├── .gitignore ├── 404.html ├── Gemfile ├── README.md ├── _config.yml ├── assets └── images │ ├── OWASP-20th.jpeg │ └── README.md ├── index.md ├── info.md ├── leaders.md ├── tab_accent.md ├── tab_deploy.md ├── tab_example.md ├── tab_news.md ├── tab_numbers.md ├── tab_templates.md └── tab_use.md /.gitignore: -------------------------------------------------------------------------------- 1 | __pycache__ 2 | env 3 | .vscode 4 | _site/ 5 | -------------------------------------------------------------------------------- /404.html: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | title: 404 - Not Found 4 | layout: col-generic 5 | 6 | --- 7 | 8 |

9 |

10 |

WHOA THAT PAGE CANNOT BE FOUND

11 |

Try the SEARCH function in the main navigation to find something. If you are looking for chapter information, please see Chapters for the correct chapter. For information about OWASP projects see Projects. For common attacks, vulnerabilities, or information about other community-led contributions see Contributed Content.

12 | 13 |

14 |

If all else fails you can search our historical site.

15 |

16 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | group :jekyll_plugins do 3 | gem "github-pages" 4 | end -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # www-project-java-encoder 2 | 3 | The code for the web page for OWASP Java Encoder 4 | Webpage can be fond at: https://owasp.org/www-project-java-encoder/ 5 | -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- 1 | remote_theme: "owasp/www--site-theme@main" 2 | plugins: 3 | - jekyll-include-cache-0.2.0 -------------------------------------------------------------------------------- /assets/images/OWASP-20th.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/www-project-java-encoder/21311935502db5554489bfb10cde440ea68dc518/assets/images/OWASP-20th.jpeg -------------------------------------------------------------------------------- /assets/images/README.md: -------------------------------------------------------------------------------- 1 | # placeholder 2 | 3 | Put images you wish to link to in this folder 4 | 5 | link would be in form /assets/images/ 6 | -------------------------------------------------------------------------------- /index.md: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | layout: col-sidebar 4 | title: OWASP Java Encoder 5 | tags: java-encoder-tag 6 | level: 0 7 | type: code 8 | 9 | --- 10 | 11 | ## About 12 | 13 | The OWASP Java Encoder is a Java 1.8+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting! 14 | 15 | Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts (primarily JavaScript) are injected into otherwise trusted web sites. One of the primary defenses to stop Cross Site Scripting is a technique called Contextual Output Encoding. WARNING: Please note that XSS prevention requires other defensive strategies besides encoding! For more information, please read the [Cross Site Scripting prevention cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html). 16 | 17 | We actively track project issues and seek to remediate any issues that arise. The project owners feel this project is stable and ready for production use and are seeking project status promotion. 18 | 19 | Happy Encoding! 20 | 21 | ## Getting Started 22 | 23 | The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.3.0.jar, import org.owasp.encoder.Encode and start encoding. 24 | 25 | Please look at the javadoc for [Encode](https://javadoc.io/doc/org.owasp.encoder/encoder/latest/index.html), to see the variety of contexts for which you can encode. Tag libraries and JSP EL functions can be found in the encoder-jsp-1.3.0.jar. 26 | 27 | ## Licensing 28 | 29 | The OWASP Java Encoder is free to use under the New BSD License. 30 | 31 | ## GitHub 32 | 33 | Extensive documentation on how to use this project can be found in our [GitHub repository](https://github.com/OWASP/owasp-java-encoder). 34 | 35 | -------------------------------------------------------------------------------- /info.md: -------------------------------------------------------------------------------- 1 | [![OWASP 20th Anniversary Image](assets/images/OWASP-20th.jpeg)](https://20thanniversary.owasp.org/) 2 | 3 | ### Code Repository 4 | * [GitHub](https://github.com/OWASP/owasp-java-encoder/) 5 | 6 | ## Downloads 7 | * [encoder-1.3.1.jar](https://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder/1.3.1/encoder-1.3.1.jar) 8 | * [encoder-jsp-1.3.1.jar](https://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.3.1/encoder-jsp-1.3.1.jar) 9 | -------------------------------------------------------------------------------- /leaders.md: -------------------------------------------------------------------------------- 1 | ### Leaders 2 | * [Jim Manico](mailto:jim@owasp.org) 3 | * [Jeff Ichnowski](mailto:jeff.ichnowski@owasp.org) 4 | -------------------------------------------------------------------------------- /tab_accent.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Accent 3 | displaytext: Grave Accent 4 | layout: null 5 | tab: true 6 | order: 4 7 | tags: java-encoder-tag 8 | --- 9 | 10 | ## Grave Accent Issue 11 | 12 | The following describes the Grave Accent XSS issue with unpatched versions of Internet Explorer. Thank you to **Rafay Baloch** for bringing this to our attention and to **Jeff Ichnowski** for the workaround. 13 | 14 | ### Introduction 15 | 16 | The grave accent (\`), ASCII 96, hex 60 ([wikipedia](http://en.wikipedia.org/wiki/Grave_accent)) is subject to a critical flaw in unpatched Internet Explorer. There is no possible encoding of the character that can avoid the issue. For a more in depth presentation on the issue discussed herein, please see [Mario Heidrech's presentation](http://www.slideshare.net/x00mario/the-innerhtml-apocalypse). 17 | 18 | ### Background 19 | 20 | In Internet Explorer, the grave accent is usable as an HTML attribute quotation character, equivalent to single and double quotes. 21 | Specifically, IE treats the following as equivalent: 22 | 23 | ```xml 24 | 25 | 26 | ``` 27 | 28 | It is an IE extension, is not in HTML specifications 29 | ([HTML4](http://www.w3.org/TR/REC-html40/intro/sgmltut.html#h-3.2.2), 30 | [HTML5](http://www.w3.org/TR/html5/syntax.html#attributes-0)), and is probably not well supported in other browsers. 31 | 32 | ### The Issue 33 | 34 | The following HTML snippet, demonstrates the cross-site scripting vulnerability related to grave accents on unpatched Internet Explorer: 35 | 36 | ```xml 37 |

