Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Separate out canonicalization from the Encoder component #18

Open
kwwall opened this issue Jul 30, 2023 · 1 comment
Open

Separate out canonicalization from the Encoder component #18

kwwall opened this issue Jul 30, 2023 · 1 comment

Comments

@kwwall
Copy link
Contributor

kwwall commented Jul 30, 2023

The ESAPI Validator component uses the various Encoder.canonicalize methods, which creates a tight coupling between the Validator and Encoder. We want to avoid that for ESAPI 3, therefore I am proposing to create a lightweight Canonicalizer component and move the Encoder.canonicalize methods to it. That should minimize dependencies for the Validator. ESAPI 3, since it is a major change and thus is permitted to break interfaces, would be a good time to do that.
@xeno6696
Copy link

I totally agree. As I was thinking about how to help Jeff's question, at one point I considered adjusting the sensitivity of the multiple encoding (I believe there's a parameter for that in esapi.properties) and then quickly realized that its a global setting.

No joy there.

@jeremiahjstacey In thinking about how to attack a canonicalizer in the future, I'm thinking that a builder pattern probably looks best? I know that's the path that the HTML Sanitizer uses.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kwwall @xeno6696