My thoughts on the inevitable ESAPI demotion


Damon Miller

Apr 2, 2014, 9:09:32 PM
to cfe...@googlegroups.com
I posted something on my blog on my thoughts around the potential ESAPI demotion.

http://damonmiller513.blogspot.com/2014/04/my-thoughts-on-inevitable-esapi-demotion.html

Sebastiaan Naafs-van Dijk

Dec 5, 2014, 9:29:23 AM
to cfe...@googlegroups.com
Hi Damon, what about making this OWASP Java Encoder project (https://www.owasp.org/index.php/OWASP_Java_Encoder_Project) a CF-project as well? Isn't that a good idea? Or at least write a tutorial on how to implement this? Or get Adobe and Railo to make this JAR available via a tag also? You've been successful in getting ESAPI as a JAR and tags available in CF8+ and Railo B4 ;-)

Sebastiaan

Sebastiaan Naafs-van Dijk

Dec 5, 2014, 9:35:21 AM
to cfe...@googlegroups.com
http://damonmiller513.blogspot.nl/2014/10/dont-use-esapi-encoders-in.html

Damon, are you saying that we shouldn't be using your ESAPI4CF project AT ALL in CF/RAILO? That sort of goes against everything else on your blog, on GitHub (the project) and in the Google Group (cfesapi).


On Thursday, 3 April 2014 03:09:32 UTC+2, Damon Miller wrote:

Damon Miller

Dec 5, 2014, 10:15:51 AM
to cfe...@googlegroups.com
Hi Sebastiaan,

I have not really given a thought to making Java Encoder a CF project, but I will say that implementing it in CF is very simple, as I have done this for an Enterprise project. I may have to write this up in a blog post per your suggestion.

I am currently working on development for ESAPI4CF v2.0 and I am including the Java Encoder project within it. Both the ESAPI .encodeFor* methods and the Java Encoder .for* methods will be available within the ESAPI4CF Encoder module. There will also be a configuration to prefer use of the Java Encoder under the hood even for the ESAPI encodeFor* methods if there is an equivalent available.

That article was really me venting about my frustrations with ESAPI while working on it, and the demotion of the project was just the icing on the cake. There is a lot of room for improvement, and the ESAPI project as a whole has been very slow going, which is sad as it does have a lot of potential. I am still actively working on development of ESAPI4CF and looking for ways to improve it, even if that means veering away from the ESAPI spec and making it more CF-like in order to remove some complexity from its implementation and just make it simple.

I will definitely say, however: do NOT use ESAPI or ESAPI4CF encoders under ColdFusion 8.x. This uses ESAPI 1.4.4, which has known concurrency issues with the encoder under high-volume applications. I personally have experienced this concurrency issue, and it forced us to use Java Encoder in its place.

Damon
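A sketch of the dual-API encoder module described in the reply above, added here as an illustration; it is not ESAPI4CF's own code. It assumes the OWASP Java Encoder jar (org.owasp.encoder.Encode) and the ESAPI jar with a loadable ESAPI.properties are on the ColdFusion classpath; the component name Encoder and the preferJavaEncoder flag are invented for the example.

```cfml
// Encoder.cfc (hypothetical, not ESAPI4CF's code). Both method families are exposed;
// the preferJavaEncoder flag routes ESAPI-style encodeFor* calls through OWASP Java
// Encoder whenever an equivalent exists, and falls back to the ESAPI encoder otherwise.
component {

    public Encoder function init(boolean preferJavaEncoder = true) {
        // OWASP Java Encoder exposes static methods on org.owasp.encoder.Encode
        variables.javaEncoder = createObject("java", "org.owasp.encoder.Encode");
        // ESAPI reference encoder; needs the ESAPI jar and ESAPI.properties to load
        variables.esapiEncoder = createObject("java", "org.owasp.esapi.ESAPI").encoder();
        variables.preferJavaEncoder = arguments.preferJavaEncoder;
        return this;
    }

    // Java Encoder style API: thin pass-throughs to the static methods
    public string function forHtml(required string input) {
        return variables.javaEncoder.forHtml(arguments.input);
    }
    public string function forHtmlAttribute(required string input) {
        return variables.javaEncoder.forHtmlAttribute(arguments.input);
    }
    public string function forJavaScript(required string input) {
        return variables.javaEncoder.forJavaScript(arguments.input);
    }

    // ESAPI style API: honour the preference where Java Encoder has an equivalent
    public string function encodeForHTML(required string input) {
        if (variables.preferJavaEncoder) return forHtml(arguments.input);
        return variables.esapiEncoder.encodeForHTML(arguments.input);
    }
    public string function encodeForHTMLAttribute(required string input) {
        if (variables.preferJavaEncoder) return forHtmlAttribute(arguments.input);
        return variables.esapiEncoder.encodeForHTMLAttribute(arguments.input);
    }
    public string function encodeForJavaScript(required string input) {
        if (variables.preferJavaEncoder) return forJavaScript(arguments.input);
        return variables.esapiEncoder.encodeForJavaScript(arguments.input);
    }

    // No Java Encoder method with identical semantics: ESAPI's encodeForURL is
    // form-style (URLEncoder, space -> "+") while Java Encoder's forUriComponent is
    // percent-encoding, so this one always goes to ESAPI regardless of the flag.
    public string function encodeForURL(required string input) {
        return variables.esapiEncoder.encodeForURL(arguments.input);
    }
}
```

Calling `new Encoder(true).encodeForHTML(form.comment)` keeps existing ESAPI-style call sites unchanged while the output comes from Java Encoder; passing `false` restores the ESAPI path for comparison.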