### Basic HTML Encoding Example

Source: https://github.com/owasp/owasp-java-encoder/blob/main/README.md

This example demonstrates how to use the Encode.forHtml() method to encode user data before embedding it within an HTML textarea. Ensure you import org.owasp.encoder.Encode.

```java
import org.owasp.encoder.Encode;

PrintWriter out = ....;
// Encode the untrusted value for an HTML element body before writing it into the textarea
out.println("<textarea>" + Encode.forHtml(userData) + "</textarea>");
```

--------------------------------

### Body Onload Event Handler XSS

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

This example demonstrates an XSS attack using the ONLOAD event handler in the BODY tag. It highlights that a space before the equals sign is permissible.

```html
```

--------------------------------

### URL Evasion: URL Encoding

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Shows how URL encoding can be used to bypass filters that do not properly decode special characters. This example encodes 'www.google.com'.

```html
XSS
```

--------------------------------

### ESAPI Drop-in Integration with OWASP Java Encoder

Source: https://context7.com/owasp/owasp-java-encoder/llms.txt

This example demonstrates how to use the `ESAPIEncoder`, which implements the ESAPI `Encoder` interface. It delegates common encoding methods to the OWASP Java Encoder for performance, falling back to ESAPI's `DefaultEncoder` for unsupported methods. Obtain the singleton via `ESAPIEncoder.getInstance()`.

```java
import org.owasp.encoder.esapi.ESAPIEncoder;
import org.owasp.esapi.Encoder;

public class ESAPIIntegrationExample {
    // Obtain the high-performance OWASP-backed ESAPI encoder
    private static final Encoder ENCODER = ESAPIEncoder.getInstance();

    public String renderUser(String name, String bio, String url) {
        // Uses Encode.forHtml() internally
        String safeName = ENCODER.encodeForHTML(name);
        // Uses Encode.forHtmlAttribute() internally
        String safeAttr = ENCODER.encodeForHTMLAttribute(bio);
        // Uses Encode.forJavaScript() internally
        String safeJs = ENCODER.encodeForJavaScript(name);
        // Uses Encode.forCssString() internally
        String safeCss = ENCODER.encodeForCSS(bio);
        // Uses Encode.forXml() / forXmlAttribute() internally
        String safeXml = ENCODER.encodeForXML(name);
        String safeXmlAttr = ENCODER.encodeForXMLAttribute(bio);

        // Falls back to ESAPI DefaultEncoder (not implemented in OWASP Java Encoder)
        // ENCODER.encodeForSQL(codec, value);
        // ENCODER.canonicalize(input);
        // ENCODER.encodeForBase64(bytes, wrap);

        // The original snippet is truncated here; returning the two HTML-encoded values
        // as a small fragment is an assumed completion, not the project's own code
        return "<div title=\"" + safeAttr + "\">" + safeName + "</div>";
    }
}
```

--------------------------------

### JSP EL Encoding Fragment

This fragment encodes the request parameter `param.value` with the `e:forHtml` EL function of the encoder JSP taglib.

```jsp
Dynamic data via EL: ${e:forHtml(param.value)}
Dynamic data via tag:
```
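As an added example (not code from the OWASP Java Encoder project), tying together the textarea case from the first section and the context-by-context delegation of the ESAPI section: the same untrusted value is rendered into four output contexts, each through the matching `Encode` method, so that filter-bypass tricks such as the URL-encoded form above do not matter because nothing is decoded or filtered on input. It assumes the `org.owasp.encoder:encoder` artifact is on the classpath; the class name, helper names and the sample input are constructed for this example.

```java
import org.owasp.encoder.Encode;

/**
 * Added example: pick the encoder by the output context the value lands in.
 * Assumes org.owasp.encoder:encoder is on the classpath.
 */
public class ContextualEncodingExample {

    // Constructed sample input: a value a user might submit in a profile form.
    static final String UNTRUSTED = "Ann \"O'Neil\" <ann@example.com>";

    /** HTML element body, e.g. the textarea case from the README. */
    static String textarea(String value) {
        return "<textarea>" + Encode.forHtml(value) + "</textarea>";
    }

    /** Quoted attribute value: the quote characters that would close the
     *  attribute and start a new one (such as an event handler) are encoded. */
    static String titleAttr(String value) {
        return "<span title=\"" + Encode.forHtmlAttribute(value) + "\">profile</span>";
    }

    /** Query-string parameter: encode for the URI component first, then for the
     *  attribute the URL is placed in (two layers, applied inside-out). */
    static String searchLink(String value) {
        String href = "/search?q=" + Encode.forUriComponent(value);
        return "<a href=\"" + Encode.forHtmlAttribute(href) + "\">search</a>";
    }

    /** String literal inside a script block. */
    static String scriptLiteral(String value) {
        return "<script>var who = '" + Encode.forJavaScript(value) + "';</script>";
    }

    public static void main(String[] args) {
        System.out.println(textarea(UNTRUSTED));
        System.out.println(titleAttr(UNTRUSTED));
        System.out.println(searchLink(UNTRUSTED));
        System.out.println(scriptLiteral(UNTRUSTED));
    }
}
```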