Using ESAPI with Play Framework

Does Play Framework need ESAPI at all? It is pretty robust as it comes to automatic escaping of potential cross-site scripting vectors but if you don't use Play templates to display data (but an AJAX API instead) you'll need to do this separately. Play also offers a quite good validation framework but you still need to actually implement the validation functions for some types of content — and here's where OWASP ESAPI comes handy.

Assume, you have a new Play application directory structure created by play new play-esapi (Play tutorial). With added ESAPI files it will look mostly like this:

ESAPI will need the following files:

Once added, you can start calling ESAPI in the application, as shown in the controller example below:

import org.owasp.esapi.ESAPI;
 
public class Application extends Controller {
 
    public static Result index(){
        DynamicForm requestData = Form.form().bindFromRequest();
        String myname = ESAPI.encoder().encodeForHTML(requestData.get("whatever"));
    ...
    }
}

Full code example can be found on GitHub in play-esapi repo.

If you run into trouble, always check ESAPI messages in application output. Most likely you're going to run into a typical problem where ESAPI is unable to find its configuration files and, as result, crashes the applicaiton on startup. In such case export _JAVA_OPTIONS=-Dorg.owasp.esapi.resources=/home/myusername/play-esapi/conf should help.