Tuesday 4 June 2013

View ESAPI 11 Encodings methods in real-time via an ASP.NET Web Page

In the post Another step in the use of ESAPI and AppSensor Jars from .Net/C# (using Jni4Net) I posted the screenshots below, which are such a big step forward that I'm creating this separate blog post to expand on the idea a little bit :)

One of the things that I always wanted to do with ESAPI was to have programmatic access to its multiple encoding methods, since I believe they are a great example of the type of encoding capabilities that are needed in order to safely consume data provided by (potentially malicious) users.

ESAPI provides a number of specific methods to encode a string (each focused on a particular output context):
  1. encodeForHTML
  2. encodeForHTMLAttribute
  3. encodeForCSS
  4. encodeForJavascript
  5. encodeForVBScript
  6. encodeForLDAP
  7. encodeForDN
  8. encodeForXPath
  9. encodeForXML
  10. encodeForXmlAttribute
  11. encodeForURL
And given a particular string, what does each of these look like?

Well, using the View_ESAPI_Encodings Tbot page we can now answer that question:
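To show what that per-context difference looks like in code, here is an added Python example (not ESAPI's code, and not byte-for-byte identical to its output) that applies the same conservative rule ESAPI's encoders follow: leave only [A-Za-z0-9] untouched and escape every other character in the syntax of the target context. The function and encoder names are mine; `encode_all` produces the kind of side-by-side table the View_ESAPI_Encodings page displays.

```python
import string

# Characters that are safe to pass through unchanged in every context below.
SAFE = set(string.ascii_letters + string.digits)

def _encode(text, escape):
    """Apply `escape` to every character that is not alphanumeric."""
    return "".join(c if c in SAFE else escape(c) for c in text)

def encode_for_html(text):
    # Hex numeric character references are valid in element content.
    # (ESAPI itself also uses named entities such as &lt; for some characters.)
    return _encode(text, lambda c: "&#x%x;" % ord(c))

def encode_for_javascript(text):
    # \xHH for code points below 256, \uHHHH otherwise, so the result can be
    # placed inside a quoted JavaScript string literal without breaking out of it.
    return _encode(text, lambda c: "\\x%02x" % ord(c) if ord(c) < 256
                   else "\\u%04x" % ord(c))

def encode_for_css(text):
    # CSS hex escape followed by a space; the space terminates the escape so the
    # next character cannot be swallowed into it.
    return _encode(text, lambda c: "\\%x " % ord(c))

def encode_for_url(text):
    # Percent-encode each UTF-8 byte of the character.
    return _encode(text, lambda c: "".join("%%%02X" % b for b in c.encode("utf-8")))

# Assumed names, chosen to mirror the ESAPI methods listed above.
ENCODERS = {
    "encodeForHTML": encode_for_html,
    "encodeForJavascript": encode_for_javascript,
    "encodeForCSS": encode_for_css,
    "encodeForURL": encode_for_url,
}

def encode_all(text):
    """Return {encoder name: encoded text} for one input string."""
    return {name: fn(text) for name, fn in ENCODERS.items()}

if __name__ == "__main__":
    sample = "<script>alert('x')</script>"  # constructed input string
    for name, encoded in encode_all(sample).items():
        print("%-20s %s" % (name, encoded))
```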


Note that you can use this GUI to try out what a specific encoding looks like.

For example, change the text on the left and click one of the ‘encodeFor…’ buttons:


Other related ESAPI posts: