View ESAPI 11 Encodings methods in real-time via an ASP.NET Web Page

In the Another step in the use of ESAPI and AppSensor Jars from .Net/C# (using Jni4Net) I posted the screenshots below, which are such a big step forward that I'm creating this separate blog post to expand the idea a little bit :)

One of the things that I always wanted to do with ESAPI , was to have programmatic access to the multiple ESAPI encodings methods, since I believe they are a great example of the type of encodings capabilities that are needed in order to safely consume data provided by (potentially malicious) users.

ESAPI provides a number of sepecific methods to encode a string (each focused on a particular use case)

1. encodeForHTML
2. encodeForHTMLAttribute
3. encodeForCSS
4. encodeForJavascript
5. encodeForVBScript
6. encodeForLDAP
7. encodeForDN
8. encodeForXPath
9. encodeForXML
10. encodeForXmlAttribute
11. encodeForURL

And given a particular string, what does each of of these look like?

Well, using the View_ESAPI_Encodings Tbot page we can now answer that question:




Note that you can use this GUI to try out what a specific encoding looks like.

For example change the text on the left and click on of the ‘encodeFor…’ buttons



Other related ESAPI posts:

• First execution of ESAPI.jar Encoder methods from O2's C# REPL 
• Loading OWASP ESAPI jar and its dependencies from C# (using jni4net) 
• Getting list of Jars loaded in SystemClassLoader (using Jni4Net) 
• The ESTAPI idea 
• A couple more comments on ESAPI and ESTAPI 
• Recommending ESAPI?