
Commit 070d2eb

committed
Added CSS, updated dependencies, added more output escaping samples
1 parent c67cd15 commit 070d2eb

5 files changed

+44
-12
lines changed


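--- a/Ch04_OutputEscaping/pom.xml
+++ b/Ch04_OutputEscaping/pom.xml
@@ -8,7 +8,7 @@
 <name>Ch04_OutputEscaping</name>
 <description>Chapter 4 Output Escaping sample project. Requires a server like Apache Tomcat.
 
-Open the web application in your browser at http://localhost:8080/OutputEscaping/</description>
+Open the web application in your browser at http://localhost:8080/Ch04_OutputEscaping</description>
 <url>https://github.com/dschadow/JavaWebAppSecurity</url>
 
 <properties>
@@ -20,11 +20,17 @@ Open the web application in your browser at http://localhost:8080/OutputEscaping
 <groupId>org.owasp.esapi</groupId>
 <artifactId>esapi</artifactId>
 <version>2.0.1</version>
+<exclusions>
+<exclusion>
+<groupId>javax.servlet</groupId>
+<artifactId>servlet-api</artifactId>
+</exclusion>
+</exclusions>
 </dependency>
 </dependencies>
 
 <build>
-<finalName>OutputEscaping</finalName>
+<finalName>Ch04_OutputEscaping</finalName>
 <plugins>
 <plugin>
 <artifactId>maven-compiler-plugin</artifactId>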
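Review bot: The new `<exclusions>` block (new lines 23–28) removes javax.servlet:servlet-api from the esapi dependency's transitive classpath, and nothing in this hunk declares another servlet API; unless a `provided`-scope servlet dependency exists in the part of `<dependencies>` above line 20, which is outside the hunk, any Java code referencing `javax.servlet` will stop compiling. Keeping the container's own servlet API out of the WAR is the right goal, so the exclusion itself is sound. A comment stating that intent would save the next reader a lookup, e.g. `<!-- servlet API is supplied by the container (Tomcat); keep esapi's copy out of WEB-INF/lib -->` above `<exclusions>`. The esapi version stays pinned inline at 2.0.1; moving it to a property in `<properties>` would give one place to bump it when the project is updated.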

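--- a/Ch04_OutputEscaping/src/main/webapp/index.jsp
+++ b/Ch04_OutputEscaping/src/main/webapp/index.jsp
@@ -3,6 +3,7 @@
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link rel="stylesheet" type="text/css" href="styles.css" />
 <title>Output-Escaping</title>
 </head>
 <body>
@@ -13,9 +14,9 @@
 <form name="noOutputEscaping" method="post" action="noOutputEscaping.jsp">
 <table>
 <tr>
-<td>Name</td>
-<td><input type="text" name="name"></td>
-<td><input type="submit" value="Submit"></td>
+<td><label for="unprotected" title="Name">Name</label></td>
+<td><input type="text" id="unprotected" name="unprotected" /></td>
+<td><input type="submit" value="Submit" /></td>
 </tr>
 </table>
 </form>
@@ -25,9 +26,9 @@
 <form name="withOutputEscaping" method="post" action="withOutputEscaping.jsp">
 <table>
 <tr>
-<td>Name</td>
-<td><input type="text" name="name"></td>
-<td><input type="submit" name="submit" value="Submit"></td>
+<td><label for="protected" title="Name">Name</label></td>
+<td><input type="text" id="protected" name="protected" /></td>
+<td><input type="submit" name="submit" value="Submit" /></td>
 </tr>
 </table>
 </form>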
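Review bot: The `title="Name"` on the two new `<label>` elements (new lines 17 and 29) merely repeats the label's visible text and is not reliably announced by assistive technology; the `for`/`id` pairing already gives the inputs an accessible name, so `<label for="unprotected">Name</label>` and `<label for="protected">Name</label>` are enough. The stylesheet added in this commit defines `.text-input` and `.send-button`, but none of the new `<input>` elements carries either class, so only its `td` and `h1` rules take effect on this page; either add `class="text-input"` / `class="send-button"` to the inputs or drop the unused rules. The renamed parameters `unprotected` and `protected` match what the two target JSPs in this commit read, so the forms stay consistent.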

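--- a/Ch04_OutputEscaping/src/main/webapp/noOutputEscaping.jsp
+++ b/Ch04_OutputEscaping/src/main/webapp/noOutputEscaping.jsp
@@ -3,9 +3,11 @@
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link rel="stylesheet" type="text/css" href="styles.css" />
 <title>Without Output-Escaping</title>
 </head>
 <body>
-<strong>Hello</strong> <%= request.getParameter("name") %>
+<h1>Without Output-Escaping</h1>
+<strong>Hello</strong> <%= request.getParameter("unprotected") %>
 </body>
 </html>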
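Review bot: New line 11 still writes `request.getParameter("unprotected")` into the response without any encoding, which is this sample's purpose, but nothing in the file says so, and a reader lifting the page as a template would carry the defect with it. Add a JSP comment directly above it, e.g. `<%-- Intentionally unescaped: shows what happens without output escaping. Compare withOutputEscaping.jsp; never copy this into real code. --%>`. When the parameter is absent, `getParameter` returns null and the expression prints the literal string `null`, which is harmless here but worth noting when the two pages are compared side by side.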
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
.text-input {
2+
width: 250px;
3+
}
4+
5+
.send-button {
6+
font-size: 115%;
7+
}
8+
9+
h1 {
10+
font-size: 150%;
11+
}
12+
13+
h2 {
14+
font-size: 125%;
15+
}
16+
17+
td {
18+
font-size: 115%;
19+
}

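--- a/Ch04_OutputEscaping/src/main/webapp/withOutputEscaping.jsp
+++ b/Ch04_OutputEscaping/src/main/webapp/withOutputEscaping.jsp
@@ -3,11 +3,15 @@
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<title>With Output-Escaping</title>
+<link rel="stylesheet" type="text/css" href="styles.css" />
+<title>With ESAPI Output-Escaping</title>
 </head>
 <body>
-<h1>ESAPI</h1>
+<h1>With ESAPI Output-Escaping</h1>
 <%@ page import="org.owasp.esapi.ESAPI" %>
-<strong>Hello</strong> <%= ESAPI.encoder().encodeForHTML(request.getParameter("name")) %>
+<p>(html) <strong>Hello</strong> <%= ESAPI.encoder().encodeForHTML(request.getParameter("protected")) %></p>
+<p>(html attribute) <strong>Hello</strong> <%= ESAPI.encoder().encodeForHTMLAttribute(request.getParameter("protected")) %></p>
+<p>(css) <strong>Hello</strong> <%= ESAPI.encoder().encodeForCSS(request.getParameter("protected")) %></p>
+<p>(xml) <strong>Hello</strong> <%= ESAPI.encoder().encodeForXML(request.getParameter("protected")) %></p>
 </body>
 </html>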
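Review bot: The three new samples on new lines 13–15 write the output of `encodeForHTMLAttribute`, `encodeForCSS` and `encodeForXML` into an HTML text node, which is not the context any of those encoders is meant for, while their `(html attribute)`, `(css)` and `(xml)` labels read as if each were a correct use; only line 12 matches encoder to context. The result still renders safely here, since each of those encodings also replaces `<` and `&`, but the sample teaches that the encoder is interchangeable when the point of chapter 4 is that it must match the sink. A JSP comment before line 13 would fix that, e.g. `<%-- Lines below only show what each encoder produces; pick the encoder for the context the value lands in (attribute value, CSS, XML), not the HTML body as here. --%>`. If `protected` is missing from the request, `getParameter` returns null; presumably the ESAPI encoders pass null through and the page prints `null`, which is worth confirming. The page directive on line 11 sits inside `<body>`; it works there, but the usual place is the top of the file.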
