org.owasp.esapi.reference

Class DefaultEncoder

java.lang.Object

org.owasp.esapi.reference.DefaultEncoder

All Implemented Interfaces:

Encoder

public class DefaultEncoder
extends java.lang.Object
implements Encoder

Reference implementation of the Encoder interface. This implementation takes a whitelist approach to encoding, meaning that everything not specifically identified in a list of "immune" characters is encoded.

Since:

June 1, 2007

See Also:

Encoder

Field Summary

Fields

Modifier and Type	Field and Description
private java.util.List	codecs
private CSSCodec	cssCodec
private HTMLEntityCodec	htmlCodec
private static char[]	IMMUNE_CSS
private static char[]	IMMUNE_HTML Character sets that define characters (in addition to alphanumerics) that are immune from encoding in various formats
private static char[]	IMMUNE_HTMLATTR
private static char[]	IMMUNE_JAVASCRIPT
private static char[]	IMMUNE_OS
private static char[]	IMMUNE_SQL
private static char[]	IMMUNE_VBSCRIPT
private static char[]	IMMUNE_XML
private static char[]	IMMUNE_XMLATTR
private static char[]	IMMUNE_XPATH
private JavaScriptCodec	javaScriptCodec
private Logger	logger
private PercentCodec	percentCodec
private static Encoder	singletonInstance
private VBScriptCodec	vbScriptCodec
private XMLEntityCodec	xmlCodec

Fields inherited from interface org.owasp.esapi.Encoder

CHAR_ALPHANUMERICS, CHAR_DIGITS, CHAR_LETTERS, CHAR_LOWERS, CHAR_PASSWORD_DIGITS, CHAR_PASSWORD_LETTERS, CHAR_PASSWORD_LOWERS, CHAR_PASSWORD_SPECIALS, CHAR_PASSWORD_UPPERS, CHAR_SPECIALS, CHAR_UPPERS

Constructor Summary

Constructors

Modifier	Constructor and Description
private	DefaultEncoder() Instantiates a new DefaultEncoder
	DefaultEncoder(java.util.List<java.lang.String> codecNames)

Method Summary

Modifier and Type	Method and Description
java.lang.String	canonicalize(java.lang.String input) This method is equivalent to calling
java.lang.String	canonicalize(java.lang.String input, boolean strict) This method is the equivalent to calling
java.lang.String	canonicalize(java.lang.String input, boolean restrictMultiple, boolean restrictMixed) Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form.
java.lang.String	decodeForHTML(java.lang.String input) Decodes HTML entities.
byte[]	decodeFromBase64(java.lang.String input) Decode data encoded with BASE-64 encoding.
java.lang.String	decodeFromURL(java.lang.String input) Decode from URL.
java.lang.String	encodeForBase64(byte[] input, boolean wrap) Encode for Base64.
java.lang.String	encodeForCSS(java.lang.String input) Encode data for use in Cascading Style Sheets (CSS) content.
java.lang.String	encodeForDN(java.lang.String input) Encode data for use in an LDAP distinguished name.
java.lang.String	encodeForHTML(java.lang.String input) Encode data for use in HTML using HTML entity encoding
java.lang.String	encodeForHTMLAttribute(java.lang.String input) Encode data for use in HTML attributes.
java.lang.String	encodeForJavaScript(java.lang.String input) Encode data for insertion inside a data value or function argument in JavaScript.
java.lang.String	encodeForLDAP(java.lang.String input) Encode data for use in LDAP queries.
java.lang.String	encodeForOS(Codec codec, java.lang.String input) Encode for an operating system command shell according to the selected codec (appropriate codecs include the WindowsCodec and UnixCodec).
java.lang.String	encodeForSQL(Codec codec, java.lang.String input) Encode input for use in a SQL query, according to the selected codec (appropriate codecs include the MySQLCodec and OracleCodec).
java.lang.String	encodeForURL(java.lang.String input) Encode for use in a URL.
java.lang.String	encodeForVBScript(java.lang.String input) Encode data for insertion inside a data value in a Visual Basic script.
java.lang.String	encodeForXML(java.lang.String input) Encode data for use in an XML element.
java.lang.String	encodeForXMLAttribute(java.lang.String input) Encode data for use in an XML attribute.
java.lang.String	encodeForXPath(java.lang.String input) Encode data for use in an XPath query.
static Encoder	getInstance()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

singletonInstance

private static volatile Encoder singletonInstance

codecs

private java.util.List codecs

htmlCodec

private HTMLEntityCodec htmlCodec

xmlCodec

private XMLEntityCodec xmlCodec

percentCodec

private PercentCodec percentCodec

javaScriptCodec

private JavaScriptCodec javaScriptCodec

vbScriptCodec

private VBScriptCodec vbScriptCodec

cssCodec

private CSSCodec cssCodec

logger

private final Logger logger

IMMUNE_HTML

private static final char[] IMMUNE_HTML

Character sets that define characters (in addition to alphanumerics) that are immune from encoding in various formats

IMMUNE_HTMLATTR

private static final char[] IMMUNE_HTMLATTR

IMMUNE_CSS

private static final char[] IMMUNE_CSS

IMMUNE_JAVASCRIPT

private static final char[] IMMUNE_JAVASCRIPT

IMMUNE_VBSCRIPT

private static final char[] IMMUNE_VBSCRIPT

IMMUNE_XML

private static final char[] IMMUNE_XML

IMMUNE_SQL

private static final char[] IMMUNE_SQL

IMMUNE_OS

private static final char[] IMMUNE_OS

IMMUNE_XMLATTR

private static final char[] IMMUNE_XMLATTR

IMMUNE_XPATH

private static final char[] IMMUNE_XPATH

Constructor Detail

DefaultEncoder

private DefaultEncoder()

Instantiates a new DefaultEncoder

DefaultEncoder

public DefaultEncoder(java.util.List<java.lang.String> codecNames)

Method Detail

getInstance

public static Encoder getInstance()

canonicalize

public java.lang.String canonicalize(java.lang.String input)

This method is equivalent to calling

Encoder.canonicalize(input, restrictMultiple, restrictMixed);

The default values for restrictMultiple and restrictMixed come from ESAPI.properties

 Encoder.AllowMultipleEncoding=false
 Encoder.AllowMixedEncoding=false
 

Specified by:

canonicalize in interface Encoder

Parameters:

input - the text to canonicalize

Returns:

a String containing the canonicalized text

See Also:

canonicalize, W3C specifications

canonicalize

public java.lang.String canonicalize(java.lang.String input,
                                     boolean strict)

This method is the equivalent to calling

Encoder.canonicalize(input, strict, strict);

Specified by:

canonicalize in interface Encoder

Parameters:

input - the text to canonicalize

strict - true if checking for multiple and mixed encoding is desired, false otherwise

Returns:

a String containing the canonicalized text

See Also:

canonicalize, W3C specifications

canonicalize

public java.lang.String canonicalize(java.lang.String input,
                                     boolean restrictMultiple,
                                     boolean restrictMixed)

Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form. This is important, because attackers frequently use encoding to change their input in a way that will bypass validation filters, but still be interpreted properly by the target of the attack. Note that data encoded more than once is not something that a normal user would generate and should be regarded as an attack.

Everyone says you shouldn't do validation without canonicalizing the data first. This is easier said than done. The canonicalize method can be used to simplify just about any input down to its most basic form. Note that canonicalize doesn't handle Unicode issues, it focuses on higher level encoding and escaping schemes. In addition to simple decoding, canonicalize also handles:

• Perverse but legal variants of escaping schemes
• Multiple escaping (%2526 or <)
• Mixed escaping (%26lt;)
• Nested escaping (%%316 or &%6ct;)
• All combinations of multiple, mixed, and nested encoding/escaping (%253c or ┦gt;)

Using canonicalize is simple. The default is just...

     String clean = ESAPI.encoder().canonicalize( request.getParameter("input"));
 

You need to decode untrusted data so that it's safe for ANY downstream interpreter or decoder. For example, if your data goes into a Windows command shell, then into a database, and then to a browser, you're going to need to decode for all of those systems. You can build a custom encoder to canonicalize for your application like this...

     ArrayList list = new ArrayList();
     list.add( new WindowsCodec() );
     list.add( new MySQLCodec() );
     list.add( new PercentCodec() );
     Encoder encoder = new DefaultEncoder( list );
     String clean = encoder.canonicalize( request.getParameter( "input" ));
 

In ESAPI, the Validator uses the canonicalize method before it does validation. So all you need to do is to validate as normal and you'll be protected against a host of encoded attacks.

     String input = request.getParameter( "name" );
     String name = ESAPI.validator().isValidInput( "test", input, "FirstName", 20, false);
 

However, the default canonicalize() method only decodes HTMLEntity, percent (URL) encoding, and JavaScript encoding. If you'd like to use a custom canonicalizer with your validator, that's pretty easy too.

