## OWASP Java Encoder Project

The OWASP Java Encoder Project is a collection of high-performance, low-overhead
contextual encoders that, when used correctly, are an effective tool for
preventing web application security vulnerabilities such as Cross-Site
Scripting (XSS).

Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet)
for more information on preventing XSS.

### Usage

In addition to the usage guidance below, more examples can be found on the [OWASP Java Encoder Project Wiki](https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project).

The JARs can be found in [Maven Central](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22).

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder</artifactId>
    <version>1.2.3</version>
</dependency>
```

Utilize the encoder:

```java
import java.io.PrintWriter;
import org.owasp.encoder.Encode;

//...

// The writer for the HTTP response (for example, from HttpServletResponse#getWriter())
PrintWriter out = ....;
// Encode untrusted data for the HTML text context before writing it into the page
out.println("<textarea>" + Encode.forHtml(userData) + "</textarea>");
```
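The encoder is contextual: the same untrusted value needs a different encoder depending on where in the page it lands. The following class is an added example, not code from the OWASP Java Encoder project, and it assumes only that the `org.owasp.encoder:encoder` artifact is on the classpath. The class name, method names and the sample input are constructed for illustration; the `Encode` methods it calls are the library's own.

```java
import org.owasp.encoder.Encode;

/**
 * Added example (not part of the OWASP Java Encoder project): renders one
 * untrusted value into several output contexts, picking the encoder that
 * matches each context. Assumes org.owasp.encoder:encoder is on the classpath.
 */
public class ContextualEncodingExample {

    // Constructed sample of hostile input, the kind of string a form field might carry.
    static final String USER_DATA = "\"><script>alert(1)</script>";

    /** HTML text content between tags: forHtml escapes <, >, &, and quotes. */
    static String htmlBody(String userData) {
        return "<p>Hello, " + Encode.forHtml(userData) + "</p>";
    }

    /** Value of a quoted HTML attribute. */
    static String htmlAttribute(String userData) {
        return "<input type=\"text\" value=\"" + Encode.forHtmlAttribute(userData) + "\">";
    }

    /** A JavaScript string literal inside a script block. */
    static String javaScriptString(String userData) {
        return "<script>var name = '" + Encode.forJavaScript(userData) + "';</script>";
    }

    /** A single query-string parameter inside a URL. */
    static String urlParameter(String userData) {
        return "<a href=\"/search?q=" + Encode.forUriComponent(userData) + "\">search</a>";
    }

    /** The pattern the encoders replace: raw concatenation of untrusted data. */
    static String unencoded(String userData) {
        return "<p>Hello, " + userData + "</p>";
    }

    public static void main(String[] args) {
        System.out.println("unencoded     : " + unencoded(USER_DATA));
        System.out.println("html body     : " + htmlBody(USER_DATA));
        System.out.println("html attribute: " + htmlAttribute(USER_DATA));
        System.out.println("javascript    : " + javaScriptString(USER_DATA));
        System.out.println("url parameter : " + urlParameter(USER_DATA));
    }
}
```

Compile and run it with the encoder JAR on the classpath to compare the raw and encoded renderings side by side. The point to take from the output is that `forHtml` alone is not enough for every slot in a page: a value placed inside a script string or a URL must go through the encoder for that context, and an attribute value should be wrapped in quotes so that `forHtmlAttribute` is sufficient.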

### JSP Usage

The JSP Encoder makes using the Java Encoder within JSP simple via a TLD that
provides tags and a set of JSP EL functions:

```xml
<dependency>
    <groupId>org.owasp.encoder</groupId>
    <artifactId>encoder-jsp</artifactId>
    <version>1.2.3</version>
</dependency>
```

```jsp
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>

<%-- ... --%>

<p>Dynamic data via EL: ${e:forHtml(param.value)}</p>
<p>Dynamic data via tag: <e:forHtml value="${param.value}" /></p>
```