3 Replies Latest reply on May 3, 2013 2:50 PM by Sham HC

    XSS: OWASP ESAPI Taglibs

    ronald.ploeger Level 1

      Hi,

      I have seen that "com.adobe.granite.xssprotection-5.5.4.jar" is using OWASP ESAPI under the hood.

      Why doesn't Granite make the ESAPI Taglibs (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/tags/package-summary.html) available?

      Then one could for example use

          <esapi:encodeForHTMLAttribute>${myvar}</esapi:encodeForHTMLAttribute>

      which in my opinion is cleaner than using the "xssAPI"-object in scriptlets in JSPs.

      Best regards,

      Ronald

        • 1. Re: XSS: OWASP ESAPI Taglibs
          Sham HC Level 7

          Hi ronald ploeger,

          xssAPI on top of ESAPI takes care of CQ-specific things like escaping non-URL characters in paths etc. Additionally, in future it might change or add additional libraries apart from ESAPI. Due to these reasons the xssAPI API is made available rather than exposing the ESAPI taglib.

          Thanks,

          Sham

          @adobe_sham

          • 2. Re: XSS: OWASP ESAPI Taglibs
            ronald.ploeger Level 1

            Hi Sham,

            Thanks for your answer. I see.

            I guess it would be good to have a CQ-specific taglib similar to the one provided by ESAPI. This would enable developers to keep JSPs clean of scriptlets and enable them to use expression language, e.g.

              <cq:encodeForHTMLAttribute>${book.title}</cq:encodeForHTMLAttribute>

            Best,

            Ronald

            • 3. Re: XSS: OWASP ESAPI Taglibs
              Sham HC Level 7

              Hi ronald,

              There is already a supporting tag library for XSS protection. An example of applying a policy to an HTML source string to clean it up is [1].

              A documentation request has already been placed. Some of the functionality you are looking for might be missing. Please file a Daycare ticket with a business case.

              [1]

              <%@ taglib uri="http://www.day.com/taglibs/cq/xss/1.0" prefix="cqxss" %>

              <cqxss:out><%= attributename %></cqxss:out>

              Thanks,

              Sham

              @adobe_sham

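As an added example (not code from this thread, from Adobe or from ESAPI), here is a minimal JSP tag handler of the kind Ronald proposes in reply 2: the tag body (an EL expression such as ${book.title}) is evaluated and then passed through the Granite XSSAPI attribute encoder, so the JSP keeps expression language and no scriptlets. Assumptions: the package and tag name are hypothetical, and the XSSAPI service is looked up through the SlingBindings request attribute, which is how CQ scripts reach OSGi services.

```java
package example.xss; // hypothetical package, not part of CQ or Granite

import java.io.IOException;
import java.io.StringWriter;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.SimpleTagSupport;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.scripting.SlingBindings;
import com.adobe.granite.xss.XSSAPI;

/**
 * Hypothetical <cq:encodeForHTMLAttribute> tag. The body is evaluated into a
 * buffer, encoded for the HTML attribute context, and only then written to
 * the response, so an untrusted value can never be emitted unencoded.
 */
public class EncodeForHTMLAttributeTag extends SimpleTagSupport {

    @Override
    public void doTag() throws JspException, IOException {
        // Evaluate the tag body (e.g. ${book.title}) into a buffer, not the page.
        StringWriter body = new StringWriter();
        if (getJspBody() != null) {
            getJspBody().invoke(body);
        }

        PageContext pageContext = (PageContext) getJspContext();
        SlingHttpServletRequest request = (SlingHttpServletRequest) pageContext.getRequest();

        // Assumption: the Sling script bindings carry the script helper that
        // resolves the XSSAPI OSGi service for this request.
        SlingBindings bindings = (SlingBindings) request.getAttribute(SlingBindings.class.getName());
        if (bindings == null || bindings.getSling() == null) {
            throw new JspException("SlingBindings not available; tag used outside a Sling script");
        }
        XSSAPI xssAPI = bindings.getSling().getService(XSSAPI.class).getRequestSpecificAPI(request);

        // Attribute context: quotes, angle brackets, spaces and other
        // non-alphanumerics are encoded, so the value cannot close the quoted
        // attribute or introduce a new attribute such as an event handler.
        pageContext.getOut().write(xssAPI.encodeForHTMLAttr(body.toString()));
    }
}
```

Declare the tag in a TLD with `<body-content>scriptless</body-content>` and use it only inside a quoted attribute, e.g. `<a title="<cq:encodeForHTMLAttribute>${book.title}</cq:encodeForHTMLAttribute>">`; values placed in element content, JavaScript or URLs need the matching XSSAPI encoder for that context instead.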