org.owasp.esapi
Interface Encoder

All Known Implementing Classes:
DefaultEncoder

public interface Encoder

The Encoder interface contains a number of methods for decoding input and encoding output so that it will be safe for a variety of interpreters. To prevent double-encoding, callers should make sure input does not already contain encoded characters by calling canonicalize. Validator implementations should call canonicalize on user input before validating to prevent encoded attacks.

All of the methods must use a "whitelist" or "positive" security model. For the encoding methods, this means that all characters should be encoded, except for a specific list of "immune" characters that are known to be safe.

The Encoder performs two key functions, encoding and decoding. These functions rely on a set of codecs that can be found in the org.owasp.esapi.codecs package. These include:

Since:
June 1, 2007
Author:
Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security

Field Summary
static char[] CHAR_ALPHANUMERICS
          Deprecated. Use EncoderConstants.CHAR_ALPHANUMERICS instead
static char[] CHAR_DIGITS
          Deprecated. Use EncoderConstants.CHAR_DIGITS instead
static char[] CHAR_LETTERS
          Deprecated. Use EncoderConstants.CHAR_LETTERS instead
static char[] CHAR_LOWERS
          Deprecated. Use EncoderConstants.CHAR_LOWERS instead
static char[] CHAR_PASSWORD_DIGITS
          Deprecated. Use EncoderConstants.CHAR_PASSWORD_DIGITS instead
static char[] CHAR_PASSWORD_LETTERS
          Deprecated. Use EncoderConstants.CHAR_PASSWORD_LETTERS instead
static char[] CHAR_PASSWORD_LOWERS
          Deprecated. Use EncoderConstants.CHAR_PASSWORD_LOWERS instead
static char[] CHAR_PASSWORD_SPECIALS
          Deprecated. Use EncoderConstants.CHAR_PASSWORD_SPECIALS instead
static char[] CHAR_PASSWORD_UPPERS
          Deprecated. Use EncoderConstants.CHAR_PASSWORD_UPPERS instead
static char[] CHAR_SPECIALS
          Deprecated. Use EncoderConstants.CHAR_SPECIALS instead
static char[] CHAR_UPPERS
          Deprecated. Use EncoderConstants.CHAR_UPPERS instead
 
Method Summary
 java.lang.String canonicalize(java.lang.String input)
          This method is equivalent to calling
 java.lang.String canonicalize(java.lang.String input, boolean strict)
          Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form.
 byte[] decodeFromBase64(java.lang.String input)
          Decode data encoded with BASE-64 encoding.
 java.lang.String decodeFromURL(java.lang.String input)
          Decode from URL.
 java.lang.String encodeForBase64(byte[] input, boolean wrap)
          Encode for Base64.
 java.lang.String encodeForCSS(java.lang.String input)
          Encode data for use in Cascading Style Sheets (CSS) content.
 java.lang.String encodeForDN(java.lang.String input)
          Encode data for use in an LDAP distinguished name.
 java.lang.String encodeForHTML(java.lang.String input)
          Encode data for use in HTML using HTML entity encoding
 java.lang.String encodeForHTMLAttribute(java.lang.String input)
          Encode data for use in HTML attributes.
 java.lang.String encodeForJavaScript(java.lang.String input)
          Encode data for insertion inside a data value in JavaScript.
 java.lang.String encodeForLDAP(java.lang.String input)
          Encode data for use in LDAP queries.
 java.lang.String encodeForOS(Codec codec, java.lang.String input)
          Encode for an operating system command shell according to the selected codec (appropriate codecs include the WindowsCodec and UnixCodec).
 java.lang.String encodeForSQL(Codec codec, java.lang.String input)
          Encode input for use in a SQL query, according to the selected codec (appropriate codecs include the MySQLCodec and OracleCodec).
 java.lang.String encodeForURL(java.lang.String input)
          Encode for use in a URL.
 java.lang.String encodeForVBScript(java.lang.String input)
          Encode data for insertion inside a data value in a Visual Basic script.
 java.lang.String encodeForXML(java.lang.String input)
          Encode data for use in an XML element.
 java.lang.String encodeForXMLAttribute(java.lang.String input)
          Encode data for use in an XML attribute.
 java.lang.String encodeForXPath(java.lang.String input)
          Encode data for use in an XPath query.
 java.lang.String normalize(java.lang.String input)
          Reduce all non-ascii characters to their ASCII form so that simpler validation rules can be applied.
 

