题
Does OWASP Java Encoder Project escape all XSS? by methods
https://stackoverflow.com/questions/21093003
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianEncode.forHtmlContent(value)
Encode.forJavaScript(value)
Encode.forXml(value)
or better to use other solutions?
What OWASP solution you are advise for Java app?
解决方案
ESAPI is no longer a flagship project for OWASP. There has been no releases since 2013, which means the project is stale.
If all you need is output escaping, use the encoder project. That one is maintained.
No single solution can be guaranteed to sanitize all XSS. You have to allow that a clever attacker might be able to exploit a bug in the HTML sanitizer.
其他提示
Yes, I think if you are looking for encoding API to stop XSS then OWASP Java Encoder is best option. For context based encoding to stooping XSS, I would prefer java encoder over ESAPI
