Howto sanitize inputs
I am willing to use "OWASP ESAPI for Java" to sanitize user input when users submit forms in a Tomcat webapp.

I used to use org.apache.commons.lang.StringEscapeUtils like this:

import org.apache.commons.lang.StringEscapeUtils;

// commons-lang 2.x: escapes &, <, >, " and the characters that have named
// HTML entities, so the value is safe as HTML element content only.
public static String myEscapeHtml(String s)
{
    return StringEscapeUtils.escapeHtml(s);
}

I don't know anymore if this is good enough to protect the webapp "reasonably"...

I would like to know what lines of code I should write to use the OWASP ESAPI to sanitize a Tomcat webapp user inputs.

Can you give an example in which one or several ESAPI "filters" (escaping?, encoding? ...) would be applied to a string to sanitize it?

The backend RDBMS is PostgreSQL.

The Tomcat server can be running on either a Linux server or a Windows server.

Thank you and best regards.

Westernmost answered 22/6, 2014 at 17:21 Comment(3)
My original title was "Howto sanitize inputs using Owasp Esapi for Java". I think it's worth specifying what library and programming language I would like to use in the title of the thread. But maybe, according to your standards, the tags are enough to have the thread be properly referenced... I hope I'll get an answer :) Breather
Are you interested in input encoding or output encoding?Seafowl
I'm not sure. I would say "output encoding" to avoid injections inside HTML code...Breather
For input validation, you'll use org.owasp.esapi.reference.DefaultValidator.

If you want to define your own validation rules in validation.properties, the technique to do that is demonstrated in answers to this question.

For output escaping, that's actually quite a bit easier. Preferably when inserting data into an object that will be sent to the presentation layer, you'll want to use the String output = ESAPI.encoder().encodeForHTML(s); methods.

The full list of methods is defined in org.owasp.esapi.Encoder.

Seafowl answered 22/1, 2015 at 15:44 Comment(0)
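To put the two halves of this answer together for the asker's setup (form fields in, PostgreSQL behind, HTML out), here is an added example that is not the answerer's code: validation through ESAPI's DefaultValidator on input, a PreparedStatement for the database, and the Encoder on output. It assumes an ESAPI.properties with the default Validator.SafeString and Validator.Email patterns on the classpath; the "comments" table and the FormData holder are placeholders.

```java
// Added example, not from the answer above. Assumes ESAPI.properties (with its
// default Validator.SafeString / Validator.Email regexes) is on the classpath;
// the "comments" table and FormData are placeholders for illustration.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

public final class EsapiFormHandling {

    /** Plain holder for the two fields this example validates (placeholder type). */
    public record FormData(String name, String email) {}

    /**
     * Input validation: each field is checked against a whitelist regex from
     * ESAPI.properties ("SafeString" -> Validator.SafeString, "Email" ->
     * Validator.Email). getValidInput throws instead of silently altering the
     * value, so a bad field rejects the submit rather than storing garbage.
     */
    public static FormData validateForm(String name, String email) throws ValidationException {
        String safeName  = ESAPI.validator().getValidInput("comment form: name",  name,  "SafeString", 100, false);
        String safeEmail = ESAPI.validator().getValidInput("comment form: email", email, "Email",      254, false);
        return new FormData(safeName, safeEmail);
    }

    /**
     * Persistence: ESAPI ships no PostgreSQL codec for encodeForSQL, and none is
     * needed; bound parameters are sent separately from the SQL text, so the
     * values are never parsed as part of the statement.
     */
    public static void store(Connection conn, FormData data) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "INSERT INTO comments (author_name, author_email) VALUES (?, ?)")) {
            ps.setString(1, data.name());
            ps.setString(2, data.email());
            ps.executeUpdate();
        }
    }

    /**
     * Output encoding: choose the encoder by the context the value lands in.
     * Element content gets encodeForHTML; an attribute value needs
     * encodeForHTMLAttribute, even though the same string was already validated.
     */
    public static String renderAuthor(FormData data) {
        return "<span title=\"" + ESAPI.encoder().encodeForHTMLAttribute(data.email()) + "\">"
             + ESAPI.encoder().encodeForHTML(data.name()) + "</span>";
    }
}
```

Note that validation and encoding are separate steps: the regex check limits what reaches the database, while the encoder call is what actually prevents a stored value from being interpreted as markup at render time.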
Source

This sanitizes the input from HTML, and ensures quotes are kept.

import java.util.List;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.HtmlSanitizer;
import org.owasp.html.HtmlStreamEventReceiver;

// Runs myHtml through the policy and keeps only the text nodes, mapping <br>
// to a newline; tags the policy does not allow never reach the receiver.
static String sanitizeToText(HtmlPolicyBuilder myPolicyBuilder, String myHtml) {
    final StringBuilder sb = new StringBuilder();
    HtmlSanitizer.Policy policy = myPolicyBuilder.build(new HtmlStreamEventReceiver() {
        @Override public void openDocument() {}
        @Override public void closeDocument() {}
        @Override public void openTag(String elementName, List<String> attribs) {
            if ("br".equals(elementName)) { sb.append('\n'); }
        }
        @Override public void closeTag(String elementName) {}
        @Override public void text(String text) { sb.append(text); }  // decoded text, quotes intact
    });
    HtmlSanitizer.sanitize(myHtml, policy);
    return sb.toString();
}
Zurkow answered 18/5, 2022 at 19:11 Comment(0)