# # OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version # # This file is part of the Open Worldwide Application Security Project (OWASP) # Enterprise Security API (ESAPI) project. For details, please see # https://owasp.org/www-project-enterprise-security-api/ # # Copyright (c) 2008,2009 - The OWASP Foundation # # DISCUSS: This may cause a major backwards compatibility issue, etc. but # from a name space perspective, we probably should have prefaced # all the property names with ESAPI or at least OWASP. Otherwise # there could be problems is someone loads this properties file into # the System properties. We could also put this file into the # esapi.jar file (perhaps as a ResourceBundle) and then allow an external # ESAPI properties be defined that would overwrite these defaults. # That keeps the application's properties relatively simple as usually # they will only want to override a few properties. If looks like we # already support multiple override levels of this in the # DefaultSecurityConfiguration class, but I'm suggesting placing the # defaults in the esapi.jar itself. That way, if the jar is signed, # we could detect if those properties had been tampered with. (The # code to check the jar signatures is pretty simple... maybe 70-90 LOC, # but off course there is an execution penalty (similar to the way # that the separate sunjce.jar used to be when a class from it was # first loaded). Thoughts? ############################################################################### # # WARNING: Operating system protection should be used to lock down the .esapi # resources directory and all the files inside and all the directories all the # way up to the root directory of the file system. Note that if you are using # file-based implementations, that some files may need to be read-write as they # get updated dynamically. # #=========================================================================== # ESAPI Configuration # # If true, then print all the ESAPI properties set here when they are loaded. # If false, they are not printed. Useful to reduce output when running JUnit tests. # If you need to troubleshoot a properties related problem, turning this on may help. # This is 'false' in the src/test/resources/.esapi version. It is 'true' by # default for reasons of backward compatibility with earlier ESAPI versions. ESAPI.printProperties=true # ESAPI is designed to be easily extensible. You can use the reference implementation # or implement your own providers to take advantage of your enterprise's security # infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like: # # String ciphertext = # ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0 # CipherText cipherText = # ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred # # Below you can specify the classname for the provider that you wish to use in your # application. The only requirement is that it implement the appropriate ESAPI interface. # This allows you to switch security implementations in the future without rewriting the # entire application. # # ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController # FileBasedAuthenticator requires users.txt file in .esapi directory ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory # To use the new SLF4J logger in ESAPI (see GitHub issue #129), set # ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory # and do whatever other normal SLF4J configuration that you normally would do for your application. ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator #=========================================================================== # ESAPI Authenticator # Authenticator.AllowedLoginAttempts=3 Authenticator.MaxOldPasswordHashes=13 Authenticator.UsernameParameterName=username Authenticator.PasswordParameterName=password # RememberTokenDuration (in days) Authenticator.RememberTokenDuration=14 # Session Timeouts (in minutes) Authenticator.IdleTimeoutDuration=20 Authenticator.AbsoluteTimeoutDuration=120 #=========================================================================== # ESAPI Encoder # # ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. # Failure to canonicalize input is a very common mistake when implementing validation schemes. # Canonicalization is automatic when using the ESAPI Validator, but you can also use the # following code to canonicalize data. # # ESAPI.Encoder().canonicalize( "%22hello world"" ); # # Multiple encoding is when a single encoding format is applied multiple times. Allowing # multiple encoding is strongly discouraged. Encoder.AllowMultipleEncoding=false # Mixed encoding is when multiple different encoding formats are applied, or when # multiple formats are nested. Allowing multiple encoding is strongly discouraged. Encoder.AllowMixedEncoding=false # The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs # for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or # inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important. Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec #=========================================================================== # ESAPI Encryption # # The ESAPI Encryptor provides basic cryptographic functions with a simplified API. # To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor # There is not currently any support for key rotation, so be careful when changing your key and salt as it # will invalidate all signed, encrypted, and hashed data. # # WARNING: Not all combinations of algorithms and key lengths are supported. # If you choose to use a key length greater than 128, you MUST download the # unlimited strength policy files and install in the lib directory of your JRE/JDK. # See http://java.sun.com/javase/downloads/index.jsp for more information. # # ***** IMPORTANT: Do NOT forget to replace these with your own values! ***** # To calculate these values, you can run: # java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor # #Encryptor.MasterKey= #Encryptor.MasterSalt= # Provides the default JCE provider that ESAPI will "prefer" for its symmetric # encryption and hashing. (That is it will look to this provider first, but it # will defer to other providers if the requested algorithm is not implemented # by this provider.) If left unset, ESAPI will just use your Java VM's current # preferred JCE provider, which is generally set in the file # "$JAVA_HOME/jre/lib/security/java.security". # # The main intent of this is to allow ESAPI symmetric encryption to be # used with a FIPS 140-2 compliant crypto-module. For details, see the section # "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in # the ESAPI 2.0 Symmetric Encryption User Guide, at: # http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html # However, this property also allows you to easily use an alternate JCE provider # such as "Bouncy Castle" without having to make changes to "java.security". # See Javadoc for SecurityProviderLoader for further details. If you wish to use # a provider that is not known to SecurityProviderLoader, you may specify the # fully-qualified class name of the JCE provider class that implements # java.security.Provider. If the name contains a '.', this is interpreted as # a fully-qualified class name that implements java.security.Provider. # # NOTE: Setting this property has the side-effect of changing it in your application # as well, so if you are using JCE in your application directly rather than # through ESAPI (you wouldn't do that, would you? ;-), it will change the # preferred JCE provider there as well. # # Default: Keeps the JCE provider set to whatever JVM sets it to. Encryptor.PreferredJCEProvider= # AES is the most widely used and strongest encryption algorithm. This # should agree with your Encryptor.CipherTransformation property. # Warning: This property does not control the default reference implementation for # ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped # in the future. # @deprecated Encryptor.EncryptionAlgorithm=AES # For ESAPI Java 2.0 - New encrypt / decrypt methods use this. Encryptor.CipherTransformation=AES/CBC/PKCS5Padding # Applies to ESAPI 2.0 and later only! # Comma-separated list of cipher modes that provide *BOTH* # confidentiality *AND* message authenticity. (NIST refers to such cipher # modes as "combined modes" so that's what we shall call them.) If any of these # cipher modes are used then no MAC is calculated and stored # in the CipherText upon encryption. Likewise, if one of these # cipher modes is used with decryption, no attempt will be made # to validate the MAC contained in the CipherText object regardless # of whether it contains one or not. Since the expectation is that # these cipher modes support support message authenticity already, # injecting a MAC in the CipherText object would be at best redundant. # # Note that as of JDK 1.5, the SunJCE provider does not support *any* # of these cipher modes. Of these listed, only GCM and CCM are currently # NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports # GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other # padding modes. Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC # Applies to ESAPI 2.0 and later only! # Additional cipher modes allowed for ESAPI 2.0 encryption. These # cipher modes are in _addition_ to those specified by the property # 'Encryptor.cipher_modes.combined_modes'. # DISCUSS: Better name? Encryptor.cipher_modes.additional_allowed=CBC # Default key size to use for cipher specified by Encryptor.EncryptionAlgorithm. # Note that this MUST be a valid key size for the algorithm being used # (as specified by Encryptor.EncryptionAlgorithm). So for example, if AES is used, # it must be 128, 192, or 256. If DESede is chosen, then it must be either 112 or 168. # # Note that 128-bits is almost always sufficient and for AES it appears to be more # somewhat more resistant to related key attacks than is 256-bit AES.) # # Defaults to 128-bits if left blank. # # NOTE: If you use a key size > 128-bits, then you MUST have the JCE Unlimited # Strength Jurisdiction Policy files installed!!! # Encryptor.EncryptionKeyLength=128 # This is the _minimum_ key size (in bits) that we allow with ANY symmetric # cipher for doing encryption. (There is no minimum for decryption.) # # Generally, if you only use one algorithm, this should be set the same as # the Encryptor.EncryptionKeyLength property. Encryptor.MinEncryptionKeyLength=128 # Because 2.x uses CBC mode by default, it requires an initialization vector (IV). # (All cipher modes except ECB require an IV.) Previously there were two choices: we can either # use a fixed IV known to both parties or allow ESAPI to choose a random IV. The # former was deprecated in ESAPI 2.2 and removed in ESAPI 2.3. It was not secure # because the Encryptor (as are all the other major ESAPI components) is a # singleton and thus the same IV would get reused each time. It was not a # well-thought out plan. (To do it correctly means we need to add a setIV() method # and get rid of the Encryptor singleton, thus