     ... setup custom encoder as above
     Validator validator = new DefaultValidator( encoder );
     String input = request.getParameter( "name" );
     String name = validator.isValidInput( "test", input, "name", 20, false);
 

Although ESAPI is able to canonicalize multiple, mixed, or nested encoding, it's safer to not accept this stuff in the first place. In ESAPI, the default is "strict" mode that throws an IntrusionException if it receives anything not single-encoded with a single scheme. This is configurable in ESAPI.properties using the properties:

 Encoder.AllowMultipleEncoding=false
 Encoder.AllowMixedEncoding=false
 

This method allows you to override the default behavior by directly specifying whether to restrict multiple or mixed encoding. Even if you disable restrictions, you'll still get warning messages in the log about each multiple encoding and mixed encoding received.

     // disabling strict mode to allow mixed encoding
     String url = ESAPI.encoder().canonicalize( request.getParameter("url"), false, false);
 

Specified by:

canonicalize in interface Encoder

Parameters:

input - the text to canonicalize

restrictMultiple - true if checking for multiple encoding is desired, false otherwise

restrictMixed - true if checking for mixed encoding is desired, false otherwise

Returns:

a String containing the canonicalized text

See Also:

W3C specifications

encodeForHTML

public java.lang.String encodeForHTML(java.lang.String input)

Encode data for use in HTML using HTML entity encoding

Note that the following characters: 00-08, 0B-0C, 0E-1F, and 7F-9F

cannot be used in HTML.

Specified by:

encodeForHTML in interface Encoder

Parameters:

input - the text to encode for HTML

Returns:

input encoded for HTML

See Also:

HTML Encodings [wikipedia.org], SGML Specification [w3.org], XML Specification [w3.org]

decodeForHTML

public java.lang.String decodeForHTML(java.lang.String input)

Decodes HTML entities.

Specified by:

decodeForHTML in interface Encoder

Parameters:

input - the String to decode

Returns:

the newly decoded String

encodeForHTMLAttribute

public java.lang.String encodeForHTMLAttribute(java.lang.String input)

Encode data for use in HTML attributes.

Specified by:

encodeForHTMLAttribute in interface Encoder

Parameters:

input - the text to encode for an HTML attribute

Returns:

input encoded for use as an HTML attribute

encodeForCSS

public java.lang.String encodeForCSS(java.lang.String input)

Encode data for use in Cascading Style Sheets (CSS) content.

Specified by:

encodeForCSS in interface Encoder

Parameters:

input - the text to encode for CSS

Returns:

input encoded for CSS

See Also:

CSS Syntax [w3.org]

encodeForJavaScript

public java.lang.String encodeForJavaScript(java.lang.String input)

Encode data for insertion inside a data value or function argument in JavaScript. Including user data directly inside a script is quite dangerous. Great care must be taken to prevent including user data directly into script code itself, as no amount of encoding will prevent attacks there. Please note there are some JavaScript functions that can never safely receive untrusted data as input – even if the user input is encoded. For example:

  <script>
      window.setInterval('<%= EVEN IF YOU ENCODE UNTRUSTED DATA YOU ARE XSSED HERE %>');
  </script>
 

Specified by:

encodeForJavaScript in interface Encoder

Parameters:

input - the text to encode for JavaScript

Returns:

input encoded for use in JavaScript

encodeForVBScript

public java.lang.String encodeForVBScript(java.lang.String input)

Encode data for insertion inside a data value in a Visual Basic script. Putting user data directly inside a script is quite dangerous. Great care must be taken to prevent putting user data directly into script code itself, as no amount of encoding will prevent attacks there. This method is not recommended as VBScript is only supported by Internet Explorer

Specified by:

encodeForVBScript in interface Encoder

Parameters:

input - the text to encode for VBScript

Returns:

input encoded for use in VBScript

encodeForSQL

public java.lang.String encodeForSQL(Codec codec,
                                     java.lang.String input)

Encode input for use in a SQL query, according to the selected codec (appropriate codecs include the MySQLCodec and OracleCodec). This method is not recommended. The use of the PreparedStatement interface is the preferred approach. However, if for some reason this is impossible, then this method is provided as a weaker alternative. The best approach is to make sure any single-quotes are double-quoted. Another possible approach is to use the {escape} syntax described in the JDBC specification in section 1.5.6. However, this syntax does not work with all drivers, and requires modification of all queries.