38 | 39 |

40 | 41 |

42 |

43 | 44 | 47 | ``` 48 | 49 | When this snippet is run in Internet Explorer the following steps happen: 50 | 51 | 1. Two div elements are created with id's "a" and "b" 52 | 2. The script executes "a.innerHTML" which returns: 53 | 54 | ```xml 55 | 56 | ``` 57 | 58 | 3. The script sets "b.innerHTML" to the value from (2) and is converted to the DOM equivalent of 59 | 60 | ```xml 61 | 62 | ``` 63 | 64 | The XSS issue arises from IE returning a value from innerHTML that it does not parse back into the original DOM. Patched version of IE fix this issue by returning the XSS value as a double-quoted attribute. The issue is complicated by the fact that no possible encoding of the grave accent can avoid this issue. 65 | 66 | When... 67 | 68 | ```xml 69 | 70 | ``` 71 | 72 | ...is the input, "a.innerHTML" returns the same XSS vector as it does without the encoding. 73 | 74 | ### Recommend Solution 75 | 76 | Our recommended workaround is to update any JavaScript based innerHTML read to replace the accent grave with a numeric entity encoded form: "\`". 77 | 78 | As an example, the following change to the XSS vulnerable code above fixes the issue: 79 | 80 | ```xml 81 | 84 | ``` 85 | 86 | This can be done in any library code that reads the innerHTML. To follow how this addresses the issue, the innerHTML from step 2 of the issue is converted to: 87 | 88 | ```xml 89 | 90 | ``` 91 | 92 | Since the browser will no longer see the grave accents as an empty attribute, it will convert the input back to a copy of its original DOM. 93 | 94 | ### Other Possible Solutions 95 | 96 | As there is no encoding option available, the following options are available to web application authors: 97 | 98 | 1. Do not use innerHTML copies 99 | 2. Filter out the accent grave from any user input 100 | 3. Clean up grave accents when using an innerHTML copy 101 | 102 | ### OWASP Java Encoder Library Related Changes 103 | 104 | The OWASP Java Encoder Library at its core is intended to be a XSS safe 105 | _encoding_ library. The grave accent is a legitimate and frequently 106 | used character, that cannot be encoded to avoid this bug in unpatched 107 | versions of IE. With enough user feedback, we may update the library to 108 | include one of the following options: (1) alternate, drop-in build that 109 | filters grave accents, with unchanged API, (2) new filtering methods. 110 | -------------------------------------------------------------------------------- /tab_deploy.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Deploy 3 | layout: null 4 | tab: true 5 | order: 6 6 | tags: java-encoder-tag 7 | --- 8 | 9 | ## How to Deploy the Java Encoder 10 | 11 | The OWASP Java Encoder version 1.3.0 is now available in central 12 | 13 | [OWASP Encoder at MavenCentral](http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22). 14 | 15 | ### Core 16 | Direct Download: 17 | [encoder-1.3.0.jar](http://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder/1.3.0/encoder-1.3.0.jar) 18 | 19 | #### Maven 20 | 21 | 22 | org.owasp.encoder 23 | encoder 24 | 1.3.0 25 | 26 | 27 | ### Jakarta JSP Tag Library 28 | 29 | Direct Download: 30 | [encoder-jsp-1.3.0.jar](https://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jakarta-jsp/1.3.0/encoder-jakarta-jsp-1.3.0.jar) 31 | 32 | #### Maven 33 | 34 | 35 | org.owasp.encoder 36 | encoder-jakarta-jsp 37 | 1.3.0 38 | 39 | 40 | ### JSP Tag Library 41 | 42 | Direct Download: 43 | [encoder-jsp-1.3.0.jar](https://search.maven.org/remotecontent?filepath=org/owasp/encoder/encoder-jsp/1.3.0/encoder-jsp-1.3.0.jar) 44 | 45 | #### Maven 46 | 47 | 48 | org.owasp.encoder 49 | encoder-jsp 50 | 1.3.0 51 | 52 | -------------------------------------------------------------------------------- /tab_example.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Example 3 | layout: null 4 | tab: true 5 | order: 1 6 | tags: example-tag 7 | --- 8 | 9 | ## Example 10 | 11 | Put whatever you like here: news, screenshots, features, supporters, or remove this file and don't use tabs at all. 12 | -------------------------------------------------------------------------------- /tab_news.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: News 3 | layout: null 4 | tab: true 5 | order: 7 6 | tags: java-encoder-tag 7 | --- 8 | 9 | ## News and Events 10 | 11 | * [20 August 2024] 1.3.1 Released! 12 | * [2 August 2024] 1.3.0 Released! 13 | * [8 November 2020] 1.2.3 Released! 14 | * [24 July 2020] GitHub migration complete!!! 15 | * [14 September 2018] 1.2.2 Released! 16 | * [19 February 2017] 1.2.1 Released! 17 | * [11 June 2016] No reported issues and library use is strong! 18 | * [1 May 2015] Moved to GitHub 19 | * [12 Apr 2015] 1.2 Released! 