slocumbf / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

DefaultEncoder does not use custom codecs #16

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Call the DefaultEncoder constructor with a List of Codecs as parameter and pass a list containing a customized JavaScriptCodec that implements the Codec interface.
2. Then call the encodeForJavascript method and pass a string.
3. The encoding performed on the string is the default encoding, not the intended custom encoding as per the codec object passed in the codecs list that is passed to the constructor.

What is the expected output? What do you see instead?
The encoding should be done as per the customized encodeCharacter method, but it is done using the default encodeCharacter method (belonging to the org.owasp.esapi.codecs.JavaScriptCodec class).

What version of the product are you using? On what operating system?
Using owasp-esapi-full-java-1.4.jar, Windows XP.

Please provide any additional information below.
I saw the DefaultEncoder code and in the DefaultEncoder(List list) at line 70, I see that the codecs member is being updated, but then the private Codec variables are not being updated with the ones that are contained in the codec list.
Fix in my opinion:
I think the codec list should be looped through and, based on the codec objects contained, the corresponding private codec members should be updated. E.g.: if the codecs list passed has a JavaScriptCodec object, the private member javaScriptCodec should be updated with the object in the codecs list, so that eventually its encodeCharacter will be called instead of the method from the default value (the org.owasp.esapi.codecs.JavaScriptCodec class).

Original issue reported on code.google.com by rpal...@gmail.com on 21 May 2009 at 4:51

GoogleCodeExporter commented 9 years ago
While the documentation does not indicate this, what's going on here is that the
constructor for the DefaultEncoder is designed to take in a list of codecs for
*canonicalization*, not for regular encodeFor...() methods.

I don't see any information in the interface doc about this constructor
functionality, which is problem #1. I guess we just made this up for the 
Default :-)

Problem #2 is that if someone wants to do something reasonable like you are doing, just replace a specific codec, they must also replace DefaultEncoder with their own implementation to press the new codec into use. I think it would be much better to move to a plug-in architecture where plug-ins register themselves with the encoder with a specific target ('javascript'), and the encoder, when called, can hand the request off to whichever plug-in is registered with the appropriate target.

Such a plug-in system wouldn't need to modify the API, and would make the
DefaultEncoder much easier to extend.

Original comment by cyounk...@gmail.com on 22 Jul 2009 at 3:52
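The registry-style design suggested in this comment, applied to the custom-codec scenario from the original report, as an added example that is not ESAPI's own code: the Codec, JavaScriptCodec, ShortQuoteJavaScriptCodec and RegistryEncoder classes below are hypothetical stand-ins written for this thread, not the org.owasp.esapi types, and the custom codec overrides encodeCharacter the way the reporter describes.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the ESAPI Codec interface: a per-character hook
// (the method the reporter's custom codec overrides) plus a string-level driver.
abstract class Codec {
    abstract String encodeCharacter(char c);
    String encode(String input) {
        StringBuilder sb = new StringBuilder();
        for (char c : input.toCharArray()) sb.append(encodeCharacter(c));
        return sb.toString();
    }
}

// Stand-in default JavaScript codec: ASCII letters/digits pass through,
// everything else becomes a \xHH or \uHHHH escape.
class JavaScriptCodec extends Codec {
    String encodeCharacter(char c) {
        if (c < 128 && Character.isLetterOrDigit(c)) return String.valueOf(c);
        return c < 256 ? String.format("\\x%02X", (int) c) : String.format("\\u%04X", (int) c);
    }
}

// Customised codec of the kind described in the report: same as the default,
// except the apostrophe is emitted as \' instead of a hex escape.
class ShortQuoteJavaScriptCodec extends JavaScriptCodec {
    @Override String encodeCharacter(char c) { return c == '\'' ? "\\'" : super.encodeCharacter(c); }
}

// Registry-based encoder: codecs are registered under a target name and each
// encodeFor...() method dispatches to whatever is registered for its target,
// so replacing one codec no longer requires replacing the whole encoder.
class RegistryEncoder {
    private final Map<String, Codec> codecs = new HashMap<>();

    RegistryEncoder() { register("javascript", new JavaScriptCodec()); } // built-in default

    void register(String target, Codec codec) { codecs.put(target, codec); }

    String encodeForJavaScript(String input) {
        Codec codec = codecs.get("javascript");
        if (codec == null) throw new IllegalStateException("no codec registered for target 'javascript'");
        return codec.encode(input);
    }

    public static void main(String[] args) {
        RegistryEncoder enc = new RegistryEncoder();
        System.out.println(enc.encodeForJavaScript("a'b"));      // handled by the default codec
        enc.register("javascript", new ShortQuoteJavaScriptCodec());
        System.out.println(enc.encodeForJavaScript("a'b"));      // now handled by the custom codec
    }
}
```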

GoogleCodeExporter commented 9 years ago
This should be resolved with the Encoder API Cleanup - Issue 68
http://code.google.com/p/owasp-esapi-java/issues/detail?id=68

If this does not address the problem fully, please reopen this issue; for the time being I am marking this as a duplicate and closing.

Original comment by chrisisbeef on 2 Dec 2009 at 7:53