New ESAPI minor point / patch release issued - ESAPI 2.5.3.1


Kevin W. Wall
Dec 1, 2023, 12:25:12 AM
to esapi-project-users, esapi-project-dev, Jeremiah J. Stacey, Matt Seil, Dave Wichers
It's been less than a week, but Dave Wichers suggested logging the deprecated DefaultValidator.isValidSafeHTML methods, and I thought that was a great idea.

ESAPI 2.5.3.1 is a minor point release based on the recent 2.5.3.0 release that adds:

  • Updated Javadoc for the Validator.isValidSafeHTML and ValidationRule.getValid methods.
  • Added an always-on log message (emitted a single time only) if either of the isValidSafeHTML methods is invoked. The warning notes that the method is deprecated and provides a link to the GitHub Security Advisory. The warning message itself looks something like this:

    [2023-11-30 23:51:13] [DefaultLogger] [SECURITY AUDIT Anonymous:@unknown -> /ExampleApplication/DefaultLogger] WARNING: You are using the Validator.isValidSafeHTML interface, which has been deprecated and should be avoided. See GitHub Security Advisory https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm for details.

The rationale for this point release was to add the logging so that if ESAPI logs are sent to your SIEM, it provides a message to set up an alert / trigger for. Also, we added clarifying Javadoc for the 2 Validator.isValidSafeHTML methods and corrected the ESAPI property name actually used by ValidationRule.getValid.
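As an added illustration of the SIEM use case described above (this is example code written for this page, not part of ESAPI or the release), the following Python parses lines in the DefaultLogger format shown in the announcement and raises an alert whenever the deprecated-isValidSafeHTML warning appears. The regex for the line layout and the sample log lines (apart from the one quoted in the announcement) are constructed assumptions; real deployments may configure a different log pattern.

```python
import re
from typing import Optional

# Assumed shape of an ESAPI DefaultLogger line, derived from the example in the
# announcement:  [timestamp] [logger] [EVENT TYPE user -> context] LEVEL: message
ESAPI_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<logger>[^\]]+)\] "
    r"\[(?P<event>[A-Z ]+?) (?P<user>\S+) -> (?P<ctx>\S+)\] "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Advisory id and method name are the ones named in the announcement.
ADVISORY_ID = "GHSA-r68h-jhhj-9jvm"
DEPRECATED_API = "isValidSafeHTML"


def parse_esapi_line(line: str) -> Optional[dict]:
    """Split one log line into named fields; return None if it does not match."""
    m = ESAPI_LINE.match(line.rstrip())
    return m.groupdict() if m else None


def is_deprecated_safehtml_warning(rec: dict) -> bool:
    """True when the record is the one-time ESAPI warning about the deprecated
    Validator.isValidSafeHTML methods (matched on method name or advisory id)."""
    msg = rec["msg"]
    return rec["level"] == "WARNING" and (
        DEPRECATED_API in msg or ADVISORY_ID in msg
    )


def find_deprecated_safehtml_calls(lines) -> list:
    """Scan log lines and return one alert per deprecated-API warning.

    ESAPI emits the warning once per process, so each alert corresponds to a
    running application instance that still calls the deprecated method; the
    application context (ctx) tells you which deployment to follow up on.
    """
    alerts = []
    for line in lines:
        rec = parse_esapi_line(line)
        if rec is None:          # unparseable or non-ESAPI line: skip
            continue
        if is_deprecated_safehtml_warning(rec):
            alerts.append({
                "ts": rec["ts"],
                "user": rec["user"],
                "ctx": rec["ctx"],
                "advisory": ADVISORY_ID,
                "reason": "deprecated Validator.isValidSafeHTML invoked",
            })
    return alerts


# Constructed sample input: the first line is the one quoted in the
# announcement; the others are made up for this example.
SAMPLE_LOG = [
    "[2023-11-30 23:51:13] [DefaultLogger] [SECURITY AUDIT Anonymous:@unknown -> "
    "/ExampleApplication/DefaultLogger] WARNING: You are using the "
    "Validator.isValidSafeHTML interface, which has been deprecated and should be "
    "avoided. See GitHub Security Advisory https://github.com/ESAPI/esapi-java-legacy/"
    "security/advisories/GHSA-r68h-jhhj-9jvm for details. ",
    "[2023-11-30 23:52:07] [DefaultLogger] [EVENT SUCCESS Anonymous:@unknown -> "
    "/ExampleApplication/DefaultLogger] INFO: Application started",
    "not an esapi line at all",
    "[2023-11-30 23:55:41] [DefaultLogger] [SECURITY AUDIT alice:10.0.0.7 -> "
    "/OrdersApp/DefaultLogger] WARNING: You are using the Validator.isValidSafeHTML "
    "interface, which has been deprecated and should be avoided. See GitHub Security "
    "Advisory https://github.com/ESAPI/esapi-java-legacy/security/advisories/"
    "GHSA-r68h-jhhj-9jvm for details.",
]

if __name__ == "__main__":
    for alert in find_deprecated_safehtml_calls(SAMPLE_LOG):
        print(alert)
```

Because the warning is logged only once per JVM, a rule like this will fire at application start (or at the first call) rather than on every request, so the alert should be treated as an inventory signal ("this deployment still uses the deprecated method") rather than a per-request event counter.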

You may find this release at https://github.com/ESAPI/esapi-java-legacy/releases/tag/esapi-2.5.3.1

-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.