updated maven site to use reflow
diff --git a/core/pom.xml b/core/pom.xml
index 7fafdac..edd9bb5 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -49,7 +49,7 @@
 <artifactId>encoder</artifactId>
 <packaging>jar</packaging>
- <name>OWASP Encoders</name>
+ <name>Java Encoder</name>
 <description>
 The OWASP Encoders package is a collection of high-performance low-overhead
 contextual encoders, that when utilized correctly, is an effective tool in
diff --git a/core/src/main/java/org/owasp/encoder/Encode.java b/core/src/main/java/org/owasp/encoder/Encode.java
index 3e3dc59..1d3d406 100644
--- a/core/src/main/java/org/owasp/encoder/Encode.java
+++ b/core/src/main/java/org/owasp/encoder/Encode.java
@@ -78,41 +78,40 @@
 * <input value="<%=Encode.forHtml(unsafeData)%>" />
 * </pre>
 *
- * <table border="0" summary="Shows the input and results of encoding">
+ * <table border="0" class="memberSummary" summary="Shows the input and results of encoding">
 * <caption><b>Encoding Table</b></caption>
 * <thead>
- * <tr bgcolor="#ccf">
- * <th align="left">Input</th>
- * <th align="left">Result</th>
+ * <tr>
+ * <th align="left" class="colFirst">Input</th>
+ * <th align="left" class="colLast">Result</th>
 * </tr>
 * </thead>
 * <tbody>
- * <tr>
- * <td>“{@code &}”</td>
- * <td>“{@code &}”</td>
+ * <tr class="altColor">
+ * <td class="colFirst">{@code &}</td>
+ * <td class="colLast">{@code &}</td>
 * </tr>
- * <tr>
- * <td>“{@code <}”</td>
- * <td>“{@code <}”</td>
+ * <tr class="rowColor">
+ * <td class="colFirst">{@code <}</td>
+ * <td class="colLast">{@code <}</td>
 * </tr>
- * <tr>
- * <td>“{@code >}”</td>
- * <td>“{@code >}”</td>
+ * <tr class="altColor">
+ * <td class="colFirst">{@code >}</td>
+ * <td class="colLast">{@code >}</td>
 * </tr>
- * <tr>
- * <td>“{@code "}”</td>
- * <td>“{@code "}”</td>
+ * <tr class="rowColor">
+ * <td class="colFirst">{@code "}</td>
+ * <td class="colLast">{@code "}</td>
 * </tr>
- * <tr>
- * <td>“{@code '}”</td>
- * <td>“{@code '}”</td>
+ * <tr class="altColor">
+ * <td class="colFirst">{@code '}</td>
+ * <td class="colLast">{@code '}</td>
 * </tr>
 * </tbody>
 * </table>
 *
- * <b>Additional Notes</b>
+ * <p><b>Additional Notes</b></p>
 * <ul>
- *
 * <li>The encoding of the greater-than sign ({@code >}) is not
 * strictly required, but is included for maximum
 * compatibility.</li>
@@ -132,7 +131,6 @@
 * as they could lead to parsing errors. In particular only {@code #x9
 * | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] |
 * [#x10000-#x10FFFF]} are considered valid.</li>
- *
 * </ul>
 *
 * @param input the data to encode
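Review bot: The table markup now hard-codes the JDK javadoc stylesheet's own class names (`memberSummary`, `colFirst`, `colLast`, `altColor`, `rowColor`) in every encoding table of this file, here and in the hunks that follow. Those names are an implementation detail of the stylesheet shipped with a particular javadoc version rather than a documented contract, so a later JDK that restyles its tables would presumably leave these tables unstyled with no build error to point at the cause. The `summary` and `align` attributes retained on `<table>`/`<th>` are also likely to be rejected by doclint once the build emits HTML5 output. Suggest a short comment above the first table recording which javadoc version the class names were taken from, e.g. `// CSS classes below mirror the JDK <VERSION> javadoc stylesheet; revisit on JDK upgrade`, so the dependency is visible when the build's JDK changes.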
@@ -164,33 +162,32 @@
 * <pre>
 * <div><%=Encode.forHtmlContent(unsafeData)%></div>
 * </pre>
- * <table border="0" summary="Shows the input and results of encoding">
+ * <table border="0" class="memberSummary" summary="Shows the input and results of encoding">
 * <caption><b>Encoding Table</b></caption>
 * <thead>
- * <tr bgcolor="#ccf">
- * <th align="left">Input</th>
- * <th align="left">Result</th>
+ * <tr>
+ * <th align="left" class="colFirst">Input</th>
+ * <th align="left" class="colLast">Result</th>
 * </tr>
 * </thead>
 * <tbody>
- * <tr>
- * <td>“{@code &}”</td>
- * <td>“{@code &}”</td>
+ * <tr class="altColor">
+ * <td class="colFirst">{@code &}</td>
+ * <td class="colLast">{@code &}</td>
 * </tr>
- * <tr>
- * <td>“{@code <}”</td>
- * <td>“{@code <}”</td>
+ * <tr class="rowColor">
+ * <td class="colFirst">{@code <}</td>
+ * <td class="colLast">{@code <}</td>
 * </tr>
- * <tr>
- * <td>“{@code >}”</td>
- * <td>“{@code >}”</td>
+ * <tr class="altColor">
+ * <td class="colFirst">{@code >}</td>
+ * <td class="colLast">{@code >}</td>
 * </tr>
 * </tbody>
 * </table>
 *
- * <b>Additional Notes</b>
+ * <p><b>Additional Notes</b></p>
 * <ul>
- *
 * <li>Single-quote character ({@code '}) and double-quote
 * character ({@code "}) do not require encoding in HTML
 * blocks, unlike other HTML contexts.</li>
@@ -211,7 +208,6 @@
 * as they could lead to parsing errors. In particular only {@code #x9
 * | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] |
 * [#x10000-#x10FFFF]} are considered valid.</li>
- *
 * </ul>
 *
 * @param input the input to encode
@@ -243,37 +239,36 @@
 * <div><%=Encode.forHtml(unsafeData)%></div>
 * </pre>
 *
- * <table border="0" summary="Shows the input and results of encoding">
+ * <table border="0" class="memberSummary" summary="Shows the input and results of encoding">
 * <caption><b>Encoding Table</b></caption>
 * <thead>
- * <tr bgcolor="#ccf">
- * <th align="left">Input</th>
- * <th align="left">Result</th>
+ * <tr>
+ * <th align="left" class="colFirst">Input</th>
+ * <th align="left" class="colLast">Result</th>
 * </tr>
 * </thead>
 * <tbody>
- * <tr>
- * <td>“{@code &}”</td>
- * <td>“{@code &}”</td>
+ * <tr class="altColor">
+ * <td class="colFirst">{@code &}</td>
+ * <td class="colLast">{@code &}</td>
 * </tr>
- * <tr>
- * <td>“{@code <}”</td>
- * <td>“{@code <}”</td>
+ * <tr class="rowColor">
+ * <td class="colFirst">{@code <}</td>
+ * <td class="colLast">{@code <}</td>
 * </tr>
- * <tr>
- * <td>“{@code "}”</td>
- * <td>“{@code "}”</td>
+ * <tr class="altColor">
+ * <td class="colFirst">{@code "}</td>
+ * <td class="colLast">{@code "}</td>
 * </tr>
- * <tr>
- * <td>“{@code '}”</td>
- * <td>“{@code '}”</td>
+ * <tr class="rowColor">
+ * <td class="colFirst">{@code '}</td>
+ * <td class="colLast">{@code '}</td>
 * </tr>
 * </tbody>
 * </table>
 *
- * <b>Additional Notes</b>
+ * <p><b>Additional Notes</b></p>
 * <ul>
- *
 * <li>Both the single-quote character ({@code '}) and the
 * double-quote character ({@code "}) are encoded so this is safe
 * for HTML attributes with either enclosing character.</li>
@@ -296,7 +291,6 @@
 * as they could lead to parsing errors. In particular only {@code #x9
 * | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] |
 * [#x10000-#x10FFFF]} are considered valid.</li>
- *
 * </ul>
 *
 * @param input the input to encode
@@ -344,46 +338,45 @@ * <input value=<%=Encode.forHtmlUnquotedAttribute(input)%> > * </pre> * - * <table border="0" summary="Shows the input and results of encoding"> + * <table border="0" class="memberSummary" summary="Shows the input and results of encoding"> * <caption><b>Encoding Table</b></caption> * <thead> - * <tr bgcolor="#ccf"> - * <th align="left">Input</th> - * <th align="left">Result</th> + * <tr> + * <th align="left" class="colFirst">Input</th> + * <th align="left" class="colLast">Result</th> * </tr> * </thead> * <tbody> - * <tr><td>{@code U+0009} (horizontal tab)</td><td>“{@code 	}”</td></tr> - * <tr><td>{@code U+000A} (line feed)</td><td>“{@code }”</td></tr> - * <tr><td>{@code U+000C} (form feed)</td><td>“{@code }”</td></tr> - * <tr><td>{@code U+000D} (carriage return)</td><td>“{@code }”</td></tr> - * <tr><td>{@code U+0020} (space)</td><td>“{@code  }”</td></tr> - * <tr><td>“{@code &}”</td><td>“{@code &}”</td></tr> - * <tr><td>“{@code <}”</td><td>“{@code <}”</td></tr> - * <tr><td>“{@code >}”</td><td>“{@code >}”</td></tr> - * <tr><td>“{@code "}”</td><td>“{@code "}”</td></tr> - * <tr><td>“{@code '}”</td><td>“{@code '}”</td></tr> - * <tr><td>“{@code /}”</td><td>“{@code /}”</td></tr> - * <tr><td>“{@code =}”</td><td>“{@code =}”</td></tr> - * <tr><td>“{@code `}”</td><td>“{@code `}”</td></tr> - * <tr><td>{@code U+0085} (next line)</td><td>“{@code …}”</td></tr> - * <tr><td>{@code U+2028} (line separator)</td><td>“{@code 
}”</td></tr> - * <tr><td>{@code U+2029} (paragraph separator)</td><td>“{@code 
}”</td></tr> + * <tr class="altColor"><td class="colFirst">{@code U+0009} (horizontal tab)</td><td class="colLast">{@code 	}</td></tr> + * <tr class="rowColor"><td class="colFirst">{@code U+000A} (line feed)</td><td class="colLast">{@code }</td></tr> + * <tr class="altColor"><td class="colFirst">{@code U+000C} (form feed)</td><td class="colLast">{@code }</td></tr> + * <tr class="rowColor"><td class="colFirst">{@code U+000D} (carriage return)</td><td class="colLast">{@code }</td></tr> + * <tr class="altColor"><td class="colFirst">{@code U+0020} (space)</td><td class="colLast">{@code  }</td></tr> + * <tr class="rowColor"><td class="colFirst">{@code &}</td><td class="colLast">{@code &}</td></tr> + * <tr class="altColor"><td class="colFirst">{@code <}</td><td class="colLast">{@code <}</td></tr> + * <tr class="rowColor"><td class="colFirst">{@code >}</td><td class="colLast">{@code >}</td></tr> + * <tr class="altColor"><td class="colFirst">{@code "}</td><td class="colLast">{@code "}</td></tr> + * <tr class="rowColor"><td class="colFirst">{@code '}</td><td class="colLast">{@code '}</td></tr> + * <tr class="altColor"><td class="colFirst">{@code /}</td><td class="colLast">{@code /}</td></tr> + * <tr class="rowColor"><td class="colFirst">{@code =}</td><td class="colLast">{@code =}</td></tr> + * <tr class="altColor"><td class="colFirst">{@code `}</td><td class="colLast">{@code `}</td></tr> + * <tr class="rowColor"><td class="colFirst">{@code U+0085} (next line)</td><td class="colLast">{@code …}</td></tr> + * <tr class="altColor"><td class="colFirst">{@code U+2028} (line separator)</td><td class="colLast">{@code 
}</td></tr> + * <tr class="rowColor"><td class="colFirst">{@code U+2029} (paragraph separator)</td><td class="colLast">{@code 
}</td></tr> * </tbody> * </table> * - * <b>Additional Notes</b> + * <p><b>Additional Notes</b></p> * <ul> - * * <li>The following characters are <i>not</i> encoded: - * {@code 0-9, a-z, A-Z}, “{@code !}”, “{@code - * #}”, “{@code $}”, “{@code %}”, - * “{@code (}”, “{@code )}”, “{@code - * *}”, “{@code +}”, “{@code ,}”, - * “{@code -}”, “{@code .}”, “{@code - * [}”, “{@code \}”, “{@code ]}”, - * “{@code ^}”, “{@code _}”, “{@code - * }}”.</li> + * {@code 0-9, a-z, A-Z}, {@code !}, {@code + * #}, {@code $}, {@code %}, + * {@code (}, {@code )}, {@code + * *}, {@code +}, {@code ,}, + * {@code -}, {@code .}, {@code + * [}, {@code \}, {@code ]}, + * {@code ^}, {@code _}, {@code + * }}.</li> * * <li>Surrogate pairs are passed through only if valid. Invalid * surrogate pairs are replaced by a hyphen (-).</li> @@ -393,7 +386,6 @@ * hyphen (-) character.</li> * * <li>Unicode "non-characters" are replaced by hyphens (-).</li> - * * </ul> * * @param input the attribute value to be encoded. @@ -450,15 +442,15 @@ * * <li>The following characters are encoded using hexidecimal * encodings: {@code U+0000} - {@code U+001f}, - * “{@code "}”, - * “{@code '}”, - * “{@code \}”, - * “{@code <}”, - * “{@code &}”, - * “{@code (}”, - * “{@code )}”, - * “{@code /}”, - * “{@code >}”, + * {@code "}, + * {@code '}, + * {@code \}, + * {@code <}, + * {@code &}, + * {@code (}, + * {@code )}, + * {@code /}, + * {@code >}, * {@code U+007f}, * line separator ({@code U+2028}), * paragraph separator ({@code U+2029}).</li> @@ -528,13 +520,13 @@ * * <li>The following characters are encoded using hexidecimal * encodings: {@code U+0000} - {@code U+001f}, - * “{@code "}”, - * “{@code '}”, - * “{@code \}”, - * “{@code <}”, - * “{@code &}”, - * “{@code /}”, - * “{@code >}”, + * {@code "}, + * {@code '}, + * {@code \}, + * {@code <}, + * {@code &}, + * {@code /}, + * {@code >}, * {@code U+007f}, * line separator ({@code U+2028}), * paragraph separator ({@code U+2029}).</li> 
@@ -584,13 +576,13 @@
 }
 /**
- * Performs percent-encoding of a URL according to RFC 3986. The provided
+ * <p>Performs percent-encoding of a URL according to RFC 3986. The provided
 * URL is assumed to a valid URL. This method does not do any checking on
 * the quality or safety of the URL itself. In many applications it may
 * be better to use {@link java.net.URI} instead. Note: this is a
 * particularly dangerous context to put untrusted content in, as for
 * example a "javascript:" URL provided by a malicious user would be
- * "properly" escaped, and still execute.
+ * "properly" escaped, and still execute.</p>
 *
 * <b>Encoding Table</b>
 * <p>The following characters are <i>not</i> encoded:</p>
@@ -928,78 +920,78 @@ * </script> * </pre> * - * <table cellspacing="1" cellpadding="1" border="0"> + * <table cellspacing="1" class="memberSummary" cellpadding="1" border="0"> * <caption><b>Encoding Description</b></caption> * <thead> - * <tr bgcolor="#ccf"> - * <th align="left" colspan="2">Input Character</th> - * <th align="left">Encoded Result</th> - * <th align="left">Notes</th> + * <tr> + * <th align="left" colspan="2" class="colFirst">Input Character</th> + * <th align="left" class="colLast">Encoded Result</th> + * <th align="left" class="colLast">Notes</th> * </tr> * </thead> * <tbody> - * <tr> - * <td>U+0008</td><td><i>BS</i></td> - * <td><code>\b</code></td> - * <td>Backspace character</td> + * <tr class="altColor"> + * <td class="colFirst">U+0008</td><td><i>BS</i></td> + * <td class="colLast"><code>\b</code></td> + * <td class="colLast">Backspace character</td> * </tr> - * <tr> - * <td>U+0009</td><td><i>HT</i></td> - * <td><code>\t</code></td> - * <td>Horizontal tab character</td> + * <tr class="rowColor"> + * <td class="colFirst">U+0009</td><td><i>HT</i></td> + * <td class="colLast"><code>\t</code></td> + * <td class="colLast">Horizontal tab character</td> * </tr> - * <tr> - * <td>U+000A</td><td><i>LF</i></td> - * <td><code>\n</code></td> - * <td>Line feed character</td> + * <tr class="altColor"> + * <td class="colFirst">U+000A</td><td><i>LF</i></td> + * <td class="colLast"><code>\n</code></td> + * <td class="colLast">Line feed character</td> * </tr> - * <tr> - * <td>U+000C</td><td><i>FF</i></td> - * <td><code>\f</code></td> - * <td>Form feed character</td> + * <tr class="rowColor"> + * <td class="colFirst">U+000C</td><td><i>FF</i></td> + * <td class="colLast"><code>\f</code></td> + * <td class="colLast">Form feed character</td> * </tr> - * <tr> - * <td>U+000D</td><td><i>CR</i></td> - * <td><code>\r</code></td> - * <td>Carriage return character</td> + * <tr class="altColor"> + * <td class="colFirst">U+000D</td><td><i>CR</i></td> + * <td 
class="colLast"><code>\r</code></td> + * <td class="colLast">Carriage return character</td> * </tr> - * <tr> - * <td>U+0022</td><td><code>"</code></td> - * <td><code>\x22</code></td> - * <td>The encoding <code>\"</code> is not used here because + * <tr class="rowColor"> + * <td class="colFirst">U+0022</td><td><code>"</code></td> + * <td class="colLast"><code>\x22</code></td> + * <td class="colLast">The encoding <code>\"</code> is not used here because * it is not safe for use in HTML attributes. (In HTML * attributes, it would also be correct to use * "\&quot;".)</td> * </tr> - * <tr> - * <td>U+0026</td><td><code>&</code></td> - * <td><code>\x26</code></td> - * <td>Ampersand character</td> + * <tr class="altColor"> + * <td class="colFirst">U+0026</td><td><code>&</code></td> + * <td class="colLast"><code>\x26</code></td> + * <td class="colLast">Ampersand character</td> * </tr> - * <tr> - * <td>U+0027</td><td><code>'</code></td> - * <td><code>\x27</code></td> - * <td>The encoding <code>\'</code> is not used here because + * <tr class="rowColor"> + * <td class="colFirst">U+0027</td><td><code>'</code></td> + * <td class="colLast"><code>\x27</code></td> + * <td class="colLast">The encoding <code>\'</code> is not used here because * it is not safe for use in HTML attributes. 
(In HTML * attributes, it would also be correct to use * "\&#39;".)</td> * </tr> - * <tr> - * <td>U+002F</td><td><code>/</code></td> - * <td><code>\/</code></td> - * <td>This encoding is used to avoid an input sequence + * <tr class="altColor"> + * <td class="colFirst">U+002F</td><td><code>/</code></td> + * <td class="colLast"><code>\/</code></td> + * <td class="colLast">This encoding is used to avoid an input sequence * "</" from prematurely terminating a </script> * block.</td> * </tr> - * <tr> - * <td>U+005C</td><td><code>\</code></td> - * <td><code>\\</code></td> - * <td></td> + * <tr class="rowColor"> + * <td class="colFirst">U+005C</td><td><code>\</code></td> + * <td class="colLast"><code>\\</code></td> + * <td class="colLast"></td> * </tr> - * <tr> - * <td nowrap="nowrap" colspan="2">U+0000 to U+001F</td> - * <td><code>\x##</code></td> - * <td>Hexadecimal encoding is used for characters in this + * <tr class="altColor"> + * <td class="colFirst" colspan="2">U+0000 to U+001F</td> + * <td class="colLast"><code>\x##</code></td> + * <td class="colLast">Hexadecimal encoding is used for characters in this * range that were not already mentioned in above.</td> * </tr> * </tbody>
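Review bot: In the four-column "Encoding Description" table both the `Encoded Result` and `Notes` headers receive `class="colLast"`, and the second cell of every row (`<td><i>BS</i></td>` and so on) gets no class at all, so the class assignment does not follow the column layout the names describe; only the final cell of each row should carry `colLast`, with `<th align="left">Encoded Result</th>` left plain. The last row also silently drops `nowrap="nowrap"` from the `U+0000 to U+001F` cell, which the commit message does not mention and which may let that range wrap mid-token; `<td class="colFirst" nowrap="nowrap" colspan="2">U+0000 to U+001F</td>` keeps the original intent. The javadoc block continues past the end of this hunk.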
diff --git a/core/src/site/markdown/index.md b/core/src/site/markdown/index.md
new file mode 100644
index 0000000..e3f8f99
--- /dev/null
+++ b/core/src/site/markdown/index.md
@@ -0,0 +1,35 @@
+## OWASP Java Encoder
+
+The OWASP Java Encoder is a collection of high-performance low-overhead
+contextual encoders that, when utilized correctly, is an effective tool in
+preventing Web Application security vulnerabilities such as Cross-Site
+Scripting (XSS).
+
+Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet)
+for more information on preventing XSS.
+
+For use within JSP pages consider using the [JSP Encoder](../encoder-jsp/index.html) as it
+provides a TLD to make the use of the core encoders easier.
+
+### Usage
+
+The JARs can be found in [Maven Central](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22).
+
+```xml
+<dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.1</version>
+</dependency>
+```
+
+Utilize the encoder:
+
+```java
+import org.owasp.encoder.Encode;
+
+//...
+
+PrintWriter out = ....;
+out.println("<textarea>" + Encode.forHtml(userData) + "</textarea>");
+```
diff --git a/core/src/site/site.xml b/core/src/site/site.xml
index df4ef60..1b3cb62 100644
--- a/core/src/site/site.xml
+++ b/core/src/site/site.xml
@@ -36,22 +36,6 @@
 -->
 <project name="Encoder">
- <bannerLeft>
- <name>OWASP Java Encoder Project: CORE</name>
- <title>OWASP Java Encoder Project: CORE</title>
- <alt>OWASP Java Encoder Project: CORE</alt>
- <src>../images/owasp.jpg</src>
- <height>107</height>
- <width>300</width>
- </bannerLeft>
 <body>
- <breadcrumbs>
- <item name="OWASP Java Encoder Project" href="../index.html"/>
- </breadcrumbs>
- <!--menu name="Getting Started">
- <item name="Installation" href="installation.html"/>
- <item name="Usage" href="usage.html"/>
- </menu-->
- <menu ref="reports" />
 </body>
 </project>
\ No newline at end of file
diff --git a/esapi/pom.xml b/esapi/pom.xml
index def23df..c3f9c7c 100644
--- a/esapi/pom.xml
+++ b/esapi/pom.xml
@@ -49,7 +49,7 @@ <artifactId>encoder-esapi</artifactId> <packaging>jar</packaging> - <name>OWASP Encoders ESAPI Thunk</name> + <name>ESAPI Thunk</name> <description> The OWASP Encoders ESAPI Thunk provides an easy way to plugin the Encoder Projects API into an implementation of ESAPI.
diff --git a/esapi/src/site/site.xml b/esapi/src/site/site.xml
index 65ffdba..743ef44 100644
--- a/esapi/src/site/site.xml
+++ b/esapi/src/site/site.xml
@@ -36,22 +36,6 @@
 -->
 <project name="ESAPI">
- <bannerLeft>
- <name>OWASP Java Encoder Project: ESAPI</name>
- <title>OWASP Java Encoder Project: ESAPI</title>
- <alt>OWASP Java Encoder Project: ESAPI</alt>
- <src>../images/owasp.jpg</src>
- <height>107</height>
- <width>300</width>
- </bannerLeft>
 <body>
- <breadcrumbs>
- <item name="OWASP Java Encoder Project" href="../index.html"/>
- </breadcrumbs>
- <!--menu name="Getting Started">
- <item name="Installation" href="installation.html"/>
- <item name="Usage" href="usage.html"/>
- </menu-->
- <menu ref="reports" />
- </body>
+ </body>
 </project>
\ No newline at end of file
diff --git a/jsp/pom.xml b/jsp/pom.xml
index 1609f91..74a6efa 100644
--- a/jsp/pom.xml
+++ b/jsp/pom.xml
@@ -49,7 +49,7 @@ <artifactId>encoder-jsp</artifactId> <packaging>jar</packaging> - <name>OWASP Encoders JSP tags and EL functions</name> + <name>JSP Encoder</name> <description> The OWASP Encoder JSP package contains JSP tag definitions and TLDs to allow easy use of the OWASP Encoder Project's core API. The TLDs contain both tag
diff --git a/jsp/src/site/markdown/index.md b/jsp/src/site/markdown/index.md
new file mode 100644
index 0000000..cc3b6f2
--- /dev/null
+++ b/jsp/src/site/markdown/index.md
@@ -0,0 +1,31 @@
+## OWASP JSP
+
+The OWASP JSP Encoder is a collection of high-performance low-overhead
+contextual encoders that, when utilized correctly, is an effective tool in
+preventing Web Application security vulnerabilities such as Cross-Site
+Scripting (XSS).
+
+Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet)
+for more information on preventing XSS.
+
+### JSP Usage
+
+The JSP Encoder makes the use of the Java Encoder within JSP simple via a TLD that
+includes tags and a set of JSP EL functions:
+
+```xml
+<dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder-jsp</artifactId>
+ <version>1.2.1</version>
+</dependency>
+```
+
+```JSP
+<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
+
+<%-- ... --%>
+
+<p>Dynamic data via EL: ${e:forHtml(param.value)}</p>
+<p>Dynamic data via tag: <e:forHtml value="${param.value}" /></p>
+```
diff --git a/jsp/src/site/site.xml b/jsp/src/site/site.xml
index a16f931..dde2b60 100644
--- a/jsp/src/site/site.xml
+++ b/jsp/src/site/site.xml
@@ -36,22 +36,6 @@
 -->
 <project name="JSP">
- <bannerLeft>
- <name>OWASP Java Encoder Project: JSP</name>
- <title>OWASP Java Encoder Project: JSP</title>
- <alt>OWASP Java Encoder Project: JSP</alt>
- <src>../images/owasp.jpg</src>
- <height>107</height>
- <width>300</width>
- </bannerLeft>
 <body>
- <breadcrumbs>
- <item name="OWASP Java Encoder Project" href="../index.html"/>
- </breadcrumbs>
- <!--menu name="Getting Started">
- <item name="Installation" href="installation.html"/>
- <item name="Usage" href="usage.html"/>
- </menu-->
- <menu ref="reports" />
 </body>
 </project>
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 3985299..1cb08dd 100755
--- a/pom.xml
+++ b/pom.xml
@@ -45,7 +45,7 @@
 <version>1.2.1-SNAPSHOT</version>
 <packaging>pom</packaging>
- <name>OWASP Encoders Parent</name>
+ <name>OWASP Java Encoder Project</name>
 <description>
 The OWASP Encoders package is a collection of high-performance low-overhead
 contextual encoders, that when utilized correctly, is an effective tool in
@@ -183,7 +183,7 @@
 <plugin>
 <groupId>org.codehaus.mojo</groupId>
 <artifactId>cobertura-maven-plugin</artifactId>
- <version>2.7</version>
+ <version>2.6</version>
 </plugin>
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
@@ -208,7 +208,26 @@
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-site-plugin</artifactId>
- <version>3.5.1</version>
+ <!-- upgrading beyond 3.4 may break the reflow skin -->
+ <version>3.4</version>
+ <dependencies>
+ <dependency>
+ <groupId>lt.velykis.maven.skins</groupId>
+ <artifactId>reflow-velocity-tools</artifactId>
+ <version>1.1.1</version>
+ </dependency>
+ <!-- Reflow skin requires Velocity >= 1.7 -->
+ <dependency>
+ <groupId>org.apache.velocity</groupId>
+ <artifactId>velocity</artifactId>
+ <version>1.7</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.maven.doxia</groupId>
+ <artifactId>doxia-module-markdown</artifactId>
+ <version>1.6</version>
+ </dependency>
+ </dependencies>
 </plugin>
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
@@ -308,21 +327,6 @@
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-site-plugin</artifactId>
- <dependencies>
- <dependency>
- <groupId>org.apache.maven.doxia</groupId>
- <artifactId>doxia-core</artifactId>
- <version>1.7</version>
- </dependency>
- <dependency>
- <groupId>org.apache.maven.doxia</groupId>
- <artifactId>doxia-module-markdown</artifactId>
- <version>1.7</version>
- </dependency>
- </dependencies>
- <configuration>
- <skipDeploy>true</skipDeploy>
- </configuration>
 </plugin>
 </plugins>
 </build>
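Review bot: The cobertura-maven-plugin version moves from 2.7 back to 2.6 in the second hunk with no comment and no mention in the commit message, while the site-plugin pin at 3.4 right below it is explained inline, so a reader cannot tell whether the downgrade is deliberate or a stray edit; either restore `<version>2.7</version>` or add `<!-- pinned to 2.6: REASON -->` above it (REASON is a placeholder). The last hunk also removes `<skipDeploy>true</skipDeploy>` from the maven-site-plugin configuration and drops the `doxia-core` 1.7 dependency while the new block pins `doxia-module-markdown` at 1.6, a lower version than the 1.7 it replaces; if that plugin block governs a site that was intentionally never deployed, `site:deploy` will now attempt it (inferred, as the enclosing `<build>` starts outside the hunk). The three new plugin dependencies (`reflow-velocity-tools` 1.1.1, `velocity` 1.7, `doxia-module-markdown` 1.6) are build-time only and pinned, which is good, but `velocity` 1.7 is, as far as I know, an old 1.x release, so a note on what keeps the skin on that line would help whoever next bumps it. Please document why `skipDeploy` is no longer needed in the same place it was removed.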
diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md
new file mode 100644
index 0000000..1be294d
--- /dev/null
+++ b/src/site/markdown/index.md
@@ -0,0 +1,56 @@
+## OWASP Java Encoder Project
+
+The OWASP Java Encoder Project is a collection of high-performance low-overhead
+contextual encoders, that when utilized correctly, is an effective tool in
+preventing Web Application security vulnerabilities such as Cross-Site
+Scripting (XSS).
+
+Please see the [OWASP XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet)
+for more information on preventing XSS.
+
+### Usage
+
+In addition to the usage guidance below, more examples can be found on the [OWASP Java Encoder Project Wiki](https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project).
+
+The JARs can be found in [Maven Central](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22).
+
+```xml
+<dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.1</version>
+</dependency>
+```
+
+Utilize the encoder:
+
+```java
+import org.owasp.encoder.Encode;
+
+//...
+
+PrintWriter out = ....;
+out.println("<textarea>" + Encode.forHtml(userData) + "</textarea>");
+```
+
+### JSP Usage
+
+The JSP Encoder makes the use of the Java Encoder within JSP simple via a TLD that
+includes tags and a set of JSP EL functions:
+
+```xml
+<dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder-jsp</artifactId>
+ <version>1.2.1</version>
+</dependency>
+```
+
+```JSP
+<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
+
+<%-- ... --%>
+
+<p>Dynamic data via EL: ${e:forHtml(param.value)}</p>
+<p>Dynamic data via tag: <e:forHtml value="${param.value}" /></p>
+```
diff --git a/src/site/site.xml b/src/site/site.xml
index 2df1953..f1d4a83 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -37,51 +37,56 @@
 -->
 <project name="OWASP Java Encoder Project">
 <skin>
- <groupId>org.apache.maven.skins</groupId>
- <artifactId>maven-fluido-skin</artifactId>
- <version>1.6</version>
+ <groupId>lt.velykis.maven.skins</groupId>
+ <artifactId>reflow-maven-skin</artifactId>
+ <version>1.1.1</version>
 </skin>
- <custom>
- <fluidoSkin>
- <sourceLineNumbersEnabled>true</sourceLineNumbersEnabled>
- <sideBarEnabled>true</sideBarEnabled>
- <gitHub>
- <projectId>owasp/owasp-java-encoder</projectId>
- <ribbonOrientation>right</ribbonOrientation>
- <ribbonColor>gray</ribbonColor>
- </gitHub>
- <googlePlusOne />
- </fluidoSkin>
- </custom>
- <bannerLeft>
+ <publishDate position="none" />
+ <version position="none" />
+ <bannerLeft>
 <name>OWASP Java Encoder Project</name>
 <title>OWASP Java Encoder Project</title>
 <alt>OWASP Java Encoder Project</alt>
 <src>./images/owasp.jpg</src>
 <height>107</height>
 <width>300</width>
- </bannerLeft>
+ </bannerLeft>
+ <custom>
+ <reflowSkin>
+ <theme>default</theme>
+ <highlightJs>true</highlightJs>
+ <highlightJsTheme>github</highlightJsTheme>
+ <brand>
+ <name>${project.name}</name>
+ <href>https://www.owasp.org/index.php/OWASP_Java_Encoder_Project</href>
+ </brand>
+ <skinAttribution>false</skinAttribution>
+ <toc>top</toc>
+ <tocTopMax>6</tocTopMax>
+ <topNav>Modules|Maven Documentation</topNav>
+ <bottomNav maxSpan="6" >
+ <column>Modules</column>
+ <column>Contribute</column>
+ <column>Maven Documentation</column>
+ </bottomNav>
+ <pages>
+ <index project="encoder" combine.self="override"></index>
+ </pages>
+ </reflowSkin>
+ </custom>
- <publishDate position="right" />
- <version position="right" />
- <poweredBy>
- <logo name="Maven" href="http://maven.apache.org/"
- title="built with maven"
- alt="built with maven"
- img="/images/logos/build-by-maven-white.png"/>
- </poweredBy>
 <body>
- <head><![CDATA[
- ]]></head>
- <breadcrumbs>
- <item name=" " href="#"/>
- </breadcrumbs>
- <menu ref="reports" />
- <menu name="Modules">
- <item 
name="Encoder" href="./encoder/index.html" />
- <item name="JSP" href="./encoder-jsp/index.html" />
- <item name="ESAPI Thunk" href="./encoder-esapi/index.html" />
- </menu>
+ <menu name="Modules" inherit="bottom">
+ <item name="OWASP Encoders" href="./index.html" />
+ <item name="Java Encoder" href="./encoder/index.html" />
+ <item name="JSP Encoder" href="./encoder-jsp/index.html" />
+ <item name="ESAPI Thunk" href="./encoder-esapi/index.html" />
+ </menu>
+ <menu name="Maven Documentation" ref="reports" inherit="bottom" />
+ <menu name="Contribute" inherit="bottom">
+ <item name="Issues" href="https://github.com/OWASP/owasp-java-encoder/issues" />
+ <item name="Fork on GitHub" href="https://github.com/OWASP/owasp-java-encoder" />
+ </menu>
 <footer>Copyright © 2011-2017 OWASP. All Rights Reserved.</footer>
 </body>
</project>
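Review bot: `<highlightJs>true</highlightJs>` enables the reflow skin's client-side highlighter, and as far as I recall reflow 1.1.x loads highlight.js and the `github` theme from a public CDN rather than from the generated site, so every visitor of the project pages would execute script fetched from a host outside the project's control; please verify against the generated HTML and, if so, either enable the skin's `localResources` option (if 1.1.1 supports it) so the assets ship with the site, or record the trust decision in a comment next to the option. The first `Modules` entry is labelled `OWASP Encoders` while this same commit renames the parent to `OWASP Java Encoder Project` and the core module to `Java Encoder`; `<item name="OWASP Java Encoder Project" href="./index.html" />` would keep the names consistent across the site. The empty `<index project="encoder" combine.self="override"></index>` and `<bottomNav maxSpan="6" >` differ in form from the file's other empty elements such as `<publishDate position="none" />`; `<index project="encoder" combine.self="override" />` and `<bottomNav maxSpan="6">` keep one style. The removed and re-added `<bannerLeft>`/`</bannerLeft>` lines appear to differ only in indentation and could be left untouched to keep the diff focused.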