20 | * [10 Apr 2015] GitHub move 21 | * [1 Feb 2015] Removed ThreadLocal 22 | * [20 Mar 2014] Doc additions 23 | * [5 Feb 2014] New Wiki 24 | * [4 Feb 2014] 1.1.1 Released -------------------------------------------------------------------------------- /tab_numbers.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Numbers 3 | displaytext: Numbers 4 | layout: null 5 | tab: true 6 | order: 3 7 | tags: java-encoder-tag 8 | --- 9 | 10 | ## How to Handle Numbers 11 | 12 | Numbers don’t need encoding since they cannot cause XSS. There are no numbers that will break out of a javascript context. 13 | 14 | **If (and only if) ‘javaNumber’ is a numeric type (primitive or box wrapper), just use:** 15 | 16 | ```javascript 17 | var javaScriptNumber = <%= javaNumber %>; 18 | ``` 19 | 20 | This is true even for the special cases of java.lang.Double.POSITIVE_INFINITY, NEGATIVE_INFINITY, NaN, and java.lang.Float equivalents. 21 | 22 | On the other hand, if ‘javaNumber’ is some user provided data that is NOT a numeric type, then you should either (see option 1) convert it to a number on the java side, or (option 2) encode it to a string and handle it on the javascript side. E.g. 23 | 24 | ### Option 1 25 | 26 | ```java 27 | <% 28 | String javaNumber = (untrusted data); 29 | Double actualNumber = Double.parseDouble(javaNumber); //remember to catch NumberFormatException 30 | %> 31 | ``` 32 | 33 | ```javascript 34 | 35 | 38 | ``` 39 | 40 | ### Option 2 41 | 42 | ```java 43 | <% 44 | String javaNumber = (untrusted data); 45 | %> 46 | ``` 47 | 48 | ```javascript 49 | 52 | ``` 53 | -------------------------------------------------------------------------------- /tab_templates.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Templates 3 | displaytext: Template Literals 4 | layout: null 5 | tab: true 6 | order: 5 7 | tags: java-encoder-tag 8 | --- 9 | 10 | 11 | ## Encoding and Template Literals 12 | 13 | In addition to the below examples, taglibs are provided for both Jakarta Servlet Spec and legacy JSP; see the usage tab for more information. 14 | 15 | Several users of the Java Encoder have asked how to properly use the OWASP Java Encoder in combination with template literals. 16 | 17 | The best way to encode template literal variables is to first escape the 18 | untrusted data in a JavaScript variable and then place that variable in 19 | the template literal. 20 | 21 | ```jsp 22 | var user = "<%= Encode.forJavaScript(user) %>"; 23 | Hello ${user}, here is your total: ${total} 24 | ``` 25 | 26 | Another method is to properly escape the variable in-line. 27 | 28 | ```jsp 29 | ${"<%= Encode.forJavaScript(user) $>"}, here is your total ${total} 30 | ``` 31 | -------------------------------------------------------------------------------- /tab_use.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Use 3 | displaytext: How to Use 4 | layout: null 5 | tab: true 6 | order: 2 7 | tags: java-encoder-tag 8 | --- 9 | 10 | ## How to Use the OWASP Java Encoder 11 | 12 | The general API pattern is to utilize the Java Encoder Project in your 13 | user interface code and wrap all variables added dynamically to HTML 14 | with a proper encoding function. The encoding pattern is 15 | "Encode.forContextName(untrustedData)", where "ContextName" is 16 | the name of the target context and "untrustedData" is untrusted output. 17 | 18 | ### Basic HTML Context 19 | 20 | ```java 21 | 22 | <%= Encode.forHtml(UNTRUSTED) %> 23 | 24 | ``` 25 | 26 | ### HTML Content Context 27 | 28 | ```java 29 | 32 | ``` 33 | 34 | ### HTML Attribute context 35 | 36 | ```java 37 | 38 | ``` 39 | Generally Encode.forHtml(UNTRUSTED) is also safe but slightly 40 | less efficient for the above two contexts (for textarea content and 41 | input value text) since it encodes more characters than necessary but 42 | might be easier for developers to use. 43 | 44 | ### Encode URL parameter values 45 | 46 | ```java 47 | 48 | ``` 49 | 50 | ### Encode REST URL parameters 51 | 52 | ```java 53 | 54 | ``` 55 | 56 | ### Handling a Full Untrusted URL 57 | 58 | When handling a full URL with the OWASP Java encoder, first validate to ensure the URL is in the format of a legal URL. 59 | 60 | ```java 61 | String url = validateURL(untrustedInput); 62 | ``` 63 | 64 | Then encode the URL as an HTML attribute when outputting to the page. 65 | Note the linkable text needs to be encoded in a different context. 66 | 67 | ```java 68 | 69 | <%= Encode.forHtmlContent(untrustedLinkName) %> 70 | 71 | ``` 72 | 73 | ### Javascript Block context 74 | 75 | ```javascript 76 | 80 | ``` 81 | 82 | ### Javascript Variable context 83 | 84 | ```java 85 | 88 | ``` 89 | 90 | JavaScript Content Notes: Encode.forJavaScript(UNTRUSTED) is safe for the above two contexts, but encodes more characters and is less efficient. 91 | 92 | ### CSS contexts 93 | 94 | ```java 95 |

96 |

97 | ``` 98 | 99 | ### To use in a JSP with EL 100 | 101 | #### Jakarta Servlet Spec 102 | 103 | If using Jakarta Servlet Spec 5+ use the following dependency and taglib: 104 | 105 | ```xml 106 | 107 | org.owasp.encoder 108 | encoder-jakarta-jsp 109 | 1.3.0 110 | 111 | ``` 112 | 113 | ```jsp 114 | <%@page contentType="text/html;charset=UTF-8" language="java"%> 115 | <%@taglib prefix="c" uri="jakarta.tags.core"%> 116 | <%@taglib prefix="e" uri="owasp.encoder.jakarta"%> 117 | 118 | 119 | 120 | <b><e:forHtml value="${param.title}" /></b> 121 | 122 | 123 | 124 |

125 | ${e:forHtml(param.data)} 126 |

127 | 128 | 129 | ``` 130 | 131 | #### Legacy Servlet Spec 132 | 133 | If using legacy JSP (javax.servlet.jsp) use the following dependency and taglib: 134 | 135 | ```xml 136 | 137 | org.owasp.encoder 138 | encoder-jsp 139 | 1.3.0 140 | 141 | ``` 142 | 143 | ```jsp 144 | <%@page contentType="text/html" pageEncoding="UTF-8"%> 145 | 146 | <%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %> 147 | 148 | 149 | 150 | 151 | <b><e:forHtml value="${param.title}" /></b> 152 | 153 | 154 | 155 |

156 | ${e:forHtml(param.data)} 157 |

158 | 159 | 160 | ``` 161 | --------------------------------------------------------------------------------