### Basic HTML Encoding Example

Source: https://github.com/owasp/owasp-java-encoder/blob/main/README.md

This example demonstrates how to use the Encode.forHtml() method to encode user data before embedding it within an HTML textarea. Ensure you import org.owasp.encoder.Encode.

```java
import org.owasp.encoder.Encode;
// ...
PrintWriter out = ....;
// Encode the untrusted value for an HTML text context before writing it out
out.println("<textarea>" + Encode.forHtml(userData) + "</textarea>");
```

--------------------------------

### Body Onload Event Handler XSS

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

This example demonstrates an XSS attack using the ONLOAD event handler in the BODY tag. It highlights that a space before the equals sign is permissible.

```html
```

--------------------------------

### URL Evasion: URL Encoding

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Shows how URL encoding can be used to bypass filters that do not properly decode special characters. This example encodes 'www.google.com'.

```html
XSS
```

--------------------------------

### ESAPI Drop-in Integration with OWASP Java Encoder

Source: https://context7.com/owasp/owasp-java-encoder/llms.txt

This example demonstrates how to use the `ESAPIEncoder`, which implements the ESAPI `Encoder` interface. It delegates common encoding methods to the OWASP Java Encoder for performance, falling back to ESAPI's `DefaultEncoder` for unsupported methods. Obtain the singleton via `ESAPIEncoder.getInstance()`.
```java
import org.owasp.encoder.esapi.ESAPIEncoder;
import org.owasp.esapi.Encoder;

public class ESAPIIntegrationExample {
    // Obtain the high-performance OWASP-backed ESAPI encoder
    private static final Encoder ENCODER = ESAPIEncoder.getInstance();

    public String renderUser(String name, String bio, String url) {
        // Uses Encode.forHtml() internally
        String safeName = ENCODER.encodeForHTML(name);
        // Uses Encode.forHtmlAttribute() internally
        String safeAttr = ENCODER.encodeForHTMLAttribute(bio);
        // Uses Encode.forJavaScript() internally
        String safeJs = ENCODER.encodeForJavaScript(name);
        // Uses Encode.forCssString() internally
        String safeCss = ENCODER.encodeForCSS(bio);
        // Uses Encode.forXml() / forXmlAttribute() internally
        String safeXml = ENCODER.encodeForXML(name);
        String safeXmlAttr = ENCODER.encodeForXMLAttribute(bio);

        // Falls back to ESAPI DefaultEncoder (not implemented in OWASP Java Encoder)
        // ENCODER.encodeForSQL(codec, value);
        // ENCODER.canonicalize(input);
        // ENCODER.encodeForBase64(bytes, wrap);

        // The wrapping element was lost in extraction; <div> is an assumption
        return "<div>" + safeName + "</div>";
    }
}
```

--------------------------------

### Maven Dependency Setup for OWASP Java Encoder

Source: https://context7.com/owasp/owasp-java-encoder/llms.txt

Add the appropriate dependency to your pom.xml based on your environment. The core encoder is required for servlet/plain Java usage; add the JSP artifact if using JSP tag libraries or EL functions.

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder</artifactId>
    <version>1.4.0</version>
</dependency>
```

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-jsp</artifactId>
    <version>1.4.0</version>
</dependency>
```

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-jakarta-jsp</artifactId>
    <version>1.4.0</version>
</dependency>
```

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-esapi</artifactId>
    <version>1.4.0</version>
</dependency>
```

--------------------------------

### URL Evasion: Mixed Encoding with Tabs/Newlines

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

An example of mixed encoding techniques, including base encoding, tabs, and newlines, to bypass URL filters. This works when encapsulated within quotes.

```html
XSS
```

--------------------------------

### JavaScript Injection using ASCII Carriage Returns

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

An extreme example of injecting JavaScript using ASCII carriage returns, demonstrating a vector that bypasses filters by using control characters.

```HTML
```

--------------------------------

### XSS using Locally Hosted XML Data Island

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

This method leverages a locally hosted XML file containing the XSS payload, referenced by an XML data island. It is similar to the previous example but points to an external XML resource.
```HTML
```

--------------------------------

### XSS Vector: ActionScript in Flash

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

This example shows how ActionScript within a Flash movie can be used to obfuscate and execute an XSS vector.

```javascript
a="get";
b="URL(\"";
c="javascript:";
d="alert('XSS');\")";
eval(a+b+c+d);
```

--------------------------------

### Script Tag Evasion with Attributes

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Demonstrates XSS attacks evading filters by using different quote types and attribute values within SCRIPT tags. These examples highlight the need for robust parsing of script tags.

```html
```

```html
```

```html
```

```html
```

--------------------------------

### Content Replace Attack Vector

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Illustrates an attack vector where programmatic replacement of a URL with nothing is exploited. This example uses character encoding to bypass filters that might otherwise catch the URL.

```html
XSS
```

--------------------------------

### Google 'Feeling Lucky' Protocol Bypass (Deprecated)

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

An example using Firefox's 'keyword:' protocol to redirect users, which was effective before Firefox 2.0. It relies on the browser's 'feeling lucky' function.

```html
XSS
```

--------------------------------

### XSS Vector: IMG STYLE with expression hybrid

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

A hybrid XSS vector combining elements from previous examples, highlighting the difficulty of parsing STYLE tags and potentially causing infinite alert loops in IE.
```html
exp/*
```

--------------------------------

### Run Benchmarks

Source: https://github.com/owasp/owasp-java-encoder/blob/main/README.md

Execute benchmarks for the OWASP Java Encoder project. Note that benchmarks may require improvement.

```bash
mvn verify -Pbenchmarks
```

--------------------------------

### Build the Project with Maven

Source: https://github.com/owasp/owasp-java-encoder/blob/main/README.md

Run this command in your terminal to package the OWASP Java Encoder project. Java 17 is required for building and testing the encoder-jakarta-jsp module.

```shell
mvn package
```

--------------------------------

### Deploy a Release

Source: https://github.com/owasp/owasp-java-encoder/blob/main/README.md

Command to deploy a new release of the OWASP Java Encoder project using the central-publishing-maven-plugin. Ensure you have the necessary permissions and configurations.

```bash
mvn clean package deploy -DperformRelease=true
```

--------------------------------

### JSP Usage with OWASP Encoder

Source: https://github.com/owasp/owasp-java-encoder/blob/main/jsp/src/site/markdown/index.md

Demonstrates how to use the OWASP JSP Encoder's TLD tags and EL functions for encoding dynamic data within JSP pages. Ensure the taglib is imported correctly.

```JSP
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
<%-- ... --%>

Dynamic data via EL: ${e:forHtml(param.value)}

Dynamic data via tag: <e:forHtml value="${param.value}" />
```

--------------------------------

### Servlet HTML and URI Encoding with Encode.forXxx(Writer)

Source: https://context7.com/owasp/owasp-java-encoder/llms.txt

Use the Writer overloads to encode directly into a servlet's PrintWriter, avoiding intermediate String objects. Ensure the correct content type and character encoding are set on the response.

```java
import org.owasp.encoder.Encode;
import javax.servlet.http.HttpServletResponse;
import java.io.PrintWriter;
import java.io.IOException;

public class WriterEncodingServlet {
    public void doGet(HttpServletResponse response, String name, String query) throws IOException {
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        // The markup around the encoded values was lost in extraction;
        // the elements and the href target below are assumptions
        out.write("<html><body>\n<h1>Hello, ");
        Encode.forHtml(out, name);           // no intermediate String
        out.write("</h1>\n<a href=\"?q=");
        Encode.forUriComponent(out, query);  // URI-encode the query for the href
        out.write("\">\n");
        Encode.forHtmlContent(out, query);   // then HTML-encode the link text
        out.write("</a></body></html>");
    }
}
```

--------------------------------

### Run Jakarta JSP Integration Test

Source: https://github.com/owasp/owasp-java-encoder/blob/main/README.md

Execute this command to run the integration tests for the Jakarta JSP module, validating the functionality of JSP Tags and EL expressions.

```shell
mvn verify -PtestJakarta
```

--------------------------------

### XSS Vector: Anonymous HTML with STYLE attribute

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

This vector demonstrates that browsers like IE6 and Netscape 8.1 (in IE mode) will render malformed HTML tags if they start with '<' and a letter, allowing STYLE attribute XSS.

```html
```

--------------------------------

### XSS using PHP Echo Statements

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

This PHP snippet uses 'echo' statements to output JavaScript code, bypassing filters that might block direct script tag injection. It requires PHP to be installed and executable on the server.

```PHP
alert("XSS")'); ?>
```

--------------------------------

### URL Evasion: Removing 'www.' for DNS

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Demonstrates saving bytes by removing 'www.' from a domain name, assuming the server is configured to handle this. This can bypass filters looking for specific subdomains.

```html
XSS
```

--------------------------------

### URL Evasion: IP Address vs Hostname

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Demonstrates bypassing URL filters by using an IP address instead of a hostname. This can be effective if filters only check for specific domain names.
```html
XSS
```

--------------------------------

### Protocol Resolution Bypass with Slashes

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Demonstrates bypassing URL filters by using '//', which resolves to 'http://', saving characters and evading regex patterns like '(ht|f)tp(s)?://'.

```html
XSS
```

--------------------------------

### Image XSS using JavaScript Directive

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Demonstrates XSS using the JavaScript directive within an IMG tag. Note that IE7.0 may not support this in image contexts, but the principle applies to other tags.

```html
```

--------------------------------

### XSS with Spaces and Meta Characters Before JavaScript

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Illustrates using spaces and meta characters (like ) before 'javascript:' to bypass pattern-matching filters that don't account for such characters.

```HTML
```

--------------------------------

### Encode User Data for HTML Output

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/site/markdown/index.md

Use Encode.forHtml() to safely encode user-provided data before embedding it within HTML content, preventing XSS attacks. Ensure the 'org.owasp.encoder.Encode' class is imported.

```java
import org.owasp.encoder.Encode;
//...
PrintWriter out = ....;
// HTML-encode the untrusted value before it becomes part of the page
out.println("<textarea>" + Encode.forHtml(userData) + "</textarea>");
```

--------------------------------

### Dynamic Encoder Lookup with Encoders.forName()

Source: https://context7.com/owasp/owasp-java-encoder/llms.txt

Use Encoders.forName() to obtain an Encoder instance by context name at runtime. This is useful in template engines. Ensure the context name is valid to avoid UnsupportedContextException. For string encoding, use Encode.encode() or EncodedWriter.
```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import org.owasp.encoder.EncodedWriter;
import org.owasp.encoder.Encoder;
import org.owasp.encoder.Encoders;
import org.owasp.encoder.UnsupportedContextException;

public class DynamicEncoderExample {

    public String encode(String contextName, String value) throws IOException {
        Encoder encoder;
        try {
            encoder = Encoders.forName(contextName);
        } catch (UnsupportedContextException e) {
            throw new IllegalArgumentException("Unknown encoding context: " + contextName, e);
        }
        // encoder.encode(input, output, endOfInput) is the low-level NIO CharBuffer API.
        // Encode.encode(Encoder, String) is package-private, so for String-in/String-out
        // wrap a StringWriter in an EncodedWriter instead of reaching for reflection.
        StringWriter sw = new StringWriter();
        try (EncodedWriter ew = new EncodedWriter(sw, encoder)) {
            ew.write(value);
        }
        return sw.toString();
    }

    // Typical runtime dispatch pattern: encode straight into the output Writer
    public void writeField(Writer out, String context, String value) throws IOException {
        try (EncodedWriter ew = new EncodedWriter(out, context)) {
            ew.write(value);
            ew.flush();
        }
    }
}
```

```java
// Available context name constants:
// Encoders.HTML                     "html"
// Encoders.HTML_CONTENT             "html-content"
// Encoders.HTML_ATTRIBUTE           "html-attribute"
// Encoders.HTML_UNQUOTED_ATTRIBUTE  "html-attribute-unquoted"
// Encoders.XML                      "xml"
// Encoders.XML_CONTENT              "xml-content"
// Encoders.XML_ATTRIBUTE            "xml-attribute"
// Encoders.XML_COMMENT              "xml-comment"
// Encoders.XML_11                   "xml-1.1"
// Encoders.XML_11_CONTENT           "xml-1.1-content"
// Encoders.XML_11_ATTRIBUTE         "xml-1.1-attribute"
// Encoders.CDATA                    "cdata"
// Encoders.CSS_STRING               "css-string"
// Encoders.CSS_URL                  "css-url"
// Encoders.JAVASCRIPT               "javascript"
// Encoders.JAVASCRIPT_ATTRIBUTE     "javascript-attribute"
// Encoders.JAVASCRIPT_BLOCK         "javascript-block"
// Encoders.JAVASCRIPT_SOURCE        "javascript-source"
// Encoders.URI                      "uri" (deprecated)
// Encoders.URI_COMPONENT            "uri-component"
// Encoders.JAVA                     "java"
```

--------------------------------

### Remote Style Sheet via Moz Binding

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

This method binds a XUL file to the parent page, allowing XSS execution in Gecko rendering engines. It leverages the '-moz-binding' CSS property.

```html
```

--------------------------------

### URL Evasion: Dword Encoding

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Illustrates Dword encoding for IP addresses, a technique that represents an IP address in a different numerical base. This can bypass filters that do not recognize this encoding.

```html
XSS
```

--------------------------------

### DIV Background-Image with JavaScript

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Executes JavaScript by setting the 'background-image' style property of a DIV element to a JavaScript URI.

```html
```

--------------------------------

### Maven Dependencies for OWASP Java Encoder

Source: https://github.com/owasp/owasp-java-encoder/blob/main/README.md

Include these dependencies in your Maven project to use the OWASP Java Encoder library. Choose the appropriate artifact based on your Servlet Specification.

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder</artifactId>
    <version>1.4.0</version>
</dependency>
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-jakarta-jsp</artifactId>
    <version>1.4.0</version>
</dependency>
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-jsp</artifactId>
    <version>1.4.0</version>
</dependency>
```

--------------------------------

### Remote Style Sheet via STYLE Tag

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Injecting a remote stylesheet using a STYLE tag can execute JavaScript. This method works similarly to using a LINK tag.

```html
```

--------------------------------

### URL Evasion: Hex Encoding

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

Demonstrates bypassing URL filters using hexadecimal encoding for IP addresses. This method can evade simple string-matching filters.

```html
XSS
```

--------------------------------

### XSS using Server Side Includes (SSI)

Source: https://github.com/owasp/owasp-java-encoder/blob/main/core/src/test/resources/org/owasp/encoder/benchmark-data-1.txt

This vector requires SSI to be enabled on the server. It uses multiple SSI 'exec' directives to construct and execute a JavaScript payload, demonstrating a server-level vulnerability.

```SSI
```

--------------------------------

### Encode.forHtmlContent(String input) and Encode.forHtmlAttribute(String input)

Source: https://context7.com/owasp/owasp-java-encoder/llms.txt

Provides targeted HTML encoding. `forHtmlContent` is for element text bodies only, while `forHtmlAttribute` is for quoted HTML attribute values. These can offer slight performance benefits when the context is precisely known.
```APIDOC
## Encode.forHtmlContent(String input) and Encode.forHtmlAttribute(String input)

### Description
`forHtmlContent` encodes for HTML element text bodies only — it does **not** encode `"` or `'`, making it slightly more efficient than `forHtml` inside `, `, `
```
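The context sensitivity described in this section and the name-based lookup from the Dynamic Encoder Lookup section, worked through in one added example. This is not code from the OWASP Java Encoder project; the class name, the sample input and the `/search` path are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringWriter;
import org.owasp.encoder.Encode;
import org.owasp.encoder.EncodedWriter;
import org.owasp.encoder.Encoders;
import org.owasp.encoder.UnsupportedContextException;

/** Added example (not project code): one untrusted value placed into several output contexts. */
public final class ContextEncodingDemo {

    /** Name-based lookup: the encoder is chosen at runtime from a context name such as
     *  Encoders.HTML_ATTRIBUTE. EncodedWriter resolves the name and rejects unknown ones. */
    public static String encodeFor(String contextName, String value) throws IOException {
        StringWriter sw = new StringWriter();
        try (EncodedWriter ew = new EncodedWriter(sw, contextName)) { // UnsupportedContextException if unknown
            ew.write(value);
        } // close() flushes any buffered characters through the encoder
        return sw.toString();
    }

    /** The same value lands in four slots; each slot gets the encoder matching its grammar. */
    public static String render(String untrusted) {
        StringBuilder html = new StringBuilder();
        // 1. element body: forHtmlContent suffices, quotes may stay literal here
        html.append("<p>").append(Encode.forHtmlContent(untrusted)).append("</p>\n");
        // 2. quoted attribute: a quote would end the value, so forHtmlAttribute, never forHtmlContent
        html.append("<input value=\"").append(Encode.forHtmlAttribute(untrusted)).append("\">\n");
        // 3. query parameter inside an href: URI-encode the component first, then attribute-encode
        //    the whole URL because the href is itself a quoted attribute (/search is a made-up path)
        String url = "/search?q=" + Encode.forUriComponent(untrusted);
        html.append("<a href=\"").append(Encode.forHtmlAttribute(url)).append("\">link</a>\n");
        // 4. JavaScript string literal inside an inline script block
        html.append("<script>var q = '").append(Encode.forJavaScriptBlock(untrusted)).append("';</script>\n");
        return html.toString();
    }

    public static void main(String[] args) throws IOException {
        // constructed sample input covering every character the HTML encoders treat specially
        String untrusted = "<b>\"hi\" & 'there'</b>";
        System.out.print(render(untrusted));
        // name-based dispatch, as a template engine would do it
        for (String ctx : new String[] {Encoders.HTML_CONTENT, Encoders.HTML_ATTRIBUTE, Encoders.JAVASCRIPT}) {
            System.out.println(ctx + " -> " + encodeFor(ctx, untrusted));
        }
        try {
            encodeFor("no-such-context", untrusted);
        } catch (UnsupportedContextException e) {
            System.out.println("rejected unknown context: " + e.getMessage());
        }
    }
}
```

Comparing the first two printed lines shows the quotes left untouched by the content encoder and escaped by the attribute encoder, which is exactly why the narrower `forHtmlContent` must never be used for attribute values.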