I don't see where you imported ESAPI in the JSP.
Try this:
<%@ page language="java" %>
<%@ taglib uri="/WEB-INF/struts-bean.tld" prefix="bean" %>
<%@ taglib uri="/WEB-INF/struts-html.tld" prefix="html" %>
<%@ taglib uri="/WEB-INF/struts-tiles.tld" prefix="tiles" %>
<%@ page import="java.net.*, org.owasp.esapi.ESAPI, org.owasp.esapi.Validator" %>
<%
    // The value being validated has to live on the Java side: a scriptlet cannot
    // read a JavaScript variable. Fixed sample value here; normally it comes from the request.
    String userURL = "http://www.google.com";
    boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
%>
<script type="text/javascript">
function validateForm()
{
    // A JSP expression tag writes the Java boolean into the page; a plain scriptlet emits nothing.
    var isValidURL = <%= isValidURL %>;
    if (isValidURL) {
        alert("true");
    } else {
        alert("false");
    }
}
</script>
Also note, I'd highly suggest doing the validation in the receiving controller and not in the JSP... the overhead for JSP compilation is murder without adding the overhead of parsing input. The other warning I'll give you is that if you note the ESAPI documentation, calling isValidInput() ignores canonicalization, which is absolutely critical. You'll want to use getValidInput() instead. If you feel you need to use isValidInput() then you'll want to ensure you make a manual call to canonicalize(), which is a method in the Encoder class. Also, please note that this line:
var isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
is making a critical mistake in that ESAPI is not a JavaScript library. This call should look like this:
var isValidURL = <%= ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false) %>;
And in general, as stated above, you want to do this validation on the controller that will be using this JSP as input, not on the JSP itself. (Scriptlets are slow and should be avoided.)
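The controller-side version of the check described above, as an added example that is neither the answer's own code nor ESAPI's: a servlet that validates the URL with getValidInput() (which canonicalizes and returns the canonical value) before the JSP ever sees it, plus the manual canonicalize() route for code that must keep isValidInput(). The servlet class, the `url` parameter name and the forward target are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Hypothetical controller: class name, "url" parameter and forward target are
// assumptions made for this example.
public class UrlValidationServlet extends HttpServlet {

    /**
     * Returns the canonicalized, validated URL, or null when the input is rejected.
     * getValidInput() canonicalizes, applies the "URL" rule (Validator.URL in
     * ESAPI.properties) and hands back the canonical form.
     */
    static String validatedUrl(String rawUrl) {
        try {
            return ESAPI.validator().getValidInput("URLContext", rawUrl, "URL", 255, false);
        } catch (ValidationException e) {
            // Did not match the URL rule; e.getUserMessage() holds the user-safe text.
            return null;
        } catch (IntrusionException e) {
            // Canonicalization flagged mixed or multiple encoding; reject outright.
            return null;
        }
    }

    /** The manual route from the answer when isValidInput() has to stay. */
    static boolean isValidUrlAfterCanonicalize(String rawUrl) {
        String canonical = ESAPI.encoder().canonicalize(rawUrl);
        return ESAPI.validator().isValidInput("URLContext", canonical, "URL", 255, false);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String url = validatedUrl(req.getParameter("url"));
        if (url == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid URL");
            return;
        }
        // Only the validated value reaches the view, so the JSP needs no scriptlet.
        req.setAttribute("validatedUrl", url);
        req.getRequestDispatcher("/WEB-INF/result.jsp").forward(req, resp);
    }
}
```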