
Move validation patterns of http fields out of ESAPI.properties and to an XML file or database. (1.4)

Open meg23 opened this issue 10 years ago • 4 comments

From [email protected] on February 26, 2012 15:08:50

The attached zipped project is finished and tested code for moving validation patterns of http fields like Email, etc., out of ESAPI.properties. This will improve the API since it will allow definition of http validation per web application instead of the system-wide effect of ESAPI.properties.

New packages:

  1. org.owasp.esapi.fields: The ESAPI fields package provides interfaces to model a so-called "SiteDefinition". A SiteDefinition allows for validation and checks of every possible HTTP parameter that is used by a Java web application. Unlike the ESAPI.properties, which is set via a System Property, a SiteDefinition can (and should) be set per web application.

The idea is to provide the system with a list of the most important http parameters that you need to validate within a web site. By http parameters we mean for example the name of a textbox or a list control on an html form. For each of these parameters the system needs to know:

  - The parameter name.
  - The parameter's validation pattern to match when validating its value received in an HTTP request.
  - Optionally, a String array of the allowed URIs that this parameter can appear on.
  - Maximum allowed length of a received HTTP parameter value.
  - Whether to allow blanks or not.

In addition, the SiteDefinition needs the following application-wide settings:

  - Website name.
  - Default validation pattern: because it is impractical to define every single web site HTTP parameter, this is the default validation pattern to be used for HTTP parameters not explicitly defined.
  - Maximum allowed length: default maximum length for HTTP parameters not explicitly defined.
  - Parameter name validation pattern.
  - The maximum HTTP parameter name length.
  - The maximum HTTP cookie name length.
  - The maximum HTTP cookie value length.
  - The validation pattern used to validate cookie values.
  - The validation pattern used to validate cookie names.
  - The maximum HTTP header value length.
  - The maximum HTTP header name length.
  - The validation pattern used to validate HTTP header values.
  - The validation pattern used to validate HTTP header names.

The ESAPI-Site-Definition.xsd file within this package defines the structure mentioned above for loading site definitions from XML files.

  2. org.owasp.esapi.reference.fields: Contains implementation of Web Site Validation from definitions stored in an XML file.

Attachment: ESAPI.1.4.ex.zip

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=265

meg23 avatar Nov 13 '14 18:11 meg23
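An added, self-contained sketch (not code from the attached project or from ESAPI itself) of the per-parameter rules and application-wide fallbacks described in the post above: a defined parameter is checked against its own pattern, length, blank policy and allowed URIs, while an undefined one falls back to the site-wide defaults. The class and field names, the sample regexes and the `/register` and `/search` URIs are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical sketch of the SiteDefinition idea; names and values are assumed, not ESAPI's.
public class SiteDefinitionDemo {

    /** Per-parameter rule: value pattern, optional allowed URIs, max length, allow blank. */
    static final class ParameterDefinition {
        final Pattern pattern; final List<String> allowedUris; final int maxLength; final boolean allowBlank;
        ParameterDefinition(String regex, List<String> allowedUris, int maxLength, boolean allowBlank) {
            this.pattern = Pattern.compile(regex); this.allowedUris = allowedUris;
            this.maxLength = maxLength; this.allowBlank = allowBlank;
        }
    }

    /** Application-wide settings applied to every parameter that is not explicitly defined. */
    static final class SiteDefinition {
        final Pattern defaultPattern = Pattern.compile("^[a-zA-Z0-9 ._-]*$"); // assumed default
        final int defaultMaxLength = 100;
        final Pattern namePattern = Pattern.compile("^[a-zA-Z0-9_]+$");      // parameter-name pattern
        final int maxNameLength = 32;
        final Map<String, ParameterDefinition> params = new HashMap<>();

        /** True only if the parameter name and value pass every applicable check. */
        boolean isValid(String uri, String name, String value) {
            // Name checks use the site-wide settings regardless of which parameter it is.
            if (name == null || name.length() > maxNameLength || !namePattern.matcher(name).matches()) return false;
            ParameterDefinition def = params.get(name);
            Pattern p = def != null ? def.pattern : defaultPattern;
            int max = def != null ? def.maxLength : defaultMaxLength;
            boolean allowBlank = def != null && !def.allowBlank ? false : true;
            // A defined parameter may be restricted to specific URIs; undefined ones are not.
            if (def != null && def.allowedUris != null && !def.allowedUris.contains(uri)) return false;
            if (value == null || value.isEmpty()) return allowBlank;
            if (value.length() > max) return false;
            return p.matcher(value).matches();
        }
    }

    public static void main(String[] args) {
        SiteDefinition site = new SiteDefinition();
        site.params.put("email", new ParameterDefinition("^[^@\\s]+@[^@\\s]+\\.[a-z]{2,}$",
                Arrays.asList("/register", "/profile"), 64, false));
        System.out.println(site.isValid("/register", "email", "alice@example.com")); // defined parameter, allowed URI
        System.out.println(site.isValid("/search", "email", "alice@example.com"));   // URI outside the allowed list
        System.out.println(site.isValid("/register", "email", ""));                  // blank, but blanks disallowed
        System.out.println(site.isValid("/search", "q", "esapi fields"));            // undefined parameter: defaults apply
        System.out.println(site.isValid("/search", "q", "<script>"));                // rejected by the default pattern
    }
}
```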

From [email protected] on February 26, 2012 12:46:36

We have used Jdeveloper and Ant for development and compilation, but the attached zip file contains all Eclipse settings and projects included in the ESAPI 1.4 download.

The zip file contains the following projects:

  1. Esapi: The Esapi api 1.4
  2. EsapiTest: JUnit tests
  3. Web-Tester: Test web application.
  4. Diagrams: Jdeveloper Diagram project, ignore.

meg23 avatar Nov 13 '14 18:11 meg23

From [email protected] on June 25, 2012 05:55:18

I am reminded again by a blog post by Will Stranathan about the e-v-i-l-s of XML for configuration. So if this is something that we would expect an operations or system administration team to have to edit, I think XML is a bad idea.

For details, see: http://will.thestranathans.com/post/20241350046/stop-it

meg23 avatar Nov 13 '14 18:11 meg23

From [email protected] on June 26, 2012 10:42:51

I did not read about the evils of XML conf on the post you mention. Just some frustration. Who is Will Stranathan? Is he a contributor to ESAPI?

meg23 avatar Nov 13 '14 18:11 meg23

From [email protected] on November 13, 2014 10:21:39

Labels: Type-Task

meg23 avatar Nov 13 '14 18:11 meg23