DefaultEncoder and encodeForLDAP

[Jeffrey Walton]

Hi Everyone/Kevin,

I was looking at ESAPI's encodeForLDAP at https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java#L302. I took a look at [1], and it is textbook LDAP filtering. The filtering does not include AND ('&') OR ('|') and some other operators like EQUAL ('=') and NOT ('!').

My question is, is the recommended LDAP filtering sufficient to avoid a LDAP Injection given the encoder does not include the operators?

[1] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx

Jeff