it will not happen until 3.0.) # However, while the IV does not need to be hidden from adversaries, it is important that the # adversary not be allowed to choose it. Thus for now, ESAPI just chooses a random IV. # Originally there was plans to allow a developer to provide a class and method # name to define a custom static method to generate an IV, but that is just # trouble waiting to happen. Thus in effect, the ONLY acceptable property value # for this property is "random". In the not too distant future (possibly the # next release), I will be removing it, but for now I am leaving this and # checking for it so a ConfigurationException can be thrown if anyone using # ESAPI ignored the deprecation warning message and still has it set to "fixed". # # Valid values: random Encryptor.ChooseIVMethod=random # Whether or not CipherText should use a message authentication code (MAC) with it. # This prevents an adversary from altering the IV as well as allowing a more # fool-proof way of determining the decryption failed because of an incorrect # key being supplied. This refers to the "separate" MAC calculated and stored # in CipherText, not part of any MAC that is calculated as a result of a # "combined mode" cipher mode. # # If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also # set this property to false. That is because ESAPI takes the master key and # derives 2 keys from it--a key for the MAC and a key for encryption--and # because ESAPI is not itself FIPS 140-2 verified such intermediary aterations # to keys from FIPS approved sources would have the effect of making your FIPS # approved key generation and thus your FIPS approved JCE provider unapproved! # More details in # documentation/esapi4java-core-2.0-readme-crypto-changes.html # documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html # You have been warned. Encryptor.CipherText.useMAC=true # Whether or not the PlainText object may be overwritten and then marked # eligible for garbage collection. If not set, this is still treated as 'true'. Encryptor.PlainText.overwrite=true # Do not use DES except in a legacy situations. 56-bit is way too small key size. #Encryptor.EncryptionKeyLength=56 #Encryptor.MinEncryptionKeyLength=56 #Encryptor.EncryptionAlgorithm=DES # TripleDES is considered strong enough for most purposes. # Note: There is also a 112-bit version of DESede. Using the 168-bit version # requires downloading the special jurisdiction policy from Sun. #Encryptor.EncryptionKeyLength=168 #Encryptor.MinEncryptionKeyLength=112 #Encryptor.EncryptionAlgorithm=DESede Encryptor.HashAlgorithm=SHA-512 Encryptor.HashIterations=1024 # Was 'SHA1withDSA', but that won't support 2048 key sizes. Change back for # backward compatibility. Encryptor.DigitalSignatureAlgorithm=SHA256withDSA # Was 1024. Change this back if you require backward compatibility. Encryptor.DigitalSignatureKeyLength=2048 # SHA1 is fine as a CSRNG; no need to use anything else. Encryptor.RandomAlgorithm=SHA1PRNG Encryptor.CharacterEncoding=UTF-8 # This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function # (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and # *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for # the MAC, mostly to keep the overall size at a minimum.) # # Currently supported choices for JDK 1.5 and 1.6 are: # HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and # HmacSHA512 (512 bits). # Note that HmacMD5 is *not* supported for the PRF used by the KDF even though # the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide # further details. Encryptor.KDF.PRF=HmacSHA256 #=========================================================================== # ESAPI HttpUtilties # # The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods # protect against malicious data from attackers, such as unprintable characters, escaped characters, # and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies, # headers, and CSRF tokens. # # Default file upload location (remember to escape backslashes with \\) # HttpUtilities.UploadDir=C:\\ESAPI\\testUpload HttpUtilities.UploadTempDir=C:\\temp # Force flags on cookies, if you use HttpUtilities to set cookies HttpUtilities.ForceHttpOnlySession=false HttpUtilities.ForceSecureSession=false HttpUtilities.ForceHttpOnlyCookies=true HttpUtilities.ForceSecureCookies=true # Maximum size of HTTP header key--the validator regex may have additional values. HttpUtilities.MaxHeaderNameSize=256 # Maximum size of HTTP header value--the validator regex may have additional values. HttpUtilities.MaxHeaderValueSize=4096 # Maximum size of JSESSIONID for the application--the validator regex may have additional values. HttpUtilities.HTTPJSESSIONIDLENGTH=50 # Maximum length of a URL (see https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers) HttpUtilities.URILENGTH=2000 # Maximum length of a redirect HttpUtilities.maxRedirectLength=512 # Maximum length for an http scheme HttpUtilities.HTTPSCHEMELENGTH=10 # Maximum length for an http host HttpUtilities.HTTPHOSTLENGTH=100 # Maximum length for an http path HttpUtilities.HTTPPATHLENGTH=150 #Maximum length for a context path HttpUtilities.contextPathLength=150 #Maximum length for an httpServletPath HttpUtilities.HTTPSERVLETPATHLENGTH=100 #Maximum length for an http query parameter name HttpUtilities.httpQueryParamNameLength=100 #Maximum length for an http query parameter -- old default was 2000, but that's the max length for a URL... HttpUtilities.httpQueryParamValueLength=500 # File upload