Have been following the esapi4java-core-2.0-install-guide.pdf for Eclipse and applying it in a Websphere 7.5 environment.
Step 1 - I added the esapi.jar in the libraries (Project > Properties > Java Build Path > Libraries tab > Add External JARs).
Step 2 - I located the esapi & validation .properties files in a folder on my machine.
Step 3 - I selected to add esapi for all run configurations (Windows > Preferences > Java > Installed JREs). I highlighted WebSphere Application Server v7.0 JRE, selected "Edit" and added esapi.jar to that library list. On that same form, I added the -Dorg.owasp.esapi.resources="/path/to/.esapi" argument to the Default VM Arguments prompt, the path to where my esapi & validation .properties files are located.
Here's the code on the JSP page that fails:
<%@ page language="java" %>
<%@ taglib uri="/WEB-INF/struts-bean.tld" prefix="bean" %>
<%@ taglib uri="/WEB-INF/struts-html.tld" prefix="html" %>
<%@ taglib uri="/WEB-INF/struts-tiles.tld" prefix="tiles" %>
<%@ page import="java.net.*" %>
<script type="text/javascript" language="javascript">
function validateForm()
{
    var userURL = "http://www.google.com";
    var isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
    if (isValidURL) {
        alert("true");
    } else {
        alert("false");
    }
}
</script>
Upon executing this bit of code, I get the error: 'ESAPI' is undefined (which happens on the var isValidURL statement).
What am I missing?
I don't see where you imported ESAPI in the JSP.
Try this:
<%@ page language="java" %>
<%@ taglib uri="/WEB-INF/struts-bean.tld" prefix="bean" %>
<%@ taglib uri="/WEB-INF/struts-html.tld" prefix="html" %>
<%@ taglib uri="/WEB-INF/struts-tiles.tld" prefix="tiles" %>
<%@ page import="java.net.*, org.owasp.esapi.ESAPI, org.owasp.esapi.Validator" %>
<%
    // ESAPI runs on the server, so both the input and the check are Java, not JavaScript.
    // A scriptlet (<% %>) emits nothing; the expression tag (<%= %>) below writes the result into the page.
    String userURL = "http://www.google.com";
    boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
%>
<script type="text/javascript" language="javascript">
function validateForm()
{
    // The Java boolean is rendered as the literal true/false when the JSP is compiled.
    var isValidURL = <%= isValidURL %>;
    if (isValidURL) {
        alert("true");
    } else {
        alert("false");
    }
}
</script>
Also note, I'd highly suggest doing the validation in the receiving controller and not in the JSP... the overhead for JSP compilation is murder without adding the overhead of parsing input. The other warning I'll give you is that, if you look at the ESAPI documentation, calling isValidInput() ignores canonicalization, which is absolutely critical. You'll want to use getValidInput() instead. If you feel you need to use isValidInput(), then you'll want to ensure you make a manual call to canonicalize(), which is a method in the Encoder class. Also, please note that this line:
var isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
is making a critical mistake in that ESAPI is not a JavaScript library. This call should look like this:
<%-- userURL must be a Java String in scope (e.g. declared in a scriptlet above); the expression tag writes the boolean into the page --%>
var isValidURL = <%= ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false) %>;
And in general, as stated above, you want to do this validation on the controller that will be using this jsp as input, not on the jsp itself. (Scriptlets are slow and should be avoided.)
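Controller-side validation along the lines the answer recommends, shown as an added example (not code from the question, the answer or the ESAPI project). The servlet class name, the "userURL" parameter name and the forward target are assumptions; "URL" refers to the Validator.URL rule in ESAPI's validation.properties.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Hypothetical controller that receives the form post instead of validating in the JSP.
public class UrlSubmitServlet extends HttpServlet {

    // getValidInput() canonicalizes the raw value (undoing e.g. double URL-encoding)
    // before applying the "URL" regex, which isValidInput() alone does not do.
    static String validateUrl(String rawUrl) throws ValidationException, IntrusionException {
        return ESAPI.validator().getValidInput("URLContext", rawUrl, "URL", 255, false);
    }

    // Equivalent boolean check: canonicalize explicitly, then call isValidInput().
    static boolean isUrlValid(String rawUrl) throws IntrusionException {
        String canonical = ESAPI.encoder().canonicalize(rawUrl);
        return ESAPI.validator().isValidInput("URLContext", canonical, "URL", 255, false);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            String url = validateUrl(req.getParameter("userURL"));
            // Only the validated value reaches the view (assumed target path).
            req.setAttribute("validatedUrl", url);
            req.getRequestDispatcher("/WEB-INF/jsp/result.jsp").forward(req, resp);
        } catch (ValidationException e) {
            // Did not match the rule or exceeded 255 chars: reject with a generic message.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid URL");
        } catch (IntrusionException e) {
            // canonicalize() found multiple or mixed encoding: treat as an attack, not a typo.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid URL");
        }
    }
}
```

Whether canonicalize() throws on multiple or mixed encoding depends on the Encoder.AllowMultipleEncoding and Encoder.AllowMixedEncoding settings in ESAPI.properties, so the IntrusionException branch should be kept even if it never fires in your configuration.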