OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License

Automatic module name not included in manifest #66

Closed afloarea closed 1 month ago

afloarea commented 1 year ago

Hello,

I have tried using the core encoder in a project with Java 9+ modules, but the automatic module name is missing from the jar manifest (version 1.2.3), even though I saw some configuration in the pom.xml for the automatic module name manifest entry:

Manifest-Version: 1.0
Bundle-Description: The OWASP Encoders package is a collection of high
 -performance low-overhead        contextual encoders, that when utili
 zed correctly, is an effective tool in        preventing Web Applicat
 ion security vulnerabilities such as Cross-Site        Scripting.
Bundle-License: http://www.opensource.org/licenses/BSD-3-Clause
Bundle-SymbolicName: org.owasp.encoder
Built-By: jeremy
Bnd-LastModified: 1604861240860
Bundle-ManifestVersion: 2
Bundle-DocURL: https://www.owasp.org/
Bundle-Vendor: OWASP (Open Web-Application Security Project)
Tool: Bnd-3.3.0.201609221906
Originally-Created-By: Apache Maven Bundle Plugin
Export-Package: org.owasp.encoder;version="1.2.3"
Bundle-Name: Java Encoder
Bundle-Version: 1.2.3
Created-By: Apache Maven Bundle Plugin
Build-Jdk: 1.8.0_212

Extra: Have you considered using multi-release jars to include a module-info.java file for Java 9+? It seems straightforward (for the core subproject at least) since it only has 1 package and no dependencies (and requires using a JDK 9+). I might be missing something regarding OSGi though. Diff

In any case, thank you for maintaining this project.
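A release-time check for the condition reported above, as an added example that is not part of the original issue or the project's build: it unfolds the manifest's continuation lines and reports whether a jar carries a module descriptor, an `Automatic-Module-Name` entry, or neither. The helper names and the `example.encoder` value used in testing are assumptions, and the jars are constructed in memory.

```python
import io
import re
import zipfile

# Excerpt of the manifest quoted in the issue (continuation lines start with one space).
PAGE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Bundle-Description: The OWASP Encoders package is a collection of high\r\n"
    " -performance low-overhead        contextual encoders, that when utili\r\n"
    " zed correctly, is an effective tool in        preventing Web Applicat\r\n"
    " ion security vulnerabilities such as Cross-Site        Scripting.\r\n"
    "Bundle-SymbolicName: org.owasp.encoder\r\n"
    "\r\n"
)

def parse_main_attributes(text):
    """Parse the manifest main section, unfolding continuation lines."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line:                       # blank line ends the main section
            break
        if line.startswith(" ") and last:  # continuation of the previous value
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed manifest line: {line!r}")
        last = name.lower()                # attribute names are case-insensitive
        attrs[last] = value
    return attrs

def make_jar(manifest, entries=()):
    """Build a constructed in-memory jar (hypothetical helper for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name in entries:
            jar.writestr(name, b"")        # empty placeholder; only presence is checked
    return buf.getvalue()

def module_identity(jar_bytes):
    """Return (kind, detail): how a Java 9+ module path would name this jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        attrs = parse_main_attributes(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    versioned = sorted(n for n in names
                       if re.fullmatch(r"META-INF/versions/\d+/module-info\.class", n))
    if "module-info.class" in names:
        return ("explicit", "module-info.class")
    if attrs.get("multi-release", "").lower() == "true" and versioned:
        return ("explicit", versioned[0])
    if "automatic-module-name" in attrs:
        return ("automatic-manifest", attrs["automatic-module-name"])
    return ("automatic-filename", None)    # name would be derived from the jar file name
```

A result of `automatic-filename` matches the situation in the report: with no manifest entry and no descriptor, the module name depends on what the jar file happens to be called.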

jeremylong commented 1 month ago

@kwwall see https://github.com/OWASP/owasp-java-encoder/pull/77 - does ESAPI have a Java 9 module name we need to add a requires for?

kwwall commented 1 month ago

> @kwwall see #77 - does ESAPI have a Java 9 module name we need to add a requires for?

@jeremylong - Sorry for the late reply. I was AFKB over the weekend to attend a funeral. ESAPI supports JDK 8 as the minimal JDK, so we didn't think it made sense to specify a module-info.java and a module name. So, no; there is nothing you need to add for ESAPI.