configuration HttpUtilities.ApprovedUploadExtensions=.pdf,.doc,.docx,.ppt,.pptx,.xls,.xlsx,.rtf,.txt,.jpg,.png HttpUtilities.MaxUploadFileBytes=500000000 # Maximum # of files that can be uploaded per HTTP request. # Set to -1 for no maximum. Related to CVE-2023-24998. HttpUtilities.MaxUploadFileCount=20 # Allowing anonymous users to do file uploads via HTTPUtilities.getFileUploads # can make it easier for DoS attacks via uploading files easier. (See Security Bulletin #11, # https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin11.pdf # for details). # # By default, we allow anonymous users to upload files because we can only rely on # ESAPI.authenticator().getCurrentUser() to determine if a user associated # with the current HTTP session is authenticated and almost no one uses the # ESAPI Authenticator because the reference implementation is just a toy # implementation and is not enterprise scalable. # # If you are using the ESAPI Authenticator (the ESAPI reference implementation # or you've implemented your own custom one), then you can set this property value # to 'false' to disallow anonymous (i.e., unauthenticated) users to upload # files. However, if you are not using the ESAPI Authenticator, then you should # probably leave this set to 'false', otherwise you will completely prevent the # use of HTTPUtilities.getFileUploads methods. # HttpUtilities.FileUploadAllowAnonymousUser=true # Using UTF-8 throughout your stack is highly recommended. That includes your database driver, # container, and any other technologies you may be using. Failure to do this may expose you # to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization. HttpUtilities.ResponseContentType=text/html; charset=UTF-8 # This is the name of the cookie used to represent the HTTP session # Typically this will be the default "JSESSIONID" HttpUtilities.HttpSessionIdName=JSESSIONID #Sets whether or not we will overwrite http status codes to 200. HttpUtilities.OverwriteStatusCodes=true #Sets the application's base character encoding. This is forked from the Java Encryptor property. HttpUtilities.CharacterEncoding=UTF-8 #=========================================================================== # ESAPI Executor # CHECKME - This should be made OS independent. Don't use unsafe defaults. # # Examples only -- do NOT blindly copy! # For Windows: # Executor.WorkingDirectory=C:\\Windows\\Temp # Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe # For *nux, MacOS: # Executor.WorkingDirectory=/tmp # Executor.ApprovedExecutables=/bin/bash Executor.WorkingDirectory= Executor.ApprovedExecutables= #=========================================================================== # ESAPI Logging # Set the application name if these logs are combined with other applications Logger.ApplicationName=ExampleApplication # If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true Logger.LogEncodingRequired=false # Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. Logger.LogApplicationName=true # Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. Logger.LogServerIP=true # Determines whether ESAPI should log the user info. Logger.UserInfo=true # Determines whether ESAPI should log the session id and client IP. Logger.ClientInfo=true # Determines whether ESAPI should log the prefix of [EVENT_TYPE - APPLICATION NAME]. # If all above Logger entries are set to false, as well as LogPrefix, then the output would be the same as if no ESAPI was used Logger.LogPrefix=true #=========================================================================== # ESAPI Intrusion Detection # # Each event has a base to which .count, .interval, and .action are added # The IntrusionException will fire if we receive "count" events within "interval" seconds # The IntrusionDetector is configurable to take the following actions: log, logout, and disable # (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable # # Custom Events # Names must start with "event." as the base # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here # You can also disable intrusion detection completely by changing # the following parameter to true # IntrusionDetector.Disable=false # IntrusionDetector.event.test.count=2 IntrusionDetector.event.test.interval=10 IntrusionDetector.event.test.actions=disable,log # Exception Events # All EnterpriseSecurityExceptions are registered automatically # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException # Use the fully qualified classname of the exception as the base # any intrusion is an attack IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout # for test purposes # CHECKME: Shouldn't there be something in the property name itself that designates # that these are for testing??? IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout # rapid validation errors indicate scans or attacks in progress # org.owasp.esapi.errors.ValidationException.count=10 # org.owasp.esapi.errors.ValidationException.interval=10 # org.owasp.esapi.errors.ValidationException.actions=log,logout # sessions jumping between hosts indicates session hijacking IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout #=========================================================================== # ESAPI Validation # # The ESAPI Validator works on regular expressions with defined names. You can define names # either here, or you may define application specific patterns in a separate file defined below. # This allows enterprises to specify both organizational standards as well as application specific # validation rules. # # Use '\p{L}' (without the quotes) within the character class to match # any Unicode LETTER. You can also use a range, like: \u00C0-\u017F # You can also use any of the regex flags as documented at # https://docs.oracle.com/javase/tutorial/essential/regex/pattern.html, e.g. (?u) # Validator.ConfigurationFile=validation.properties # Validators used by ESAPI Validator.AccountName=^[a-zA-Z0-9]{3,20}$ Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$ Validator.RoleName=^[a-z]{1,20}$ #the word TEST below should be changed to your application #name - only relative URL's are supported Validator.Redirect=^\\/test.