Specified by:

encodeForSQL in interface Encoder

Parameters:

codec - a Codec that declares which database 'input' is being encoded for (ie. MySQL, Oracle, etc.)

input - the text to encode for SQL

Returns:

input encoded for use in SQL

See Also:

JDBC Specification

encodeForOS

public java.lang.String encodeForOS(Codec codec,
                                    java.lang.String input)

Encode for an operating system command shell according to the selected codec (appropriate codecs include the WindowsCodec and UnixCodec). Please note the following recommendations before choosing to use this method: 1) It is strongly recommended that applications avoid making direct OS system calls if possible as such calls are not portable, and they are potentially unsafe. Please use language provided features if at all possible, rather than native OS calls to implement the desired feature. 2) If an OS call cannot be avoided, then it is recommended that the program to be invoked be invoked directly (e.g., System.exec("nameofcommand" + "parameterstocommand");) as this avoids the use of the command shell. The "parameterstocommand" should of course be validated before passing them to the OS command. 3) If you must use this method, then we recommend validating all user supplied input passed to the command shell as well, in addition to using this method in order to make the command shell invocation safe. An example use of this method would be: System.exec("dir " + ESAPI.encodeForOS(WindowsCodec, "parameter(s)tocommandwithuserinput");

Specified by:

encodeForOS in interface Encoder

Parameters:

codec - a Codec that declares which operating system 'input' is being encoded for (ie. Windows, Unix, etc.)

input - the text to encode for the command shell

Returns:

input encoded for use in command shell

encodeForLDAP

public java.lang.String encodeForLDAP(java.lang.String input)

Encode data for use in LDAP queries.

Specified by:

encodeForLDAP in interface Encoder

Parameters:

input - the text to encode for LDAP

Returns:

input encoded for use in LDAP

encodeForDN

public java.lang.String encodeForDN(java.lang.String input)

Encode data for use in an LDAP distinguished name.

Specified by:

encodeForDN in interface Encoder

Parameters:

input - the text to encode for an LDAP distinguished name

Returns:

input encoded for use in an LDAP distinguished name

encodeForXPath

public java.lang.String encodeForXPath(java.lang.String input)

Encode data for use in an XPath query. NB: The reference implementation encodes almost everything and may over-encode. The difficulty with XPath encoding is that XPath has no built in mechanism for escaping characters. It is possible to use XQuery in a parameterized way to prevent injection. For more information, refer to this article which specifies the following list of characters as the most dangerous: ^&"*';<>(). This paper suggests disallowing ' and " in queries.

Specified by:

encodeForXPath in interface Encoder

Parameters:

input - the text to encode for XPath

Returns:

input encoded for use in XPath

See Also:

XPath Injection [ibm.com], Blind XPath Injection [packetstormsecurity.org]

encodeForXML

public java.lang.String encodeForXML(java.lang.String input)

Encode data for use in an XML element. The implementation should follow the XML Encoding Standard from the W3C.

The use of a real XML parser is strongly encouraged. However, in the hopefully rare case that you need to make sure that data is safe for inclusion in an XML document and cannot use a parse, this method provides a safe mechanism to do so.

Specified by:

encodeForXML in interface Encoder

Parameters:

input - the text to encode for XML

Returns:

input encoded for use in XML

See Also:

XML Encoding Standard

encodeForXMLAttribute

public java.lang.String encodeForXMLAttribute(java.lang.String input)

Encode data for use in an XML attribute. The implementation should follow the XML Encoding Standard from the W3C.

The use of a real XML parser is highly encouraged. However, in the hopefully rare case that you need to make sure that data is safe for inclusion in an XML document and cannot use a parse, this method provides a safe mechanism to do so.

Specified by:

encodeForXMLAttribute in interface Encoder

Parameters:

input - the text to encode for use as an XML attribute

Returns:

input encoded for use in an XML attribute

See Also:

XML Encoding Standard

encodeForURL

public java.lang.String encodeForURL(java.lang.String input)
                              throws EncodingException

Encode for use in a URL. This method performs URL encoding on the entire string.

Specified by:

encodeForURL in interface Encoder

Parameters:

input - the text to encode for use in a URL

Returns:

input encoded for use in a URL

Throws:

EncodingException - if encoding fails

See Also:

URL encoding

decodeFromURL

public java.lang.String decodeFromURL(java.lang.String input)
                               throws EncodingException

Decode from URL. Implementations should first canonicalize and detect any double-encoding. If this check passes, then the data is decoded using URL decoding.

Specified by:

decodeFromURL in interface Encoder

Parameters:

input - the text to decode from an encoded URL

Returns:

the decoded URL value

Throws:

EncodingException - if decoding fails

encodeForBase64

public java.lang.String encodeForBase64(byte[] input,
                                        boolean wrap)

Encode for Base64.

Specified by:

encodeForBase64 in interface Encoder

Parameters:

input - the text to encode for Base64

wrap - the encoder will wrap lines every 64 characters of output

Returns:

input encoded for Base64

decodeFromBase64

public byte[] decodeFromBase64(java.lang.String input)
                        throws java.io.IOException

Decode data encoded with BASE-64 encoding.

Specified by:

decodeFromBase64 in interface Encoder

Parameters:

input - the Base64 text to decode

Returns:

input decoded from Base64

Throws:

java.io.IOException