Does Play Framework need ESAPI at all? It is pretty robust when it comes to automatic escaping of potential cross-site scripting vectors, but if you don't use Play templates to display data (an AJAX API, for example) you'll need to do the escaping separately. Play also offers a quite good validation framework, but you still need to actually implement the validation functions for some types of content, and this is where OWASP ESAPI comes in handy. Assume you have a new Play application directory structure created by `play new play-esapi` (see the Play tutorial). ESAPI needs the following files added to it:
- esapi-2.1.0.jar — copy to lib/ (download the full esapi-2.1.0-dist.zip and extract the JAR from it)
- antisamy-esapi.xml — copy to conf/
- validation.properties — copy to conf/
- ESAPI.properties — copy to conf/ (you always want to edit this file and at least change Encryptor.MasterKey and Encryptor.MasterSalt; the values shipped in the distribution are public, so anything encrypted with them is effectively unprotected)
Once added, you can start calling ESAPI in the application, as shown in the controller example below:
```java
import org.owasp.esapi.ESAPI;
import play.data.DynamicForm;
import play.data.Form;
import play.mvc.Controller;
import play.mvc.Result;

public class Application extends Controller {
    public static Result index() {
        // Bind the request parameters (query string or form body) to a DynamicForm
        DynamicForm requestData = Form.form().bindFromRequest();
        // Encode the untrusted parameter for an HTML context before it reaches any output
        String myname = ESAPI.encoder().encodeForHTML(requestData.get("whatever"));
        // ... (rest of the action; returning the encoded value is shown here only so the method compiles)
        return ok(myname);
    }
}
```

The full code example can be found on GitHub in the play-esapi repo. If you run into trouble, always check the ESAPI messages in the application output. The most likely problem is that ESAPI is unable to find its configuration files and, as a result, crashes the application on startup. In that case, pointing ESAPI at the conf/ directory should help:

`export _JAVA_OPTIONS=-Dorg.owasp.esapi.resources=/home/myusername/play-esapi/conf`
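As an added example (not from the original post or the play-esapi repo), here is the AJAX-API case mentioned above: a JSON endpoint that validates a request parameter with ESAPI's validator against the SafeString pattern defined in validation.properties and HTML-encodes it before returning it. It assumes the Play 2.2+ Java API (Form.form(), play.libs.Json backed by Jackson 2), ESAPI 2.1.0 on the classpath with the configuration files in conf/ as described, and the controller name Api and parameter name "name" are invented for the example.

```java
// Added example (not from the original post): JSON endpoint that validates a
// parameter with ESAPI before echoing it back HTML-encoded.
// Assumes Play 2.2+ Java API and ESAPI 2.1.0 configured from conf/ (see above).
import com.fasterxml.jackson.databind.node.ObjectNode;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;
import play.data.DynamicForm;
import play.data.Form;
import play.libs.Json;
import play.mvc.Controller;
import play.mvc.Result;

public class Api extends Controller {

    // Looked up as Validator.SafeString in conf/validation.properties
    private static final String TYPE = "SafeString";
    private static final int MAX_LEN = 64;

    public static Result greet() {
        DynamicForm requestData = Form.form().bindFromRequest();
        String raw = requestData.get("name");   // untrusted, may be null
        ObjectNode body = Json.newObject();
        String name;
        try {
            // Throws ValidationException if "name" does not match the SafeString
            // pattern or exceeds MAX_LEN; allowNull=false also rejects a missing value.
            name = ESAPI.validator().getValidInput("greet.name", raw, TYPE, MAX_LEN, false);
        } catch (ValidationException e) {
            // getUserMessage() is safe to return to the client;
            // the detailed getLogMessage() has already gone to the ESAPI log.
            body.put("error", e.getUserMessage());
            return badRequest(body);
        } catch (IntrusionException e) {
            // Raised when ESAPI's intrusion detector thresholds are exceeded
            return forbidden();
        }
        // The client inserts this into the page via innerHTML, so encode for the
        // HTML context here; use encodeForJavaScript() if it lands inside a script.
        body.put("greeting", "Hello, " + ESAPI.encoder().encodeForHTML(name));
        return ok(body);
    }
}
```

Route it with a line such as `GET /api/greet controllers.Api.greet()` in conf/routes; a request with `name=<script>` is rejected with 400 before any encoding happens, while an accepted value is returned encoded.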