*$ # Global HTTP Validation Rules # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ # Note that headerName and Value length is also configured in the HTTPUtilities section Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$ Validator.HTTPURL=^.*$ Validator.HTTPJSESSIONID=^[A-Z0-9]{10,32}$ # Contributed by Fraenku@gmx.ch # Github Issue 126 https://github.com/ESAPI/esapi-java-legacy/issues/126 Validator.HTTPParameterName=^[a-zA-Z0-9_\\-]{1,32}$ Validator.HTTPParameterValue=^[-\\p{L}\\p{N}./+=_ !$*?@]{0,1000}$ Validator.HTTPContextPath=^/[a-zA-Z0-9.\\-_]*$ Validator.HTTPQueryString=^([a-zA-Z0-9_\\-]{1,32}=[\\p{L}\\p{N}.\\-/+=_ !$*?@%]*&?)*$ Validator.HTTPURI=^/([a-zA-Z0-9.\\-_]*/?)*$ # Validation of file related input Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ # Validation of dates. Controls whether or not 'lenient' dates are accepted. # See DataFormat.setLenient(boolean flag) for further details. Validator.AcceptLenientDates=false # ~~~~~ Important Note ~~~~~ # This is a workaround to make sure that a commit to address GitHub issue #509 # doesn't accidentally break someone's production code. So essentially what we # are doing is to reverting back to the previous possibly buggy (by # documentation intent at least), but, by now, expected legacy behavior. # Prior to the code changes for issue #509, if invalid / malicious HTML input was # observed, AntiSamy would simply attempt to sanitize (cleanse) it and it would # only be logged. However, the code change made ESAPI comply with its # documentation, which stated that a ValidationException should be thrown in # such cases. Unfortunately, changing this behavior--especially when no one is # 100% certain that the documentation was correct--could break existing code # using ESAPI so after a lot of debate, issue #521 was created to restore the # previous behavior, but still allow the documented behavior. (We did this # because it wasn't really causing an security issues since AntiSamy would clean # it up anyway and we value backward compatibility as long as it doesn't clearly # present security vulnerabilities.) # More defaults about this are written up under GitHub issue #521 and # the pull request it references. Future major releases of ESAPI (e.g., ESAPI 3.x) # will not support this previous behavior, but it will remain for ESAPI 2.x. # Set this to 'throw' if you want the originally intended behavior of throwing # that was fixed via issue #509. Set to 'clean' if you want want the HTML input # sanitized instead. # # Possible values: # clean -- Use the legacy behavior where unsafe HTML input is logged and the # sanitized (i.e., clean) input as determined by AntiSamy and your # AntiSamy rules is returned. This is the default behavior if this # new property is not found. # throw -- The new, presumably correct and originally intended behavior where # a ValidationException is thrown when unsafe HTML input is # encountered. # #Validator.HtmlValidationAction=clean Validator.HtmlValidationAction=throw # With the fix for #310 to enable loading antisamy-esapi.xml from the classpath # also an enhancement was made to be able to use a different filename for the configuration. # You don't have to configure the filename here, but in that case the code will keep looking for antisamy-esapi.xml. # This is the default behaviour of ESAPI. # #Validator.HtmlValidationConfigurationFile=antisamy-esapi.xml ######################################################################################## # The following methods are now disabled in the default configuration and must # be explicity enabled. If you try to invoke a method disabled by default, ESAPI # will thrown a NotConfiguredByDefaultException. # # The reason for this varies, but ranges from they are not really suitable for # enterprise scale to that are only marginally tested (if at all) versus the are # unsafe for general use, although them may be fine when combined with other # security-in-depth techiques. # # The disabled-by-default methods are: # org.owasp.esapi.reference.DefaultEncoder.encodeForSQL # org.owasp.esapi.ESAPI.accessController [FUTURE; will correspond to deprecation notice] # # Mote details to explain this may be found in the ESAPI GitHub wiki article at # https://github.com/ESAPI/esapi-java-legacy/wiki/Reducing-the-ESAPI-Library's-Attack-Surface ########### # The format is a comma-separated list of fully.Qualified.ClassName.methodName; # all class names must begin with "org.owasp.esapi.". ESAPI.dangerouslyAllowUnsafeMethods.methodNames= ########### # Normally you would put some text here (that will be logged) that provides some # justification as to why you have enabled these functions. This can be # anythuing such as a Jira or ServiceNow ticket number, a security exception # reference, etc. If it is left empty, it will just like "Justification: none".` ESAPI.dangerouslyAllowUnsafeMethods.justification=