[jira] [Commented] (OFBIZ-5343) Update owasp-esapi-java

    [ https://issues.apache.org/jira/browse/OFBIZ-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13790856#comment-13790856 ]

Jacques Le Roux commented on OFBIZ-5343:
----------------------------------------

Adrian,

This is certainly possible. But from what I have seen this morning, David had to remove some codecs (at least one IIRW) because he got issues with it/them. So at the moment we slightly differ from the default in esapi which have the javascript coded we do'nt use. So if you mean to simply have a property list with codecs, I don't think it would work as is. We would need to get deeper in code...

Here an extract (from https://code.google.com/p/owasp-esapi-java/source/browse/tags/releases/1.4.0/source/src/org/owasp/esapi/reference/DefaultEncoder.java) which will tell you more than my explanation (show me the code way ;) )
{code}
        /**
         * Instantiates a new DefaultEncoder
         *
         */
        public DefaultEncoder() {
                // initialize the codec list to use for canonicalization
                codecs.add( htmlCodec );
                codecs.add( percentCodec );
                codecs.add( javaScriptCodec );

                // leave this out because it eats / characters
                // codecs.add( cssCodec );

                // leave this out because it eats " characters
                // codecs.add( vbScriptCodec );
        }
{code}

As you can see, even them had to comment out their own codecs by default...

Ha, found David's change: http://svn.apache.org/viewvc?view=revision&revision=746292



--
This message was sent by Atlassian JIRA
(v6.1#6144)