Using ESAPI with Play Framework

2014-03-26 00:00:00 +0000


Does Play Framework need ESAPI at all? It is pretty robust when it comes to automatic escaping of potential cross-site scripting vectors, but if you don’t use Play templates to display data (an AJAX API instead) you’ll need to do this escaping separately. Play also offers a quite good validation framework, but you still need to actually implement the validation functions for some types of content, and here’s where OWASP ESAPI comes in handy. Assume you have a new Play application directory structure created by play new play-esapi (Play tutorial). With the ESAPI files added it will look mostly like this:
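As an added example (not code from this post, nor from the Play or ESAPI projects), here is how the two points above fit together in a Play 2 Java controller: an ESAPI-backed validator plugged into Play's Constraints API, and explicit ESAPI output encoding on an AJAX endpoint where the template auto-escaping never runs. It assumes ESAPI 2.x (with ESAPI.properties and validation.properties on the classpath, where the SafeString pattern is defined) and the Play 2.2 Java form API; the class and message-key names are made up for the example.

```java
package controllers;

import org.owasp.esapi.ESAPI;
import play.data.Form;
import play.data.validation.Constraints;
import play.libs.F;
import play.libs.Json;
import play.mvc.Controller;
import play.mvc.Result;

public class Application extends Controller {

    // Play only declares the hook; ESAPI supplies the actual rule. "SafeString"
    // is the Validator.SafeString regex from ESAPI's validation.properties,
    // "comment" is the context string that ends up in ESAPI's log entries.
    public static class SafeStringValidator extends Constraints.Validator<String> {
        @Override
        public boolean isValid(String value) {
            return ESAPI.validator().isValidInput("comment", value, "SafeString", 200, false);
        }

        @Override
        public F.Tuple<String, Object[]> getErrorMessageKey() {
            // Hypothetical message key; add it to conf/messages.
            return new F.Tuple<String, Object[]>("error.unsafeString", new Object[]{});
        }
    }

    // Form model: Play runs the ESAPI check during bindFromRequest().
    public static class Comment {
        @Constraints.Required
        @Constraints.ValidateWith(SafeStringValidator.class)
        public String text;
    }

    // AJAX endpoint: no Play template is involved, so nothing escapes the
    // value for us. Encode it with ESAPI before it can land in innerHTML
    // on the client side.
    public static Result postComment() {
        Form<Comment> form = Form.form(Comment.class).bindFromRequest();
        if (form.hasErrors()) {
            return badRequest(form.errorsAsJson());
        }
        String safe = ESAPI.encoder().encodeForHTML(form.get().text);
        return ok(Json.newObject().put("comment", safe));
    }
}
```

Map the action in conf/routes (for example POST /comment controllers.Application.postComment()); if the client inserts the value as text rather than HTML, encodeForJavaScript or plain JSON serialisation is the matching choice instead of encodeForHTML.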

ESAPI will need the following files: