Howto sanitize inputs

Léa Massiot picture Léa Massiot · Jun 22, 2014 · Viewed 25.4k times · Source

I am willing to use "OWASP ESAPI for Java" to sanitize users inputs when they submits forms in a Tomcat Webapp.

I used to use org.apache.commons.lang.StringEscapeUtils like this:

public static String myEscapeHtml(String s)
{
    String s_escapedString = null;       
    s_escapedString = StringEscapeUtils.escapeHtml(s);
    return s_escapedString;
}

I don't know anymore if this is good enough to protect the webapp "reasonably"...

I would like to know what lines of code I should write to use the OWASP ESAPI to sanitize a Tomcat webapp user inputs.

Can you give an example in which one or several ESAPI "filters" (escaping?, encoding? ...) would be applied to a string to sanitize it?

The backend RDBMS is PostgreSQL.

The Tomcat server can either be be running on a Linux server or on a Windows server.

Thank you and best regards.

Answer

avgvstvs picture avgvstvs · Jan 22, 2015

For input validation, you'll use org.owasp.esapi.reference.DefaultValidator.

If you want to define your own validation rules in validation.properties, the technique to do that is demonstrated in answers to this question.

For output escaping, that's actually quite easier. Preferably when inserting data into an object that will be sent to the presentation layer, you'll want to use String output = ESAPI.encoder().escapeForHTML(String s); methods.

The full list of methods is defined in org.owasp.esapi.Encoder.