Field Detail

CHAR_LOWERS

@Deprecated
static final char[] CHAR_LOWERS
Deprecated. Use EncoderConstants.CHAR_LOWERS instead

CHAR_UPPERS

@Deprecated
static final char[] CHAR_UPPERS
Deprecated. Use EncoderConstants.CHAR_UPPERS instead

CHAR_DIGITS

@Deprecated
static final char[] CHAR_DIGITS
Deprecated. Use EncoderConstants.CHAR_DIGITS instead

CHAR_SPECIALS

@Deprecated
static final char[] CHAR_SPECIALS
Deprecated. Use EncoderConstants.CHAR_SPECIALS instead

CHAR_LETTERS

@Deprecated
static final char[] CHAR_LETTERS
Deprecated. Use EncoderConstants.CHAR_LETTERS instead

CHAR_ALPHANUMERICS

@Deprecated
static final char[] CHAR_ALPHANUMERICS
Deprecated. Use EncoderConstants.CHAR_ALPHANUMERICS instead

CHAR_PASSWORD_LOWERS

@Deprecated
static final char[] CHAR_PASSWORD_LOWERS
Deprecated. Use EncoderConstants.CHAR_PASSWORD_LOWERS instead
Password character set, is alphanumerics (without l, i, I, o, O, and 0) selected specials like + (bad for URL encoding, | is like i and 1, etc...)


CHAR_PASSWORD_UPPERS

@Deprecated
static final char[] CHAR_PASSWORD_UPPERS
Deprecated. Use EncoderConstants.CHAR_PASSWORD_UPPERS instead

CHAR_PASSWORD_DIGITS

@Deprecated
static final char[] CHAR_PASSWORD_DIGITS
Deprecated. Use EncoderConstants.CHAR_PASSWORD_DIGITS instead

CHAR_PASSWORD_SPECIALS

@Deprecated
static final char[] CHAR_PASSWORD_SPECIALS
Deprecated. Use EncoderConstants.CHAR_PASSWORD_SPECIALS instead

CHAR_PASSWORD_LETTERS

@Deprecated
static final char[] CHAR_PASSWORD_LETTERS
Deprecated. Use EncoderConstants.CHAR_PASSWORD_LETTERS instead
Method Detail

canonicalize

java.lang.String canonicalize(java.lang.String input)
                              throws EncodingException
This method is equivalent to calling
Encoder.canonicalize(input, true);

Parameters:
input - the text to canonicalize
Returns:
a String containing the canonicalized text
Throws:
EncodingException - if canonicalization fails
See Also:
W3C specifications

canonicalize

java.lang.String canonicalize(java.lang.String input,
                              boolean strict)
                              throws EncodingException
Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form. This is important, because attackers frequently use encoding to change their input in a way that will bypass validation filters, but still be interpreted properly by the target of the attack. Note that data encoded more than once is not something that a normal user would generate and should be regarded as an attack.

Everyone says you shouldn't do validation without canonicalizing the data first. This is easier said than done. The canonicalize method can be used to simplify just about any input down to its most basic form. Note that canonicalize doesn't handle Unicode issues, it focuses on higher level encoding and escaping schemes. In addition to simple decoding, canonicalize also handles:

Using canonicalize is simple. The default is just...

 
     String clean = ESAPI.encoder().canonicalize( request.getParameter("input"));
 
You need to decode untrusted data so that it's safe for ANY downstream interpreter or decoder. For example, if your data goes into a Windows command shell, then into a database, and then to a browser, you're going to need to decode for all of those systems. You can build a custom encoder to canonicalize for your application like this...
 
