>
 *   <li>{@link Number}: default-locale number format</li>
 *   <li>anything else: {@code toString()} HTML-encoded with ESAPI</li>
 * </ul>
 * Date and number output bypasses the encoder: it is produced by the formatters, not
 * taken from the value's own text.
 * NOTE(review): {@code SimpleDateFormat} is created per call, so its thread-safety
 * problem does not arise here; {@code java.time} would be the modern replacement.
 *
 * @param value the object to render; may be {@code null}
 * @return HTML-safe text for the value
 */
public static String format(Object value) {
    if (value == null) {
        return "";
    }
    if (value instanceof Number) {
        return NumberFormat.getInstance().format(value);
    }
    if (!(value instanceof Calendar)) {
        return ESAPI.encoder().encodeForHTML(value.toString());
    }
    Date when = ((Calendar) value).getTime();
    long ageMillis = System.currentTimeMillis() - when.getTime();
    long minuteMillis = 60 * 1000;
    // Only past times within ten minutes get a relative phrase; future times fall through.
    if (ageMillis >= 0 && ageMillis < 10 * minuteMillis) {
        if (ageMillis < minuteMillis) {
            return "just now";
        }
        if (ageMillis < 2 * minuteMillis) {
            return "a minute ago";
        }
        return (ageMillis / minuteMillis) + " minutes ago";
    }
    return new SimpleDateFormat("dd/MM/yyyy HH:mm:ss Z").format(when);
}Example 10
| Project: appverse-web-master File: SecurityHelper.java |
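/**
 * Returns the anti-CSRF token bound to the caller's existing session, creating and
 * storing one under {@code XSRF_TOKEN_NAME} on first use.
 *
 * The token is {@code System.currentTimeMillis() + ESAPI.randomizer().getRandomLong()}
 * plus a position-weighted sum of the session-id characters, rendered in decimal. Its
 * unpredictability comes from the ESAPI random long; the other terms only mix in session
 * context, and the long arithmetic is allowed to wrap.
 *
 * Previously a request without a session produced a {@code NullPointerException} on the
 * attribute lookup; it now fails with an explicit message.
 *
 * @param request the current request; must already carry a session
 * @return the session's XSRF token
 * @throws IllegalStateException if the request has no session ({@code getSession(false)}
 *                               never creates one)
 * @throws IOException not thrown by this implementation; kept for interface compatibility
 */
public static String createXSRFToken(final HttpServletRequest request) throws IOException {
    // getSession(false): never create a session just to hand out a token.
    HttpSession session = request.getSession(false);
    if (session == null) {
        throw new IllegalStateException("no existing HTTP session; cannot create an XSRF token");
    }
    String token = (String) session.getAttribute(XSRF_TOKEN_NAME);
    if (token == null) {
        long value = System.currentTimeMillis() + ESAPI.randomizer().getRandomLong();
        char[] idChars = session.getId().toCharArray();
        for (int i = 0; i < idChars.length; i++) {
            value += idChars[i] * (i + 1);
        }
        token = Long.toString(value);
        session.setAttribute(XSRF_TOKEN_NAME, token);
    }
    return token;
}Example 11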
| Project: coprhd-controller-master File: SecurityUtils.java |
/**
 * Removes any potential XSS threats from the value.
 * Depends on the OWASP ESAPI (owasp.org) and jsoup libraries (jsoup.org).
 *
 * ESAPI canonicalization runs first with both the multiple-encoding and mixed-encoding
 * restrictions disabled (it decodes rather than rejects), NUL characters are removed,
 * then jsoup with {@code Whitelist.none()} strips every tag, {@code <script>} included.
 * Pretty-printing is switched off so jsoup does not reflow whitespace in the text.
 *
 * @param value data to be cleaned; may be {@code null}
 * @return cleaned data, or {@code null} if {@code value} was {@code null}
 */
public static String stripXSS(String value) {
    if (value == null) {
        return null;
    }
    String canonical = ESAPI.encoder().canonicalize(value, false, false);
    String withoutNul = canonical.replaceAll("\0", "");
    Document.OutputSettings rawText = new Document.OutputSettings().prettyPrint(false);
    return Jsoup.clean(withoutNul, "", Whitelist.none(), rawText);
}Example 12
| Project: SecurityShepherd-master File: Getter.java |
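/**
 * Returns HTML menu for challenges. Challenges are only referenced by their id;
 * the user will have to go through another servlet to get the module's view address.
 *
 * Data comes from the {@code moduleAllInfo} stored procedure, called with bound
 * parameters. Every value that reaches the markup goes through the ESAPI encoder for
 * its context (element text or attribute value). The statement and result set are
 * closed by try-with-resources and the connection in {@code finally}, so a failure
 * part-way through no longer leaks them; as before, the partial menu built so far is
 * returned in that case and the error is logged.
 *
 * @param ApplicationRoot the current running context of the application
 * @param userId          user whose completion status is reported
 * @param lang            locale for the translated category and level names
 * @return HTML menu for challenges, or a single "No challenges found" item
 */
public static String getChallenges(String ApplicationRoot, String userId, Locale lang) {
    log.debug("*** Getter.getChallenges ***");
    StringBuilder output = new StringBuilder();
    // Translated level names
    ResourceBundle bundle = ResourceBundle.getBundle("i18n.moduleGenerics.moduleNames", lang);
    // Encoder to prevent XSS
    Encoder encoder = ESAPI.encoder();
    Connection conn = Database.getCoreConnection(ApplicationRoot);
    try (CallableStatement callstmt = conn.prepareCall("call moduleAllInfo(?, ?)")) {
        callstmt.setString(1, "challenge");
        callstmt.setString(2, userId);
        log.debug("Gathering moduleAllInfo ResultSet");
        try (ResultSet challenges = callstmt.executeQuery()) {
            log.debug("Opening Result Set from moduleAllInfo");
            String challengeCategory = "";
            // The first row opens the outer list; every later category change must first
            // close the previous category's list.
            int rowNumber = 0;
            while (challenges.next()) {
                if (!challengeCategory.equalsIgnoreCase(challenges.getString(2))) {
                    challengeCategory = challenges.getString(2);
                    String categoryName =
                            encoder.encodeForHTML(bundle.getString("category." + challengeCategory));
                    if (rowNumber > 0) {
                        output.append("</ul></li><li><a href='javascript:;' class='challengeHeader' >")
                              .append(categoryName)
                              .append("</a><ul class='challengeList' style='display: none;'>");
                    } else {
                        output.append("<li><a href='javascript:;' class='challengeHeader'>")
                              .append(categoryName)
                              .append("</a><ul class='challengeList' style='display: none;'>");
                    }
                }
                output.append("<li>");
                // A non-null column 4 is the completed marker.
                if (challenges.getString(4) != null) {
                    output.append("<img src='css/images/completed.png'/>");
                } else {
                    output.append("<img src='css/images/uncompleted.png'/>");
                }
                output.append("<a class='lesson' id='")
                      .append(encoder.encodeForHTMLAttribute(challenges.getString(3)))
                      .append("' href='javascript:;'>")
                      .append(encoder.encodeForHTML(bundle.getString(challenges.getString(1))))
                      .append("</a>");
                output.append("</li>");
                rowNumber++;
            }
        }
        if (output.length() == 0) {
            output.append("<li><a href='javascript:;'>No challenges found</a></li>");
        } else {
            log.debug("Appending End tags");
            output.append("</ul></li>");
        }
    } catch (Exception e) {
        log.error("Challenge Retrieval: " + e.toString());
    } finally {
        Database.closeConnection(conn);
    }
    log.debug("*** END getChallenges() ***");
    return output.toString();
}Example 13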
| Project: XssSanitizer-master File: XssSanitizerUtil.java |
/**
 * Strips known script-injection patterns out of {@code value}.
 *
 * The value is first canonicalized with ESAPI so encoded variants of a pattern are
 * recognised, NUL characters are removed, and each pattern in
 * {@code XSS_INPUT_PATTERNS} (defined elsewhere in the class) is deleted from the text.
 * NOTE(review): this is a denylist — input that matches none of the patterns passes
 * through unchanged, so output encoding is still required wherever the value is rendered.
 * Any exception is caught, reported on stdout together with the value as processed so
 * far, and that value is returned.
 *
 * @param value the text to sanitize; may be {@code null}
 * @return the sanitized text, or {@code null} if {@code value} was {@code null}
 */
public static String stripXSS(String value) {
    if (value == null) {
        return null;
    }
    try {
        value = ESAPI.encoder().canonicalize(value);
        value = value.replaceAll("\0", "");
        for (Pattern pattern : XSS_INPUT_PATTERNS) {
            value = pattern.matcher(value).replaceAll("");
        }
    } catch (Exception ex) {
        System.out.println("Could not strip XSS from value = " + value + " | ex = " + ex.getMessage());
    }
    return value;
}Example 14
| Project: threadfixRack-master File: ApplicationServiceImpl.java |
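/**
 * Populates the encrypted password and user name of {@code application} from their
 * plaintext counterparts using the ESAPI encryptor.
 *
 * The original guard tested {@code getPassword() != null} twice; the second test was
 * evidently meant for {@code getUserName()} and is corrected here, so a {@code null}
 * user name is no longer handed to the encryptor.
 *
 * @param application the application to update in place; may be {@code null}
 * @return the same {@code application} instance, unchanged if it is {@code null}, if
 *         either credential is {@code null}, or if encryption failed (failures are
 *         logged at WARN, not thrown)
 */
public Application encryptCredentials(Application application) {
    try {
        if (application != null
                && application.getPassword() != null
                && application.getUserName() != null) {
            application.setEncryptedPassword(ESAPI.encryptor().encrypt(application.getPassword()));
            application.setEncryptedUserName(ESAPI.encryptor().encrypt(application.getUserName()));
        }
    } catch (EncryptionException e) {
        log.warn("Encountered an ESAPI encryption exception. Check your ESAPI configuration.", e);
    }
    return application;
}Example 15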
| Project: easyrec-code-master File: ProfileRenderer.java |
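/**
 * Appends HTML for {@code nodeList} to {@code profileHTML}, recursing into child nodes so
 * the whole tree is rendered as nested definition lists.
 *
 * Element names and text values are HTML-encoded with ESAPI before being written. An
 * element with no child nodes used to cause a {@code NullPointerException} on
 * {@code getFirstChild()}; it now renders an empty {@code <dd>}.
 *
 * @param nodeList    the nodes to convert; {@code null} produces an error paragraph
 * @param profileHTML the builder the HTML is written to
 */
private void convertNodeListToHTML(NodeList nodeList, StringBuilder profileHTML) {
    if (nodeList == null) {
        profileHTML.append("<p>could not parse the XML profile of this item. </p>");
        return;
    }
    // countElements() is defined elsewhere in this class; nothing to render when it is 0.
    if (countElements(nodeList) == 0) {
        return;
    }
    profileHTML.append("<dl>");
    for (int i = 0; i < nodeList.getLength(); i++) {
        Node item = nodeList.item(i);
        if (item.getNodeType() != Node.ELEMENT_NODE) {
            continue;
        }
        profileHTML.append("<dt class=\"profileView\">")
                   .append(ESAPI.encoder().encodeForHTML(item.getNodeName()))
                   .append(":</dt>");
        profileHTML.append("<dd class=\"profileView\">");
        convertNodeListToHTML(item.getChildNodes(), profileHTML);
        Node firstChild = item.getFirstChild();
        // Childless elements have no text to show; getNodeValue() itself may also be null.
        if (firstChild != null) {
            String textNodeValue = ESAPI.encoder().encodeForHTML(firstChild.getNodeValue());
            if (textNodeValue != null) {
                profileHTML.append(textNodeValue);
            }
        }
        profileHTML.append("</dd>");
    }
    profileHTML.append("</dl>");
}Example 16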
| Project: OpenClinica-master File: StudySubjectDAO.java |
/**
 * Finds a study subject in {@code studyId} that carries the same label as {@code label}
 * but a different id than {@code studySubjectId}, using the digester's
 * {@code findAnotherBySameLabel} query.
 *
 * The label is HTML-encoded before it is placed in the parameter map, so the comparison
 * is against the encoded form. NOTE(review): that only matches if labels are persisted
 * HTML-encoded — confirm against the insert path. The parameters are keyed by position
 * (1 = label, 2 = study id, 3 = subject id) and presumably bound by {@code select()};
 * the SQL text itself comes from the digester, not from this input.
 *
 * @param label          subject label to look for
 * @param studyId        study to search in
 * @param studySubjectId subject to exclude from the match
 * @return the matching subject, or an empty {@link StudySubjectBean} if there is none
 */
public EntityBean findAnotherBySameLabel(String label, int studyId, int studySubjectId) {
    StudySubjectBean result = new StudySubjectBean();
    this.setTypesExpected();
    HashMap variables = new HashMap();
    variables.put(Integer.valueOf(1), ESAPI.encoder().encodeForHTML(label));
    variables.put(Integer.valueOf(2), Integer.valueOf(studyId));
    variables.put(Integer.valueOf(3), Integer.valueOf(studySubjectId));
    ArrayList rows = this.select(digester.getQuery("findAnotherBySameLabel"), variables);
    if (!rows.isEmpty()) {
        result = (StudySubjectBean) this.getEntityFromHashMap((HashMap) rows.get(0));
    }
    return result;
}Example 17
| Project: JavaSecurity-master File: EscapedQuery.java |
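/**
 * Returns the customers whose name equals {@code name}, ordered by id.
 *
 * The value is passed as a JDBC bind parameter instead of being escaped with
 * {@code ESAPI.encoder().encodeForSQL(new OracleCodec(), name)} and spliced into the
 * statement text: a placeholder keeps the untrusted value out of the SQL entirely,
 * whereas escaping is only as complete as the codec's model of the database's quoting
 * rules. Results for ordinary names are unchanged.
 * NOTE(review): assumes {@code jdbcTemplate} is a Spring {@code JdbcTemplate}, whose
 * {@code queryForList(String, Object...)} overload binds the arguments — confirm.
 *
 * @param name customer name to match exactly (untrusted input)
 * @return the mapped customers, possibly empty
 */
public List<Customer> query(String name) {
    String sql = "SELECT * FROM customer WHERE name = ? ORDER BY id";
    List<Map<String, Object>> rows = jdbcTemplate.queryForList(sql, name);
    return CustomerRowMapper.mapRows(rows);
}Example 18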
| Project: patientview-master File: XssUtils.java |
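/**
 * HTML-encodes {@code strSrc} with ESAPI, then replaces each token in {@code strReplace}
 * with a {@code <br/>} line break.
 *
 * The tokens are substituted after encoding, so they must be trusted constants chosen by
 * the caller — a token that could originate from the input would re-open the encoded
 * string to markup. NOTE(review): a token made of characters ESAPI encodes cannot match
 * after encoding — confirm the callers' tokens survive {@code encodeForHTML}.
 *
 * @param strSrc     text to encode; if ESAPI returns {@code null} for it, {@code null} is
 *                   returned instead of a {@code NullPointerException}
 * @param strReplace tokens to replace with {@code <br/>}; {@code null} means no replacements
 *                   (a {@code null} element still fails, as before)
 * @return the encoded text with the line-break tokens substituted
 */
public static String encodeForHTML(String strSrc, String[] strReplace) {
    String encoded = ESAPI.encoder().encodeForHTML(strSrc);
    if (encoded == null || strReplace == null) {
        return encoded;
    }
    for (String token : strReplace) {
        encoded = encoded.replace(token, "<br/>");
    }
    return encoded;
}Example 19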
| Project: albert-master File: SecurityUtil.java |
/**
 * Escapes {@code source} for use inside a MySQL string literal, delegating to ESAPI's
 * SQL encoder with the class's {@code MYSQL_CODEC} (defined elsewhere in the class).
 *
 * NOTE(review): escaping is a fallback; a {@code PreparedStatement} bind parameter keeps
 * the value out of the statement text altogether and should be preferred where possible.
 *
 * @param source the raw value
 * @return the escaped value as produced by ESAPI
 */
public static final String escapeMySQL(String source) {
return ESAPI.encoder().encodeForSQL(MYSQL_CODEC, source);
}