ESAPI and spring framework?


Jeffrey Walton

Aug 2, 2023, 12:43:15 PM
to ESAPI Project Users
Hi Everyone,

We are having trouble with a Spring project. We are trying to do this:

<form:form action='...'>
<form:input type="hidden" ... value="${someValue}" />
</form:form>

We want to encode for 'value', so we think we need something like
this, using a JSP expression:

value="<%= ESAPI.encoder().encodeForHTMLAttribute(${someValue}) %>"

However, ${someValue} is because Spring has not performed its
translations when ESAPI.encoder().encodeForHTMLAttribute is
translated.

I think it is this problem:
https://stackoverflow.com/questions/21164915/esapi-implementation-for-spring-form-tags.

What does ESAPI recommend for a Spring framework project?

Jeff

Kevin W. Wall

Aug 2, 2023, 7:37:13 PM
to nolo...@gmail.com, ESAPI Project Users
I think that avgvstvs' advice in the SO link you referenced is good advice. The only thing that I'd add is if you do the output encoding in the controller, make sure that either you are only doing it for this particular request mapping or have a dedicated controller. Otherwise, if you end up displaying that data in another context (e.g., you insert it directly into the DOM via JavaScript), you would have the incorrect encoding type. (That's why we recommend that you do it as close to where tainted data are being rendered as possible, which for JSPs, generally means in the JSP itself.)

-kevin



--
Blog: https://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
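One way to keep the encoding in the JSP, where Kevin says it belongs, while avoiding the scriptlet/EL mismatch Jeff ran into, is to expose the ESAPI encoder as a JSP EL function so the whole attribute value is evaluated by EL. This is an added example, not code from either poster or from the ESAPI project; the package name, taglib URI, TLD file name and the form field path are assumptions.

```java
package com.example.web.tags;  // hypothetical package, not part of ESAPI

import org.owasp.esapi.ESAPI;

/**
 * Static helpers exposed to JSP EL so output encoding runs at the point of
 * rendering, after EL has already resolved ${someValue}.
 */
public final class EsapiFunctions {
    private EsapiFunctions() {}

    /** Encoder for the quoted HTML attribute context, e.g. value="...". */
    public static String encodeForHTMLAttribute(String input) {
        // Null handling is this example's choice: render an empty attribute.
        return input == null ? "" : ESAPI.encoder().encodeForHTMLAttribute(input);
    }

    /** Encoder for a string literal inside a script block (different context). */
    public static String encodeForJavaScript(String input) {
        return input == null ? "" : ESAPI.encoder().encodeForJavaScript(input);
    }
}

/* WEB-INF/esapi.tld (file name and uri are assumptions):

<?xml version="1.0" encoding="UTF-8"?>
<taglib xmlns="http://java.sun.com/xml/ns/javaee" version="2.1">
  <tlib-version>1.0</tlib-version>
  <short-name>esapi</short-name>
  <uri>http://example.com/tags/esapi</uri>
  <function>
    <name>encodeForHTMLAttribute</name>
    <function-class>com.example.web.tags.EsapiFunctions</function-class>
    <function-signature>java.lang.String encodeForHTMLAttribute(java.lang.String)</function-signature>
  </function>
  <function>
    <name>encodeForJavaScript</name>
    <function-class>com.example.web.tags.EsapiFunctions</function-class>
    <function-signature>java.lang.String encodeForJavaScript(java.lang.String)</function-signature>
  </function>
</taglib>

   In the JSP the attribute is a single EL expression, so ${someValue} is
   resolved before the encoder sees it (path="someField" is a placeholder):

<%@ taglib prefix="esapi" uri="http://example.com/tags/esapi" %>
<form:form action="...">
  <form:input type="hidden" path="someField"
              value="${esapi:encodeForHTMLAttribute(someValue)}" />
</form:form>
*/
```

Because each call names its context, the same value can be rendered with esapi:encodeForJavaScript where it is inserted via a script block, which is the per-context choice Kevin describes rather than a single encoding fixed in the controller.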