     ArrayList list = new ArrayList();
     list.add( new WindowsCodec() );
     list.add( new MySQLCodec() );
     list.add( new PercentCodec() );
     Encoder encoder = new DefaultEncoder( list );
     String clean = encoder.canonicalize( request.getParameter( "input" ));
 
In ESAPI, the Validator uses the canonicalize method before it does validation. So all you need to do is to validate as normal and you'll be protected against a host of encoded attacks.
     String input = request.getParameter( "name" );
     String name = ESAPI.validator().isValidInput( "test", input, "FirstName", 20, false);
 
However, the default canonicalize() method only decodes HTMLEntity, percent (URL) encoding, and JavaScript encoding. If you'd like to use a custom canonicalizer with your validator, that's pretty easy too.
 
     ... setup custom encoder as above
     Validator validator = new DefaultValidator( encoder );
     String input = request.getParameter( "name" );
     String name = validator.isValidInput( "test", input, "name", 20, false);
 
Although ESAPI is able to canonicalize multiple, mixed, or nested encoding, it's safer to not accept this stuff in the first place. In ESAPI, the default is "strict" mode that throws an IntrusionException if it receives anything not single-encoded with a single scheme. Currently this is not configurable in ESAPI.properties, but it probably should be. Even if you disable "strict" mode, you'll still get warning messages in the log about each multiple encoding and mixed encoding received.
     // disabling strict mode to allow mixed encoding
     String url = ESAPI.encoder().canonicalize( request.getParameter("url"), false);
 

Parameters:
input - the text to canonicalize
strict - true if checking for double encoding is desired, false otherwise
Returns:
a String containing the canonicalized text
Throws:
EncodingException - if canonicalization fails
See Also:
W3C specifications

normalize

java.lang.String normalize(java.lang.String input)
Reduce all non-ascii characters to their ASCII form so that simpler validation rules can be applied. For example, an accented-e character will be changed into a regular ASCII e character.

Parameters:
input - the text to normalize
Returns:
a normalized String

encodeForCSS

java.lang.String encodeForCSS(java.lang.String input)
Encode data for use in Cascading Style Sheets (CSS) content.

Parameters:
input - the text to encode for CSS
Returns:
input encoded for CSS
See Also:
CSS Syntax [w3.org]

encodeForHTML

java.lang.String encodeForHTML(java.lang.String input)
Encode data for use in HTML using HTML entity encoding

Note that the following characters: 00-08, 0B-0C, 0E-1F, and 7F-9F

cannot be used in HTML.

Parameters:
input - the text to encode for HTML
Returns:
input encoded for HTML
See Also:
HTML Encodings [wikipedia.org], SGML Specification [w3.org], XML Specification [w3.org]

encodeForHTMLAttribute

java.lang.String encodeForHTMLAttribute(java.lang.String input)
Encode data for use in HTML attributes.

Parameters:
input - the text to encode for an HTML attribute
Returns:
input encoded for use as an HTML attribute

encodeForJavaScript

java.lang.String encodeForJavaScript(java.lang.String input)
Encode data for insertion inside a data value in JavaScript. Putting user data directly inside a script is quite dangerous. Great care must be taken to prevent putting user data directly into script code itself, as no amount of encoding will prevent attacks there.

Parameters:
input - the text to encode for JavaScript
Returns:
input encoded for use in JavaScript

encodeForVBScript

java.lang.String encodeForVBScript(java.lang.String input)
Encode data for insertion inside a data value in a Visual Basic script. Putting user data directly inside a script is quite dangerous. Great care must be taken to prevent putting user data directly into script code itself, as no amount of encoding will prevent attacks there. This method is not recommended as VBScript is only supported by Internet Explorer

Parameters:
input - the text to encode for VBScript
Returns:
input encoded for use in VBScript

encodeForSQL

java.lang.String encodeForSQL(Codec codec,
                              java.lang.String input)
Encode input for use in a SQL query, according to the selected codec (appropriate codecs include the MySQLCodec and OracleCodec). This method is not recommended. The use of the PreparedStatement interface is the preferred approach. However, if for some reason this is impossible, then this method is provided as a weaker alternative. The best approach is to make sure any single-quotes are double-quoted. Another possible approach is to use the {escape} syntax described in the JDBC specification in section 1.5.6. However, this syntax does not work with all drivers, and requires modification of all queries.

