How can we implement ESAPI output encoding in an application using Java and Spring MVC?

Read many posts and saw this:

<%@ page import="org.owasp.esapi.*" %>
<input type="hidden" name="hidden" value="<%out.print(ESAPI.encoder().encodeForHTML(content));%>"/>

But, in my application all the jsps use spring form tags like the following,

<td>Number: 
        <form:input path="someNo" size="20" maxlength="18" id="firstfield" onkeypress="return PressAButton('submithidden');"/></td>

How can I have an ESAPI implementation for the above code? Is there any other way of implementing output encoding, like creating a filter or something? Any suggestions are greatly appreciated!


Solution

After researching Spring tags a bit, it appears that the data binding happens in framework code, thus preventing you from applying any escaping in the JSP.

One semi-quick win could be defaulting all output to escape HTML. Add this entry in web.xml:

<context-param>
  <param-name>defaultHtmlEscape</param-name>
  <param-value>true</param-value>
</context-param>

The only problem here is that output escaping is a BIG pain... the rules for HTML escaping are different when your value is going to be passed as data to an HTML attribute or a JavaScript function. And there could be some parts of your application where you DO NOT want to HTML-escape, but you should be able to override those with the form tag attribute htmlEscape="false" when you need to.

What you need is to be able to hook the part of Spring tags where it is binding the HTML to the form, but you need to be able to do it so you can escape based on where it's being placed. Escaping rules are different for an HTML attribute as opposed to plain HTML, and again if the value is going to be passed as data to a JavaScript function. So Spring's solution only defends against one category of attack.

These are the only ways out I see, all of them will require work:

  1. Use JSTL tags instead of Spring tags so you can write your variables with ${thisSyntax} and wrap them in ESAPI tags like this:

    <%@ taglib prefix="esapi" uri="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API" %>
    <%-- the uri must match the one declared in the esapi.tld shipped in the ESAPI jar --%>
    <%-- a JSP tag cannot be nested inside a c:out attribute, and c:out would escape the result a second time --%>
    <esapi:encodeForHTML>${variable}</esapi:encodeForHTML>

  2. Follow a solution like what @A. Paul put forward, where you do your context escaping back on the controller side. I'm aware you feel that this isn't an option, but the next solution I'm putting forward is untested.

  3. Implement your own tag library that subclasses org.springframework.web.servlet.tags.form.InputTag, specifically the method writeValue. While ESAPI prevents a lot, I would recommend looking at OWASP's new Encoder project to show you exactly how tricky output encoding is. Ideally your tag library will allow you to utilize either ESAPI's Encoder or this new API.
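Option 3 above, written out as an added example that is not part of the original answer: a JSP tag class that subclasses Spring's InputTag and overrides writeValue so the bound value is run through ESAPI's HTML attribute encoder instead of Spring's generic HTML escaping. The package, class name, tag name and TLD uri are assumptions for illustration; the Spring and ESAPI calls are real.

```java
package example.tags;  // assumed package

import java.beans.PropertyEditor;
import javax.servlet.jsp.JspException;
import org.owasp.esapi.ESAPI;
import org.springframework.util.ObjectUtils;
import org.springframework.web.servlet.tags.form.InputTag;
import org.springframework.web.servlet.tags.form.TagWriter;

/*
 * Register the tag in a TLD (file name and uri are assumptions), e.g. esapi-form.tld:
 *
 *   <tag>
 *     <name>input</name>
 *     <tag-class>example.tags.EsapiInputTag</tag-class>
 *     <body-content>empty</body-content>
 *     <dynamic-attributes>true</dynamic-attributes>
 *     <attribute>
 *       <name>path</name><required>true</required><rtexprvalue>true</rtexprvalue>
 *     </attribute>
 *     <!-- declare size, maxlength, id, onkeypress etc. the same way Spring's
 *          spring-form.tld declares them for the input tag -->
 *   </tag>
 *
 * and use it from the JSP in place of <form:input>:
 *
 *   <%@ taglib prefix="eform" uri="http://example.invalid/esapi-form" %>
 *   <eform:input path="someNo" size="20" maxlength="18" id="firstfield"/>
 */
public class EsapiInputTag extends InputTag {

    @Override
    protected void writeValue(TagWriter tagWriter) throws JspException {
        // Build the display string ourselves rather than via getDisplayString(),
        // so Spring's htmlEscape setting is never applied first (that would
        // double-encode the value when defaultHtmlEscape is true).
        String raw = rawDisplayString();

        // The value lands inside value="...", i.e. an HTML attribute context,
        // so use the attribute encoder, not encodeForHTML(). TagWriter itself
        // does not escape attribute values.
        String encoded = ESAPI.encoder().encodeForHTMLAttribute(raw);
        tagWriter.writeAttribute("value", encoded);
        // Spring 3.1+ additionally passes the value through processFieldValue()
        // for a RequestDataValueProcessor; add that call if you rely on one.
    }

    // Mirrors what Spring does before escaping: format the bound value with its
    // PropertyEditor when one is registered, otherwise fall back to toString().
    private String rawDisplayString() throws JspException {
        Object value = getBoundValue();
        PropertyEditor editor = getPropertyEditor();
        if (editor != null && !(value instanceof String)) {
            try {
                editor.setValue(value);
                String text = editor.getAsText();
                if (text != null) {
                    return text;
                }
            } catch (IllegalArgumentException ignored) {
                // editor could not render the value; use the default rendering
            }
        }
        return ObjectUtils.getDisplayString(value);
    }
}
```

The same pattern applies to the other form tags (TextareaTag writes its value as element body, so that subclass would use encodeForHTML instead), which is how you get the context-dependent encoding the answer asks for while keeping the form-binding code untouched.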

Other tips

Just a thought, not sure if this is what you are looking for.

Can you use the code below in Java to change the data in the bean itself and then send it to the user interface?

// getLogEncodingRequired() is ESAPI's flag for encoding log output; here it
// gates whether the HTML-encoded copy is what gets handed to the view.
String data = message;
if (ESAPI.securityConfiguration().getLogEncodingRequired()) {
    data = ESAPI.encoder().encodeForHTML(message);
}

You can check the URL below: http://www.jtmelton.com/tag/esapi/
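The controller-side approach from this answer (option 2 of the accepted answer), carried a step further as an added example that is not part of either answer: the same stored value is encoded three different ways depending on where the view will place it, which is the part plain HTML escaping in the bean misses. Controller, bean, handler and view names are assumptions; the ESAPI Encoder methods are real.

```java
package example.web;  // assumed package

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class NumberController {

    /** Form-backing bean for the <form:input path="someNo"/> field in the question. */
    public static class NumberForm {
        private String someNo;
        public String getSomeNo() { return someNo; }
        public void setSomeNo(String someNo) { this.someNo = someNo; }
    }

    @RequestMapping("/number")
    public String show(Model model) {
        String raw = loadSomeNo();      // assumed repository read
        Encoder enc = ESAPI.encoder();

        // 1. Bound into value="..." by
        //    <form:input path="someNo" htmlEscape="false"/>
        //    so it needs attribute encoding. htmlEscape="false" on that tag
        //    (or defaultHtmlEscape left unset) stops Spring encoding it again.
        NumberForm form = new NumberForm();
        form.setSomeNo(enc.encodeForHTMLAttribute(raw));
        model.addAttribute("numberForm", form);

        // 2. Rendered as element text with ${someNoText}: HTML body encoding.
        model.addAttribute("someNoText", enc.encodeForHTML(raw));

        // 3. Placed inside an inline <script> block as a string literal,
        //    e.g. var n = '${someNoJs}';  -- JavaScript encoding. HTML
        //    escaping would not make this context safe.
        model.addAttribute("someNoJs", enc.encodeForJavaScript(raw));

        return "number";  // assumed view name
    }

    private String loadSomeNo() {
        // Constructed sample input standing in for a database read: it tries
        // to break out of the attribute and add an event handler.
        return "12\" onfocus=\"alert(1)";
    }
}
```

Encode only on the way out to the view, never before persisting: the browser decodes the entities in value="..." before it posts the field back, so the round trip through the form is fine, but a bean saved with the encoded copy would be double-encoded the next time it is displayed.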

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow