Contextual Output Encoding is a computer programming technique necessary to stop Cross-Site Scripting. This project is a Java 1.8+ simple-to-use drop-in high-performance encoder class with little baggage.
For more detailed documentation on the OWASP Java Encoder please visit https://owasp.org/www-project-java-encoder/.
You can download a JAR from Maven Central.
JSP tags and EL functions are available in the encoder-jsp, also available:
- encoder-jakarta-jsp - Servlet Spec 5.0
- encoder-jsp - Servlet Spec 3.0
The jars are also available in Central:
<dependency> <groupId>org.owasp.encoder</groupId> <artifactId>encoder</artifactId> <version>1.3.0</version> </dependency> <!-- using Servlet Spec 5 in the jakarta.servlet package use: --> <dependency> <groupId>org.owasp.encoder</groupId> <artifactId>encoder-jakarta-jsp</artifactId> <version>1.3.0</version> </dependency> <!-- using the Legacy Servlet Spec in the javax.servlet package use: --> <dependency> <groupId>org.owasp.encoder</groupId> <artifactId>encoder-jsp</artifactId> <version>1.3.0</version> </dependency>
The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.2.3.jar, import org.owasp.encoder.Encode and start using.
Example usage:
PrintWriter out = ....; out.println("<textarea>"+Encode.forHtml(userData)+"</textarea>");
Please look at the javadoc for Encode to see the variety of contexts for which you can encode.
Happy Encoding!
Due to test cases for the encoder-jakarta-jsp project Java 17 is required to package and test
the project. Simply run:
mvn package
To run the Jakarta JSP intgration test, to validate that the JSP Tags and EL work correctly run:
mvn verify -PtestJakarta
- Note that the above test may fail on modern Apple silicon.
| JAR | Module Name |
|---|---|
| encoder | owasp.encoder |
| encoder-jakarta-jsp | owasp.encoder.jakarta |
| encoder-jsp | owasp.encoder.jsp |
| encoder-espai | owasp.encoder.esapi |
| Lib | TagLib |
|---|---|
| encoder-jakarta-jsp | <%@taglib prefix="e" uri="owasp.encoder.jakarta"%> |
| encoder-jsp | <%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project"%> |
The team is happy to announce that version 1.3.1 has been released!
- fix: add OSGi related entries in the MANIFEST.MF file (#82).
- fix: java.lang.NoSuchMethodError when running on Java 8 (#80).
The team is happy to announce that version 1.3.0 has been released!
- Minimum JDK Requirement is now Java 8
- Requires Java 17 to build due to test case dependencies.
- Adds Java 9 Module name via Multi-Release Jars (#77).
- Fixed compilation errors with the ESAPI Thunk (#76).
- Adds support for Servlet Spec 5 using the
jakarta.servlet.*(#75).- taglib : <%@taglib prefix="e" uri="owasp.encoder.jakarta"%>
The team is happy to announce that version 1.2.3 has been released!
- Update to make the manifest OSGi-compliant (#39).
- Update to support ESAPI 2.2 and later (#37).
The team is happy to announce that version 1.2.2 has been released!
- This is a minor release fixing documentation and licensing issues.
The team is happy to announce that version 1.2.1 has been released!
- The CDATA Encoder was modified so that it does not emit intermediate characters between adjacent CDATA sections.
- The documentation on gh-pages has been improved.
OWASP Java Encoder has been moved to GitHub. Version 1.2 was also released!
Please visit https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project to see detailed documentation and examples on each API use!
We're happy to announce that version 1.1.1 has been released. Along with a important bug fix, we added ESAPI integration to replace the legacy ESAPI encoders with the OWASP Java Encoder.
We're happy to announce that version 1.1 has been released. Along with a few minor encoding enhancements, we improved performance, and added a JSP tag and function library.