Encode/Decode

Used to prevent XSS, these functions use the ESAPI (Enterprise Security API) library to safely handle user input.

Functions

  • Canonicalize() Canonicalization is the operation of reducing a possibly encoded string to its simplest form. This matters because attackers frequently encode their input so that it bypasses validation filters but is still interpreted as intended by the target of the attack. Note that data encoded more than once is not something a normal user would generate and should be regarded as an attack.
  • DecodeForHtml() Decodes the given encoded string.
  • DecodeFromURL() Decodes a string that has been encoded for a URL with EncodeForURL(). This function is deprecated; use ESAPIDecode('url', ...) instead.
  • EncodeForCSS() Encodes the given string for safe output in CSS to reduce the risk of Cross Site Scripting attacks.
  • EncodeForDN() Encodes the given string for safe output in LDAP Distinguished Names.
  • EncodeForHTML() Encodes the given string for safe output in HTML to reduce the risk of Cross Site Scripting attacks.
  • EncodeForHTMLAttribute() Encodes the given string for safe output in an HTML attribute value to reduce the risk of Cross Site Scripting attacks.
  • EncodeForJavaScript() Encodes the given string for safe output in JavaScript to reduce the risk of Cross Site Scripting attacks.
  • EncodeForLDAP() Encodes the given string for safe output in LDAP queries.
  • EncodeForSQL() Encodes the given string for safe output in a query to reduce the risk of SQL Injection attacks. _This method is not recommended_; the use of query parameters is strongly encouraged as a stronger alternative.
  • EncodeForURL() Encodes the given string for safe output in a URL.
  • EncodeForXML() Encodes the given string for safe output in XML to reduce the risk of Cross Site Scripting attacks.
  • EncodeForXMLAttribute() Encodes the given string for safe output in an XML attribute value to reduce the risk of Cross Site Scripting attacks.
  • EncodeForXPath() Encodes the given string for safe use in an XPath Query.
  • ESAPIDecode() Decodes a string that has been encoded with ESAPIEncode.
  • ESAPIEncode() Encodes the given string for safe output to reduce the risk of Cross Site Scripting attacks.
  • HTMLEditFormat() Replaces special characters in a string with their HTML-escaped equivalents. The optional [version] argument selects the HTML version to use (currently ignored): -1: the latest implementation of HTML; 2.0: HTML 2.0 (default); 3.2: HTML 3.2; 4.0: HTML 4.0.
  • SanitizeHtml() Sanitizes unsafe HTML input and removes unsafe elements and attributes such as JavaScript and onclick handlers. See also https://github.com/OWASP/java-html-sanitizer
  • URLDecode() Decodes a URL-encoded string.
  • URLEncode() Encodes a string to be URL-safe according to the application/x-www-form-urlencoded MIME format.
  • URLEncodedFormat() Generates a URL-encoded string. For example, it replaces spaces with %20, and non-alphanumeric characters with equivalent hexadecimal escape sequences. Passes arbitrary strings within a URL.
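The point of the list above is that each encoder is bound to one output context: a value that is safe inside an HTML element is not automatically safe inside an attribute, a JavaScript string or a URL. The following is an added example, not code from the Lucee documentation or the Lucee project, showing the same untrusted value (a constructed sample, not real input) encoded once per context, plus a Canonicalize() check that rejects multiply encoded input before validation. The three boolean arguments passed to Canonicalize() (restrictMultiple, restrictMixed, throwOnError) are assumed from the ColdFusion-compatible signature; this page lists only the function name.

```cfml
<cfscript>
// Added example, not part of the Lucee documentation above.
// Constructed sample input containing characters that are significant
// in several output contexts: single and double quotes, <, > and &.
untrusted = 'O''Brien <tom@example.com> & "friends"';

// 1. HTML element content: <, >, & and quotes become entities.
htmlText = encodeForHTML(untrusted);

// 2. Quoted HTML attribute value: a stricter encoder, so the value
//    cannot terminate the attribute it is placed in.
attrValue = encodeForHTMLAttribute(untrusted);

// 3. Inside a JavaScript string literal: quotes and control characters
//    are escaped so the literal cannot be terminated early.
jsValue = encodeForJavaScript(untrusted);

// 4. A query-string parameter: percent-encoded for the URL context.
//    (Named urlParam, not url, to avoid shadowing the URL scope.)
urlParam = encodeForURL(untrusted);

// Canonicalize before validating. restrictMultiple = true rejects data
// that was encoded more than once, restrictMixed = true rejects data that
// mixes encoding schemes; throwOnError = true makes a rejection throw.
// These arguments are assumed from the ColdFusion-compatible signature.
boolean function isSinglyEncoded(required string input) {
    try {
        var canonical = canonicalize(arguments.input, true, true, true);
        // Some engines return an empty string instead of throwing.
        return len(canonical) > 0;
    } catch (any e) {
        return false;
    }
}

// Constructed test vector: "<b>" percent-encoded twice (%3C -> %253C).
doubleEncoded = '%253Cb%253E';
accepted = isSinglyEncoded(doubleEncoded);   // false: multiple encoding detected
</cfscript>

<!--- Each encoded value is used only in the context its encoder was chosen for --->
<cfoutput>
<p>#htmlText#</p>
<input type="text" value="#attrValue#">
<script>var displayName = '#jsValue#';</script>
<a href="/search?q=#urlParam#">search</a>
<p>Double-encoded input accepted: #accepted#</p>
</cfoutput>
```

Encoding is for values that must be rendered literally; when user-supplied markup has to be preserved, SanitizeHtml() is the appropriate function, since an encoder would turn the markup into visible text rather than allow a safe subset of it.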

Methods

  • string.decodeForHTML() Decodes the given encoded string.
  • string.decodeFromURL() Decodes a string that has been encoded for a URL with encodeForURL(). This function is deprecated; use ESAPIDecode('url', ...) instead.
  • string.encodeForCSS() Encodes the given string for safe output in CSS to reduce the risk of Cross Site Scripting attacks.
  • string.encodeForDN() Encodes the given string for safe output in LDAP Distinguished Names.
  • string.encodeForHTML() Encodes the given string for safe output in HTML to reduce the risk of Cross Site Scripting attacks.
  • string.encodeForHTMLAttribute() Encodes the given string for safe output in an HTML attribute value to reduce the risk of Cross Site Scripting attacks.
  • string.encodeForJavascript() Encodes the given string for safe output in JavaScript to reduce the risk of Cross Site Scripting attacks.
  • string.encodeForLDAP() Encodes the given string for safe output in LDAP queries.
  • string.encodeForSQL() Encodes the given string for safe output in a query to reduce the risk of SQL Injection attacks. _This method is not recommended_; the use of query parameters is strongly encouraged as a stronger alternative.
  • string.encodeForURL() Encodes the given string for safe output in a URL.
  • string.encodeForXML() Encodes the given string for safe output in XML to reduce the risk of Cross Site Scripting attacks.
  • string.encodeForXMLAttribute() Encodes the given string for safe output in an XML attribute value to reduce the risk of Cross Site Scripting attacks.
  • string.encodeForXPath() Encodes the given string for safe use in an XPath Query.
  • string.sanitizeHTML() Sanitizes unsafe HTML input and removes unsafe elements and attributes such as JavaScript and onclick handlers. See also https://github.com/OWASP/java-html-sanitizer