Kevin W. Wall
@davewichers and @spassarop - Okay, I looked at this, and from ESAPI's perspective, we just adjusted our JUnit tests in ESAPI at: https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java to agree with whatever 1.7.5 was producing....
The Java Encoder project doesn't do sanitization. It does output encoding. Same if you are using ESAPI's Encoder methods. If you want sanitization, use the OWASP HTML Sanitizer project or...
@ricardonostrum - I'm not saying that. I merely was trying to point out that you used the word 'sanitize' (implying HTML sanitization) and that's not what the Java Encoder Project...
@Manicode - I can submit a PR to fix this for you if you want, but I am away on business with only a company laptop, so I likely won't be...
@TheMarvelFan - I never heard back from @Manicode (but perhaps that's because he's not using GH handle @jmanico) so I never submitted a PR. But given that I and on...
Sure. I'll create a PR for it as soon as the new ESAPI 2.5.3.0 release is available from Maven Central. Should have that done by this Friday at the latest....
@casid - It looks as though a simple grep of the code base shows that it affects all the encoder tags under 'jsp/src/main/java/org/owasp/encoder/tag' so that would be 19 files that...
When I worked at WF doing secure code reviews, unless the application under review was explicitly checking the User-Agent request header and rejecting certain browsers, we always assumed that someone,...
Now _that_ is how you write a bug report. Kudos to you @JerryDevis.
@JerryDevis - I guess I really should have asked first, but I really thought that you deserved a shout-out for this, so I gave you one on a [LinkedIn post](https://www.linkedin.com/feed/update/urn:li:activity:7186545513054281728/)....