[ 
https://issues.apache.org/jira/browse/OFBIZ-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13790856#comment-13790856
 ] 

Jacques Le Roux commented on OFBIZ-5343:
----------------------------------------

Adrian,

This is certainly possible. But from what I have seen this morning, David had 
to remove some codecs (at least one IIRW) because he got issues with it/them. 
So at the moment we slightly differ from the default in esapi, which has the 
javascript codec we don't use. So if you mean to simply have a property list 
with codecs, I don't think it would work as is. We would need to get deeper in 
code...

Here is an extract (from 
https://code.google.com/p/owasp-esapi-java/source/browse/tags/releases/1.4.0/source/src/org/owasp/esapi/reference/DefaultEncoder.java)
 which will tell you more than my explanation (show me the code way ;) )
{code}
        /**
         * Instantiates a new DefaultEncoder
         *
         */
        public DefaultEncoder() {
                // initialize the codec list to use for canonicalization
                codecs.add( htmlCodec );
                codecs.add( percentCodec );
                codecs.add( javaScriptCodec );

                // leave this out because it eats / characters
                // codecs.add( cssCodec );

                // leave this out because it eats " characters
                // codecs.add( vbScriptCodec );
        }
{code}

As you can see, even they had to comment out their own codecs by default...

Ha, found David's change: 
http://svn.apache.org/viewvc?view=revision&revision=746292

> Update owasp-esapi-java
> -----------------------
>
>                 Key: OFBIZ-5343
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5343
>             Project: OFBiz
>          Issue Type: Task
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: esapi
>             Fix For: SVN trunk
>
>         Attachments: commons-configuration-1.9.jar, esapi-2.1.0.jar, 
> logkit-1.0.1.jar, OFBIZ-5343-Update owasp-esapi-java.patch
>
>
> As reported by Christoph Neuroth at OFBIZ-5254, we still use a patched 
> version from OFBIZ-3135 and it's time to update to the last version



--
This message was sent by Atlassian JIRA
(v6.1#6144)
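
Added example, not part of the original message and not ESAPI or OFBiz code: a minimal sketch of canonicalization driven by a configurable codec list, showing why the choice of codecs cannot be treated as a plain property. The three codecs and the `CodecListDemo` class are hypothetical stand-ins, and the `enabled` list plays the role of the property list discussed in the comment.

```java
import java.util.*;
import java.util.function.UnaryOperator;
import java.util.regex.*;

public class CodecListDemo {
    // Hypothetical stand-in codecs keyed by name; these are NOT the ESAPI classes.
    static final Map<String, UnaryOperator<String>> CODECS = new LinkedHashMap<>();
    static {
        CODECS.put("html", s -> decodeNumeric(s, "&#(\\d{1,6});", 10));          // &#60; style
        CODECS.put("percent", s -> decodeNumeric(s, "%([0-9a-fA-F]{2})", 16));   // %3C style
        // Assumed behaviour: treats backslash as an escape character and drops it.
        CODECS.put("backslash", s -> s.replaceAll("\\\\(.)", "$1"));
    }
    // Replace every match of regex with the character whose code is in group 1.
    static String decodeNumeric(String s, String regex, int radix) {
        Matcher m = Pattern.compile(regex).matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String ch = new String(Character.toChars(Integer.parseInt(m.group(1), radix)));
            m.appendReplacement(out, Matcher.quoteReplacement(ch));
        }
        m.appendTail(out);
        return out.toString();
    }
    // Apply the enabled codecs repeatedly until the value stops changing,
    // so double and mixed encodings are fully unwrapped before validation.
    static String canonicalize(String input, List<String> enabled) {
        String current = input;
        for (int pass = 0; pass < 10; pass++) {
            String next = current;
            for (String name : enabled) {
                UnaryOperator<String> codec = CODECS.get(name);
                if (codec == null) throw new IllegalArgumentException("unknown codec: " + name);
                next = codec.apply(next);
            }
            if (next.equals(current)) return current;
            current = next;
        }
        throw new IllegalStateException("input still changing after 10 passes");
    }
    public static void main(String[] args) {
        // Constructed samples: double-encoded tag, mixed-encoded tag, benign Windows path.
        String[] samples = { "%253Cb%253E", "&#37;3Cb&#37;3E", "C:\\temp\\new.txt" };
        List<List<String>> configs = List.of(List.of("html", "percent"),
                                             List.of("html", "percent", "backslash"));
        for (List<String> cfg : configs)
            for (String s : samples)
                System.out.println(cfg + "  " + s + "  ->  " + canonicalize(s, cfg));
    }
}
```

Both configurations unwrap the encoded tag samples identically, but enabling the extra codec also rewrites the benign path, which is the kind of side effect that makes each codec a code-level decision.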
