ESAPI Issues
On my latest project I’m trying to make use of the [ESAPI](https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API) (The OWASP Enterprise Security API) library which is built into the latest versions of ColdFusion (9.01 and 10).
I was originally trying to sanitize some form inputs with the ESAPI encoders. (The uform:option is used in cfUniform which I’ll be blogging more about soon).
:::cfm
<uform:option display="#rc.esapi.encodeForHTMLAttribute(category.getCategoryName())#" value="#rc.esapi.encodeForHTMLAttribute(category.getCategoryID())#"/>
But this failed with an error:
Either there are no methods with the specified method name and argument types or the encodeForHTMLAttribute method is overloaded with argument types that ColdFusion cannot decipher reliably. ColdFusion found 0 methods that match the provided arguments. If this is a Java object and you verified that the method exists, use the javacast function to reduce ambiguity.
I originally thought maybe something was going on under the hood with cfUniform, so I simplified my code and still got an error:
:::cfm
<cfloop array="#rc.sections#" index="section">
#rc.esapi.encodeForHTML( section.getSectionID() )#
,#rc.esapi.encodeForHTML( section.getSectionName() )#<br>
</cfloop>
But this worked fine:
:::cfm
<cfloop array="#rc.sections#" index="section">
#rc.esapi.encodeForHTML( 1 )#
,#rc.esapi.encodeForHTML( section.getSectionName() )#<br>
</cfloop>
Hmmmm…
I pinged Jason Dean (security guru) who came up with the solution:
:::cfm
#rc.esapi.encodeForHTML( javaCast("string", section.getSectionID()) )#
It appears the encodeForHTML() method (and I assume the other encoder methods) is expecting a string! The numeric ID returned by getSectionID() doesn't match the Java String argument the encoder declares, which is why ColdFusion found 0 matching methods until the value was passed through javaCast().
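To avoid sprinkling javaCast() through every template, here is an added example (not code from the original post) of a small wrapper that casts whatever it is given to a Java string before calling the ESAPI encoder, and picks the encoder that matches the output context. The helper name esapiEncode() and the sample section data are hypothetical; it assumes the ESAPI jar bundled with ColdFusion 9.0.1/10 is available to createObject().

```cfml
<cfscript>
// Added example, not from the original post. Assumes the ESAPI jar shipped
// with ColdFusion 9.0.1/10 is on the classpath; the helper name esapiEncode()
// and the sample section data are hypothetical.
encoder = createObject("java", "org.owasp.esapi.ESAPI").encoder();

// Every ESAPI encoder method takes a java.lang.String. A ColdFusion numeric
// (such as the integer returned by getSectionID()) does not match that
// signature, so cast explicitly before crossing into Java.
string function esapiEncode(required any value, string context = "html") {
    var s = javaCast("string", arguments.value);
    switch (arguments.context) {
        case "html":      return encoder.encodeForHTML(s);
        case "attribute": return encoder.encodeForHTMLAttribute(s);
        case "js":        return encoder.encodeForJavaScript(s);
        case "url":       return encoder.encodeForURL(s);
        default: throw(type="Application", message="Unknown encoding context: #arguments.context#");
    }
}

// Constructed sample data standing in for rc.sections.
sections = [
    { id = 1, name = "Intro <b>bold</b>" },
    { id = 2, name = 'Say "hi" & bye' }
];
</cfscript>

<cfoutput>
<cfloop array="#sections#" index="section">
    <!--- The numeric id is cast inside esapiEncode(), so this no longer throws
          the "ColdFusion found 0 methods" error. Attribute values get the
          attribute encoder; text between tags gets the HTML encoder. --->
    <option value="#esapiEncode(section.id, 'attribute')#">#esapiEncode(section.name)#</option>
</cfloop>
</cfoutput>
```

ColdFusion 10 also exposes these encoders as built-in functions (encodeForHTML(), encodeForHTMLAttribute() and friends) that accept ColdFusion values directly, so on CF10 the wrapper is only needed when calling the Java encoder object yourself.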