Using OWASP Reform for Output Encoding

In a previous post I discussed the shortcomings of the Apache Commons Lang StringEscapeUtils class with regard to output encoding in a JavaScript context. In that same post I mentioned two other projects that handle output encoding correctly in this context, as well as in others. One of these was OWASP Reform, which is now part of the OWASP Encoding Project. In this post I hope to give a few short examples to help you get started using this project.

The first thing that you will need to do is visit the OWASP Encoding Project webpage and download the zip archive of the source. As of this writing, the latest version is Reform 0.12. After you unzip the archive, you will notice that Reform has actually been ported to many different languages. In my examples I will be focusing on the Java implementation, but the concepts should apply to any implementation you choose to use.

Since the project is distributed as source, I simply copied the Reform.java file into a new Eclipse project. From there, I created a very simple JSP that should get you started. Here is the code:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%@ page import="org.owasp.reform.Reform"%>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>OWASP Reform Example</title>
<script>
  // JavaScript string context: Reform.JsString emits the quoted, escaped literal
  var jsParam = <%= Reform.JsString((String) request.getParameter("jsParam")) %>;
  alert("You passed in: " + jsParam);
</script>
</head>
<body>
  <!-- HTML body context: Reform.HtmlEncode turns markup characters into entities -->
  You passed in: <%= Reform.HtmlEncode((String) request.getParameter("htmlParam")) %>
</body>
</html>

As you can see, all that is required is to import the correct library, in this case org.owasp.reform.Reform, and call the method that matches the context into which the data is being written. The most important thing to remember about output encoding is that context matters.

Reform also has encoding functions for other contexts such as HTML attributes, XML, XML attributes, and VBScript. I hope this helps.
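To make the "context matters" point concrete, here is an added example that is not part of the post and not code from the OWASP Reform project. It implements two minimal encoders of my own, htmlEncode and jsString, whose escaping rules are assumptions chosen for illustration (Reform's exact output format may differ), and a hypothetical renderPage that mirrors the JSP above. As the JSP suggests, JsString returns the surrounding quotes as part of its output, so the demo's jsString does the same. The class name and the sample input are constructed for this example.

```java
// Added example: a minimal context-aware encoder pair showing why a separate
// method per output context is needed. Not the post's code and not OWASP Reform.
public class ContextEncodingDemo {

    /** HTML body context: every character that can start or end markup becomes an entity. */
    public static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * JavaScript string-literal context: returns a double-quoted literal in which every
     * character other than ASCII letters, digits and space is written as \xHH or \uHHHH.
     * That removes quotes, backslashes, line terminators and the "</script>" sequence,
     * none of which an HTML entity encoder knows how to handle inside a script block.
     */
    public static String jsString(String s) {
        if (s == null) return "\"\"";
        StringBuilder out = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            boolean safeAscii = c < 128 && (Character.isLetterOrDigit(c) || c == ' ');
            if (safeAscii) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.append('"').toString();
    }

    /** Hypothetical page renderer: each parameter is encoded for the context it lands in. */
    public static String renderPage(String jsParam, String htmlParam) {
        return "<script>\n"
             + "var jsParam = " + jsString(jsParam) + ";\n"
             + "</script>\n"
             + "You passed in: " + htmlEncode(htmlParam) + "\n";
    }

    public static void main(String[] args) {
        // Constructed sample input: markup that must not survive in either context.
        String sample = "</script><b>x</b>";
        System.out.println(htmlEncode(sample)); // &lt;/script&gt;&lt;b&gt;x&lt;/b&gt;
        System.out.println(jsString(sample));   // "\x3C\x2Fscript\x3E\x3Cb\x3Ex\x3C\x2Fb\x3E"
        System.out.println(renderPage(sample, sample));
    }
}
```

The two methods are deliberately not interchangeable: entities produced by htmlEncode are not decoded inside a script element, so they would appear literally to the user, and htmlEncode leaves backslashes and line terminators alone, which is exactly what a JavaScript literal needs escaped. That is the reason Reform exposes JsString and HtmlEncode as distinct calls.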

5 comments:

Tracie said...

Matt -- your profile says your from Memphis. Did you go to high school in Memphis?

Tracie said...

Not your. You are from Memphis. Sorry for the lack of grammar skills, there.

Matt Presson said...

Maybe ;).

Dave Ferguson said...

Matt, nice post. Are you familiar with OWASP ESAPI and its encoding capabilities? I am wondering which does a better job or which is easier to use.

Matt Presson said...

Dave,
I am familiar with the ESAPI. As far as which one is better, I believe that the Reform Project, also done by OWASP, was incorporated into ESAPI as the base for the Encoder classes. I am not sure how much change went on as part of that incorporation, but either solution should work sufficiently.