ESAPI.properties and SafeString


Jeffrey Walton

Jun 30, 2026, 11:40:26 AM
to ESAPI Project Users
Hi Everyone/Kevin,

I'm looking through the Validator class, and the use of getValidInput
with type=SafeString. I noticed SafeString was _not_ in
configuration/esapi/ESAPI.properties. Instead, it shows up in
configuration/esapi/validation.properties.

I read through the head notes in each file, but I don't see guidance
on using one or the other. Naively, I thought the regex's belong in
ESAPI.properties.

When should we use validation.properties over ESAPI.properties?

(It also looks like the head notes in validation.properties got
lopped-off in mid sentence).

Jeff

Kevin W. Wall

Jun 30, 2026, 10:25:45 PM
to Jeff Walton, ESAPI Project Users
Jeff,

IIRC, the validation.properties is used exclusively by implementations of the Validator interface. Pretty much everything else uses ESAPI.properties. (I'm not sure of the historical reasons for this, but it dates back at least to the ESAPI 1.4 version. Maybe the Validator stuff started out as a separate library. IDK. Maybe ask @Jeff Williams if you're curious.)

I think most (all?) of the other regexes in ESAPI.properties are associated with the HTTPUtilities interface.

Lastly, regarding your comment about:

> ... validation.properties got
> lopped-off in mid sentence

Try checking the comments in https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/test/resources/esapi/validation.properties, or if it's missing there as well, check the git history for those files.

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | GitHub: @kwwall | OWASP ESAPI Project co-lead | OWASP and ACM lifetime member
NSA: All your crypto bit are belong to us.

--
You received this message because you are subscribed to the Google Groups "ESAPI Project Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to esapi-project-u...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/CAH8yC8%3DBgeezQMMzvZ2PLN09EO3ue1tFG5W3s0pH9VnXrV%3Dkuw%40mail.gmail.com.

Jeffrey Walton

Jun 30, 2026, 11:18:25 PM
to Kevin W. Wall, ESAPI Project Users
On Tue, Jun 30, 2026 at 10:25 PM Kevin W. Wall <kevin....@gmail.com> wrote:
>
> IIRC, the validation.properties is used exclusively by implementations of theValidator interface. Pretty much everything else uses ESAPI.properties. (I'm not sure of the historical reasons for this, but it dates back at least to the ESAPI 1.4 version. Maybe the Validator stuff started out as a separate library. IDK. Maybe ask @Jeff Williams if you're curious.)
>
> I think most (all?) of the other regexes in ESAPI.properties are associated with the HTTPUtilities interface.
>
> Lastly, regarding your comment about:
>
> > ... validation.properties got
> > lopped-off in mid sentence
>
> Try checking the comments in https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/test/resources/esapi/validation.properties, or if it's missing there as well, check the git history for those files.

Yes, it looks like it is missing some text. Around line 29, the
comments start discussing potential missing canonicalization, and
introduces a partial example:

// Line 29 below
# But note, when you use boolean variants of validation functions, you lose critical
# canonicalization. It is preferable to use the "get" methods (which throw exceptions)
# and use the returned user input which is in canonical form. Consider the following:
#
# try {
# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
#
// whoops, the discussion stops there, at line 35.

Jeff
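
The try block quoted above from validation.properties never reaches its catch. The following is an added example, not ESAPI project code and not part of this thread, showing how that example would be completed and contrasting it with the boolean-variant pattern the file's comment warns against. It assumes ESAPI.properties and validation.properties are on the classpath (the "Email" and "SafeString" types being the Validator.Email and Validator.SafeString entries in validation.properties); the UserProfile class, the storeEmail helper names and the 254 maximum length are made up for illustration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class CanonicalInputExample {

    // Hypothetical holder standing in for "someObject" in the properties-file comment.
    static final class UserProfile {
        private String email;
        private String displayName;
        void setEmail(String email) { this.email = email; }
        void setDisplayName(String name) { this.displayName = name; }
        String getEmail() { return email; }
        String getDisplayName() { return displayName; }
    }

    // Illustrative limit; pick whatever your schema actually allows.
    static final int MAX_EMAIL_LENGTH = 254;

    /**
     * Preferred pattern (the completed version of the comment's example):
     * getValidInput canonicalizes the input, checks the canonical form against
     * Validator.Email, and returns the canonical string. The caller stores the
     * value that was actually validated, not the raw input.
     */
    static boolean storeEmail(UserProfile profile, String input) {
        Validator validator = ESAPI.validator();
        try {
            String canonical = validator.getValidInput(
                    "User Email", input, "Email", MAX_EMAIL_LENGTH, false);
            profile.setEmail(canonical);
            return true;
        } catch (ValidationException e) {
            // Input failed the regex, length or null rules. getUserMessage() is
            // meant for the user; getLogMessage() carries the detail for logs.
            System.err.println("Rejected: " + e.getUserMessage());
            return false;
        } catch (IntrusionException e) {
            // ESAPI judged the input to be an attack (for example, multiple or
            // mixed encodings) and escalated; do not fall back to the raw value.
            System.err.println("Intrusion detected: " + e.getUserMessage());
            return false;
        }
    }

    /**
     * The pattern the comment warns about: isValidInput only reports whether the
     * input would validate. The canonical form never reaches the caller, so the
     * value that gets stored is the raw, non-canonical string.
     */
    static boolean storeEmailBooleanVariant(UserProfile profile, String input) {
        if (ESAPI.validator().isValidInput(
                "User Email", input, "Email", MAX_EMAIL_LENGTH, false)) {
            profile.setEmail(input); // raw input, not the canonical form
            return true;
        }
        return false;
    }

    /** Same "get" pattern applied to the SafeString type from validation.properties. */
    static boolean storeDisplayName(UserProfile profile, String input) {
        try {
            String canonical = ESAPI.validator().getValidInput(
                    "Display Name", input, "SafeString", 64, false);
            profile.setDisplayName(canonical);
            return true;
        } catch (ValidationException | IntrusionException e) {
            System.err.println("Rejected: " + e.getUserMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        UserProfile profile = new UserProfile();
        // Constructed sample inputs: one plain address, one carrying an
        // HTML-entity encoded character that canonicalization resolves.
        String[] samples = { "alice@example.com", "bob&#64;example.com" };
        for (String sample : samples) {
            boolean ok = storeEmail(profile, sample);
            System.out.println(sample + " -> accepted=" + ok
                    + (ok ? ", stored=" + profile.getEmail() : ""));
        }
        storeDisplayName(profile, "Alice Example");
        System.out.println("display name stored=" + profile.getDisplayName());
    }
}
```

Note that both helpers return a boolean to the caller; the difference is what ends up in the profile. The first stores the string ESAPI validated, the second stores whatever the user sent, which is the gap the validation.properties comment is describing.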

Kevin W. Wall

Jul 1, 2026, 12:26:55 AM
to nolo...@gmail.com, ESAPI Project Users
Jeff,

Good catch (of the missing catch :). Could you maybe drop this email into a GitHub issue so we don't lose track of it and I'll remember to fix it. I'm getting ready to go to sleep now.

Thanks,
-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | GitHub: @kwwall | OWASP ESAPI Project co-lead | OWASP and ACM lifetime member
NSA: All your crypto bit are belong to us.

Jeffrey Walton

Jul 1, 2026, 1:44:39 PM
to Kevin W. Wall, ESAPI Project Users
On Wed, Jul 1, 2026 at 12:26 AM Kevin W. Wall <kevin....@gmail.com> wrote:
>
> Good catch (of the missing catch :). Could you maybe drop this email into a GitHub issue so we don't lose track of it and I'll remember to fix it. I'm getting ready to go to sleep now.

Ok, done: Incomplete documentation in validation.properties,
<https://github.com/ESAPI/esapi-java-legacy/issues/913>.

> On Tue, Jun 30, 2026 at 11:18 PM Jeffrey Walton <nolo...@gmail.com> wrote:
>>
>> On Tue, Jun 30, 2026 at 10:25 PM Kevin W. Wall <kevin....@gmail.com> wrote:
>> >
>> > IIRC, the validation.properties is used exclusively by implementations of theValidator interface. Pretty much everything else uses ESAPI.properties. (I'm not sure of the historical reasons for this, but it dates back at least to the ESAPI 1.4 version. Maybe the Validator stuff started out as a separate library. IDK. Maybe ask @Jeff Williams if you're curious.)
>> >
>> > I think most (all?) of the other regexes in ESAPI.properties are associated with the HTTPUtilities interface.
>> >
>> > Lastly, regarding your comment about:
>> >
>> > > ... validation.properties got
>> > > lopped-off in mid sentence
>> >
>> > Try checking the comments in https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/test/resources/esapi/validation.properties, or if it's missing there as well, check the git history for those files.
>>
>> Yes, it looks like it is missing some text. Around line 29, the
>> comments start discussing potential missing canonicalization, and
>> introduces a partial example:
>>
>> // Line 29 below
>> # But note, when you use boolean variants of validation functions, you lose critical
>> # canonicalization. It is preferable to use the "get" methods (which throw exceptions)
>> # and use the returned user input which is in canonical form. Consider the following:
>> #
>> # try {
>> # someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
>> #
>> // whoops, the discussion stops there, at line 35.
>>

Kevin W. Wall

Jul 1, 2026, 3:31:44 PM
to nolo...@gmail.com, esapi-project-users
Thanks Jeff. I will try to get it updated in the 'develop' branch soon. It will take a while longer to get it into an official release.

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | GitHub: @kwwall | OWASP ESAPI Project co-lead | OWASP and ACM lifetime member
NSA: All your crypto bit are belong to us.