Parameters:
codec - a Codec that declares which database 'input' is being encoded for (ie. MySQL, Oracle, etc.)
input - the text to encode for SQL
Returns:
input encoded for use in SQL
See Also:
JDBC Specification

encodeForOS

java.lang.String encodeForOS(Codec codec,
                             java.lang.String input)
Encode for an operating system command shell according to the selected codec (appropriate codecs include the WindowsCodec and UnixCodec).

Parameters:
codec - a Codec that declares which operating system 'input' is being encoded for (ie. Windows, Unix, etc.)
input - the text to encode for the command shell
Returns:
input encoded for use in command shell

encodeForLDAP

java.lang.String encodeForLDAP(java.lang.String input)
Encode data for use in LDAP queries.

Parameters:
input - the text to encode for LDAP
Returns:
input encoded for use in LDAP

encodeForDN

java.lang.String encodeForDN(java.lang.String input)
Encode data for use in an LDAP distinguished name.

Parameters:
input - the text to encode for an LDAP distinguished name
Returns:
input encoded for use in an LDAP distinguished name

encodeForXPath

java.lang.String encodeForXPath(java.lang.String input)
Encode data for use in an XPath query. NB: The reference implementation encodes almost everything and may over-encode. The difficulty with XPath encoding is that XPath has no built in mechanism for escaping characters. It is possible to use XQuery in a parameterized way to prevent injection. For more information, refer to this article which specifies the following list of characters as the most dangerous: ^&"*';<>(). This paper suggests disallowing ' and " in queries.

Parameters:
input - the text to encode for XPath
Returns:
input encoded for use in XPath
See Also:
XPath Injection [ibm.com], Blind XPath Injection [packetstormsecurity.org]

encodeForXML

java.lang.String encodeForXML(java.lang.String input)
Encode data for use in an XML element. The implementation should follow the XML Encoding Standard from the W3C.

The use of a real XML parser is strongly encouraged. However, in the hopefully rare case that you need to make sure that data is safe for inclusion in an XML document and cannot use a parse, this method provides a safe mechanism to do so.

Parameters:
input - the text to encode for XML
Returns:
input encoded for use in XML
See Also:
XML Encoding Standard

encodeForXMLAttribute

java.lang.String encodeForXMLAttribute(java.lang.String input)
Encode data for use in an XML attribute. The implementation should follow the XML Encoding Standard from the W3C.

The use of a real XML parser is highly encouraged. However, in the hopefully rare case that you need to make sure that data is safe for inclusion in an XML document and cannot use a parse, this method provides a safe mechanism to do so.

Parameters:
input - the text to encode for use as an XML attribute
Returns:
input encoded for use in an XML attribute
See Also:
XML Encoding Standard

encodeForURL

java.lang.String encodeForURL(java.lang.String input)
                              throws EncodingException
Encode for use in a URL. This method performs URL encoding on the entire string.

Parameters:
input - the text to encode for use in a URL
Returns:
input encoded for use in a URL
Throws:
EncodingException - if encoding fails
See Also:
URL encoding

decodeFromURL

java.lang.String decodeFromURL(java.lang.String input)
                               throws EncodingException
Decode from URL. Implementations should first canonicalize and detect any double-encoding. If this check passes, then the data is decoded using URL decoding.

Parameters:
input - the text to decode from an encoded URL
Returns:
the decoded URL value
Throws:
EncodingException - if decoding fails

encodeForBase64

java.lang.String encodeForBase64(byte[] input,
                                 boolean wrap)
Encode for Base64.

Parameters:
input - the text to encode for Base64
wrap - the encoder will wrap lines every 64 characters of output
Returns:
input encoded for Base64

decodeFromBase64

byte[] decodeFromBase64(java.lang.String input)
                        throws java.io.IOException
Decode data encoded with BASE-64 encoding.

Parameters:
input - the Base64 text to decode
Returns:
input decoded from Base64
Throws:
java.io.IOException