ESAPI Swingset Interactive - Encoding
Tutorial
Encoding, closely related to Escaping is a powerful mechanism to help protect against many types of attack, especially injection attacks and Cross-site Scripting (XSS). Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. So, for example, using HTML entity encoding before sending untrusted data into a browser will protect against many forms of Cross-site Scripting (XSS).Considerations:
What interpreter?
To encode properly, you need to know what interpreters the data might end up in. For example, if the data is going into a SQL interpreter, you should consider encoding based on syntax of the SQL engine you are using.
What characters? Complete?
You want to make sure that you encode all the characters that might cause a problem, so the best approach is to use a positive encoding scheme, where all characters except a minimal known good set are encoded.
What encoding scheme?
There are dozens of ways to encode characters and many interpreters allow multiple forms of a single significant character. For a browser, HTML entity encoding is a good way to prevent script injection, but URL encoding or Unicode encoding (%xx) will not prevent scripts from running. Be sure to use the appropriate encoding scheme for the target interpreter.
Double encoding and decoding?
Be careful not to double encode your data. In some cases, doubly encoding data can inadvertently introduce special characters in the final output. Also, be aware that some processors may automatically undo your encoding. There is some evidence that XML processors are decoding HTML entity encoding, thus reintroducing potential XSS problems.
Using ESAPI for encoding & decoding:
ESAPI's Encoder interface contains a number of methods for decoding input and encoding output.
//sample usage of ESAPI's Encoder interface
ESAPI.encoder().encodeForHTML(input)
- String canonicalize(String input) This method performs canonicalization on data received to ensure that it has been reduced to its most basic form before validation.
- String canonicalize(String input, boolean strict) This method performs canonicalization on data received to ensure that it has been reduced to its most basic form before validation.
- decodeFromBase64(String input) Decode data encoded with BASE-64 encoding.
- decodeFromURL(String input) Decode from URL.
- encodeForBase64(byte[] input, boolean wrap) Encode for Base64.
- encodeForCSS(String input) Encode data for use in Cascading Style Sheets (CSS) content.
- encodeForDN(String input) Encode data for use in an LDAP distinguished name.
- encodeForHTML(String input) Encode data for use in HTML using HTML entity encoding.
- encodeForHTMLAttribute(String input) Encode data for use in HTML attributes.
- encodeForJavaScript(String input) Encode data for insertion inside a data value in JavaScript.
- encodeForLDAP(String input) Encode data for use in LDAP queries.
- encodeForOS(Codec codec, String input) Encode for an operating system command shell according to the selected codec (appropriate codecs include the WindowsCodec and UnixCodec).
- encodeForSQL(Codec codec, String input) Encode input for use in a SQL query, according to the selected codec (appropriate codecs include the MySQLCodec and OracleCodec).
- encodeForURL(String input) Encode for use in a URL.
- encodeForVBScript(String input) Encode data for insertion inside a data value in a Visual Basic script.
- encodeForXML(String input) Encode data for use in an XML element.
- encodeForXMLAtribute(String input) Encode data for use in an XML attribute.
- encodeForXPath(String input) Encode data for use in an XPath query.
- normalize(String input) Reduce all non-ascii characters to their ASCII form so that simpler validation rules can be applied.