A note up front: this is only a brief discussion, as I have used this component just a little myself.
During an important XX period (hopefully this article will help colleagues with similar needs), a web application faced security requirements for the first time. The AppScan security test report was very refreshing: comprehensive content, well-placed hints and suggestions, and it is in Chinese, although some of the Chinese is obviously rough.
The back-end architecture of this application was already relatively solid, so the important problems lay close to the front end: some output-filtering actions were not in place, and more mature code was needed specifically for these jobs. Leafing through Wu Yu Qing's book "White Hat Talks Web Security", I found it recommends OWASP ESAPI, the Enterprise Security API. Its official website is https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API; the home page seems to provide versions for many languages. I used the Java EE version, which is very powerful. Straight from the official documentation, the feature list:
The features in this release of ESAPI for Java EE include:
- ESAPI Core Components
  - ESAPI Locator and interface classes.
  - ESAPI security control reference implementations for the following security controls:
    - Authentication
    - Identity
    - Access Control
    - Input Validation
    - Output Escaping
    - Encryption
    - Random Numbers
    - Exception Handling
    - Logging
    - Intrusion Detection
    - Security Configuration
- ESAPI Web Application Firewall (WAF) component
- Fixes for specific issues. For more information, see "Enhancements and resolved issues".
Using this component is not just a matter of dropping in the jar: on initialization it reads two configuration files, ESAPI.properties and validation.properties. These two files may not be found in the directory shown in the installation guide, but if you unzip the distribution and search for the dist directory you should find them; putting the two files into the src directory is enough.
Not much more to say; on to the code. I used DefaultEncoder a bit, calling some of its encodeForXXX functions; basically you obtain it the singleton way via getInstance() and then each call is a one-liner, so there is nothing to explain, anyone can read the documentation. What is this blog post for, then? Mainly to say that what you find now when searching the Chinese web for Java web output filtering is mostly somebody's (in fact, one version of) hand-written code. This is not to say that their code is bad, but introducing relatively mature component-level code that has seen a certain amount of use is always somewhat better. How to put it: these are security-related things, not to be belittled.
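As an added example (not code from the original post or from the ESAPI project), here is how the encodeForXXX calls mentioned above are applied per output context, with the unencoded "before" beside the encoded "after". It assumes the ESAPI Java EE jar plus ESAPI.properties and validation.properties are on the classpath, and that the SafeString rule is the one shipped in the stock validation.properties.

```java
// Added example: context-specific output encoding with OWASP ESAPI for Java EE.
// Assumes esapi-*.jar, ESAPI.properties and validation.properties are on the
// classpath (copying the two property files into src/ is enough).
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.ValidationException;

public class EsapiOutputEncodingDemo {

    // One Encoder instance; the right encodeForXXX method is chosen per sink.
    private static final Encoder ENC = ESAPI.encoder();

    // BEFORE: raw concatenation; '<', '&' and '"' reach the browser unchanged.
    static String renderUnsafe(String name) {
        return "<p title=\"" + name + "\">" + name + "</p>";
    }

    // AFTER: same template, each value encoded for the context it lands in.
    static String renderSafe(String name) {
        return "<p title=\"" + ENC.encodeForHTMLAttribute(name) + "\">"
             + ENC.encodeForHTML(name) + "</p>";
    }

    // A value inside inline script and inside a query string needs different rules,
    // so HTML encoding alone is not enough for these two sinks.
    static String renderScriptAndLink(String name) throws EncodingException {
        return "<script>var who = '" + ENC.encodeForJavaScript(name) + "';</script>\n"
             + "<a href=\"/profile?u=" + ENC.encodeForURL(name) + "\">profile</a>";
    }

    // Input-validation counterpart: allow-list check before the value is stored.
    // "SafeString" is assumed to be the pattern from the stock validation.properties.
    static String validatedName(String raw) throws ValidationException {
        return ESAPI.validator().getValidInput("name", raw, "SafeString", 50, false);
    }

    public static void main(String[] args) throws Exception {
        String input = "Tom & \"Jerry\" <b>bold</b>";   // constructed sample input
        System.out.println(renderUnsafe(input));        // markup passes through as-is
        System.out.println(renderSafe(input));          // &lt;b&gt; etc. rendered as text
        System.out.println(renderScriptAndLink(input)); // \x3C-style and %3C-style escapes
    }
}
```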
Discussion of ESAPI use, from the angle of dangerous-character filtering in Java web applications