3 Replies Latest reply on May 3, 2013 2:50 PM by Sham HC

    XSS: OWASP ESAPI Taglibs




      I have seen that "com.adobe.granite.xssprotection-5.5.4.jar" is using OWASP ESAPI under the hood.


      Why doesn't Granite make the ESAPI Taglibs (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/tags/package-summary.html) available?


      Then one could for example use




      which in my opinion is cleaner than using the "xssAPI"-object in scriptlets in JSPs.


      Best regards,


        • 1. Re: XSS: OWASP ESAPI Taglibs
          Sham HC Level 7

          Hi ronald ploeger,


          xssAPI on top of ESAPI takes care of CQ-specific things like escaping non-URL characters in paths etc. Additionally, in future it might change/add additional libraries apart from ESAPI; due to these reasons the xssAPI API is made available rather than exposing the ESAPI taglib.





          • 2. Re: XSS: OWASP ESAPI Taglibs
            ronald.ploeger Level 1

            Hi Sham,


            Thanks for your answer. I see.


            I guess it would be good to have a CQ-specific taglib similar to the one provided by ESAPI. This would enable developers to keep JSPs clean of scriptlets and enable them to use expression language, e.g.






            • 3. Re: XSS: OWASP ESAPI Taglibs
              Sham HC Level 7

              Hi ronald,


              There is already a supporting tag library for XSS protection. An example to apply a policy to an HTML source string to clean it up is [1].

              A documentation request has already been placed.  Some of the functionality you are looking for might be missing. Please file a DayCare ticket with a business case.





              <%@ taglib uri="http://www.day.com/taglibs/cq/xss/1.0" prefix="cqxss" %>

              <cqxss:out><%= attributename %></cqxss:out>





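As an added illustration (not code from this thread, nor Adobe's own sample), a JSP fragment contrasting the tag form from [1] with the scriptlet form that picks an encoder per output context. It assumes /libs/foundation/global.jsp exposes the xssAPI object (com.adobe.granite.xss.XSSAPI) with encodeForHTML, encodeForHTMLAttr, encodeForJSString and getValidHref, and uses constructed request parameters title, link and name as the untrusted input.

```jsp
<%@ taglib uri="http://www.day.com/taglibs/cq/xss/1.0" prefix="cqxss" %>
<%@ include file="/libs/foundation/global.jsp" %>
<%-- Constructed untrusted input (assumption: these are plain request parameters). --%>
<%
    String title = request.getParameter("title");
    String link  = request.getParameter("link");
    String name  = request.getParameter("name");
%>

<%-- Tag form: escapes for the HTML body context without a scriptlet call. --%>
<h1><cqxss:out><%= title %></cqxss:out></h1>

<%-- Scriptlet form: the encoder must match where the value lands. --%>
<%-- getValidHref rejects non-URL content (e.g. javascript: schemes) in a link. --%>
<a href="<%= xssAPI.getValidHref(link) %>"
   title="<%= xssAPI.encodeForHTMLAttr(title) %>">
    <%= xssAPI.encodeForHTML(name) %>
</a>

<%-- Inside a JS string literal HTML encoding is not enough; use the JS encoder. --%>
<script>
    var user = "<%= xssAPI.encodeForJSString(name) %>";
</script>
```

The tag covers the HTML body case; the attribute, href and JavaScript contexts are why the scriptlet form still exists in the same page.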