
Java

The OWASP Java Encoder and OWASP Java HTML Sanitizer projects are security libraries for Java web applications that provide output encoding and HTML input sanitization.

The OWASP JSON Sanitizer Java library is used to ensure both JSON input and output are reasonably safe for Java applications.

What are they?

The Java Encoder package provides contextual output encoding for a Java application: separate methods for HTML content and attributes, URLs, JavaScript and CSS, so that untrusted data is encoded for the exact context into which it is written.

Java HTML Sanitizer is used to sanitize untrusted HTML so that it can be safely handled within a Java application. The JAR file is included in a Java application and then a policy is defined for it.

These are both established projects with a regular release history stretching back to 2013.

The JSON Sanitizer is a Java component that transforms arbitrary JSON-like input into well-formed JSON as defined by RFC 4627. It rewrites the input rather than rejecting it, so it can be used to accept JSON from an untrusted source and then safely pass well-formed JSON on to other processes.

JSON Sanitizer is a widely used library provided by OWASP; it is a direct dependency of many thousands of other libraries and of many more applications. The project was transferred to OWASP in 2021 by GitHub user mikesamuel, which is why this OWASP library is identified by the Maven coordinates com.mikesamuel:json-sanitizer.

Why use the libraries?

The use of both Java Encoder and Java HTML Sanitizer is part of a defense in depth approach to preventing cross-site scripting (XSS) and other injection attacks. They are well established OWASP projects with 'Lab' status.

The OWASP JSON Sanitizer Java library is widely used, being a direct dependency of thousands of Java components, and should be considered for JSON-specific output normalization and input validation. It is less actively maintained than the Java Encoder or Java HTML Sanitizer (version 1.2.2 was released in January 2021), but it is stable and genuinely useful.

How to use the libraries

Include the Java Encoder package in a Java application via Maven. The 'How to Use the OWASP Java Encoder' documentation explains how to use it in the various output contexts, such as HTML, URLs, JavaScript and CSS.
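The following is an added example, not code from the OWASP Developer Guide or the Java Encoder project, showing one constructed attacker-controlled string written into five different output contexts with the encoder method that matches each sink. It assumes org.owasp.encoder:encoder is on the classpath; the class and method names other than the Encode calls are illustrative.

```java
import org.owasp.encoder.Encode;

// Added example (not from the OWASP Developer Guide). Assumes the
// org.owasp.encoder:encoder artifact is on the classpath.
public class EncoderContexts {

    // Constructed attacker-controlled input: breaks out of an attribute and
    // injects a script element if written to a page unencoded.
    static final String UNTRUSTED = "\"><script>alert(1)</script>";

    // HTML element content: <p>...</p>
    static String htmlBody(String s) {
        return "<p>" + Encode.forHtml(s) + "</p>";
    }

    // Quoted HTML attribute value: <input value="...">
    static String htmlAttribute(String s) {
        return "<input value=\"" + Encode.forHtmlAttribute(s) + "\">";
    }

    // Inside a JavaScript string literal within a <script> block.
    static String jsString(String s) {
        return "<script>var name = '" + Encode.forJavaScript(s) + "';</script>";
    }

    // A single query-string parameter value; the base URL itself is trusted.
    static String urlParam(String s) {
        return "https://example.com/search?q=" + Encode.forUriComponent(s);
    }

    // Inside a CSS string literal.
    static String cssString(String s) {
        return "<style>.label::after { content: '" + Encode.forCssString(s) + "'; }</style>";
    }

    public static void main(String[] args) {
        // Vulnerable: raw concatenation places the payload in the page unchanged.
        System.out.println("<p>" + UNTRUSTED + "</p>");

        // Hardened: each sink uses the encoder for its own context.
        System.out.println(htmlBody(UNTRUSTED));
        System.out.println(htmlAttribute(UNTRUSTED));
        System.out.println(jsString(UNTRUSTED));
        System.out.println(urlParam(UNTRUSTED));
        System.out.println(cssString(UNTRUSTED));
    }
}
```

Two caveats a reviewer would raise: the encoder must be chosen for the innermost context (a JavaScript string inside an HTML event-handler attribute needs JavaScript encoding and then HTML attribute encoding, in that order), and encoding is not validation. Encode.forUriComponent makes a value safe as a parameter, but if untrusted data becomes an entire href or src URL the scheme still has to be checked against an allow-list, because javascript: survives encoding intact.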

Follow the examples provided by Java HTML Sanitizer to include the utility and configure it with policy.
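As an added example (not code from the OWASP Developer Guide or the Java HTML Sanitizer project), the block below defines an allow-list policy with HtmlPolicyBuilder and runs a constructed piece of untrusted HTML through it, then shows the prebuilt Sanitizers policies being composed instead. It assumes com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer is on the classpath; the class name, the policy contents and the sample input are illustrative.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

// Added example (not from the OWASP Developer Guide). Assumes the
// owasp-java-html-sanitizer artifact is on the classpath.
public class SanitizerPolicy {

    // Allow-list policy: a few formatting elements plus links, where links may
    // only use http/https and are forced to carry rel="nofollow". Anything not
    // explicitly allowed (script, event handler attributes, style) is dropped.
    static final PolicyFactory COMMENT_POLICY = new HtmlPolicyBuilder()
        .allowElements("p", "b", "i", "em", "strong", "a")
        .allowAttributes("href").onElements("a")
        .allowUrlProtocols("http", "https")
        .requireRelNofollowOnLinks()
        .toFactory();

    static String sanitizeComment(String untrusted) {
        return COMMENT_POLICY.sanitize(untrusted);
    }

    public static void main(String[] args) {
        // Constructed untrusted input: an inline event handler, a javascript: URL
        // and a script element, all of which the policy above removes.
        String untrusted = "<p onclick=\"alert(1)\">Hello "
            + "<a href=\"javascript:alert(1)\">link</a> "
            + "<a href=\"https://example.com/\">ok</a>"
            + "<script>alert(1)</script></p>";

        System.out.println(sanitizeComment(untrusted));

        // Prebuilt policies can be composed when a custom builder is overkill.
        PolicyFactory basic = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
        System.out.println(basic.sanitize(untrusted));
    }
}
```

Build the PolicyFactory once and reuse it; it is immutable and thread-safe, while constructing it per request is wasteful. Keep the policy as narrow as the feature requires and extend it only when a concrete element or attribute is needed, since every addition widens what an attacker can place in the rendered page.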

The JSON Sanitizer JAR file can be fetched from Maven Central; follow the Getting Started guide:

import com.google.json.JsonSanitizer;
String wellFormedJson = JsonSanitizer.sanitize(myJsonLikeString);
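To show what the sanitize call above actually does to hostile input, here is an added example that is not code from the OWASP Developer Guide or the JSON Sanitizer project. It feeds a constructed JSON-like string, with an unquoted key, single-quoted strings, a trailing comma and a value that would close a <script> element if echoed into HTML, through JsonSanitizer.sanitize. It assumes com.mikesamuel:json-sanitizer is on the classpath; the class and method names apart from JsonSanitizer.sanitize are illustrative.

```java
import com.google.json.JsonSanitizer;

// Added example (not from the OWASP Developer Guide). Assumes the
// com.mikesamuel:json-sanitizer artifact is on the classpath.
public class JsonNormalize {

    // Wraps the library call so the normalization step has a single,
    // reviewable entry point in the application.
    static String normalize(String jsonLike) {
        return JsonSanitizer.sanitize(jsonLike);
    }

    public static void main(String[] args) {
        // Constructed JSON-like input from an untrusted source:
        //  - unquoted key and single-quoted strings (not valid RFC 4627 JSON)
        //  - trailing comma in the array
        //  - a string that would terminate a surrounding <script> block
        String untrusted = "{name: 'alice', tags: ['a', 'b',], "
            + "bio: '</script><script>alert(1)</script>'}";

        String wellFormed = normalize(untrusted);

        // The result is well-formed JSON with quoted keys and double-quoted
        // strings; the library documents that its output is safe to embed in
        // an HTML script element, i.e. it does not contain a raw "</script".
        System.out.println(wellFormed);
    }
}
```

Note the design choice this implies: the sanitizer coerces malformed input into something parseable instead of rejecting it, which is the right behaviour for output normalization but not a substitute for schema validation. Where the application needs to reject bad input rather than repair it, parse the sanitized string with a strict JSON parser and validate the resulting structure.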

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.