Issues

User session just jumped from unknown to 0:0:0:0:0:0:0:1

EncryptedPropertiesUtils Switch for Adding Values

HTTPParameterValue

HttpParamtervalue for allowing Xml Data

-Log4JLogger.java doesn't output correct file & line number-Similar issue as reported in Issue 268

Performance

Regex in ESAPI.properties is not considering few of the french characters

logger is gettin class cast exception

Content Security Policy - Java Servlet Filter

Log4j configuration with no root level causes NPE in Log4jLogger.java

setHeader blocks legitimate headers due to header name size limit being too low

AbstractAccessReferenceMap.addDirectReference not invariant

StringUtils.union broken which has minor impact on CSRF Protection and random file name generation

Construct "&" in Validator.URL is simple character class, not reference to ampersand

Patch for /trunk/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java

ClassCastException on SecurityWrapperResponse

ClassCastException during web application redeploy due to the grift logging classes

PolicyFactory Sanitize method weird output

RequestRateThrottleFilter may not work as expected with hits=1 or hits=2

Unsynchronized get method, synchronized set method

Incorrect lazy initialization of static field instance

Resource leak: FileInputStream is not closed on method exit

Incorrect Equality test on floating point values

Resource leak: This FileReader is not closed on method exit

Deprecate current HttpUtilities.setRememberToken() and replace with one not requiring user password

ValidatorTest.testIsValidDate fails if default locale is not US

ESAPI.properties file not being built / deployed as part of production downloads

Insecure default configuration for Executor.ApprovedExecutables in ESAPI.properties file

Crypto MAC by-pass makes default ESAPI symmetric encrytion using CBC mode vulnerable to padding oracle attacks

Double checked locking on Log4JLogFactory.getInstance()

Make HTMLValidationRule to look for antisamy-esapi.xml in classpaths

Eliminate eclipse code warnings to improve quality

AuthenticatedUser isCredentialsNonExpired() have todo comment, but default return false;

Issue with decodeFromURL method in the DefaultEncoder

Canonicaling "&ESAPILEG-37;Device&ESAPILEG-37; changes the meaning of the input string

ClassCastException when using ESAPI logger

encodeForCSS brakes color values

HTMLEntityCodec destroys 32-bit CJK (Chinese, Japanese and Korean) characters

HTMLEntityCodec#decode incorrectly decodes upper-case accented letters as their lower-case counterparts

encodeForHTMLAttribute escapes the forward slash

non-BMP characters incorrectly encoded

isValidDate fails with patterns ending with "yyyy"

Java 7 J2EE StandardSessionFacade is not comparable

ClassNotFoundException: org.owasp.esapi.reference.accesscontrol.DefaultAccessController AccessController class

CSS and images not working with ESAPIWebApplicationFirewallFilter

ESAPI validator isValidRedirectLocation does not work

Config Error

Canoniclizing out of EncodeforLdap or EncodeForDN if contains specific characters like "(, ) #" etc. messes up the input.

jsessionid validator regex in esapi.properties not applicable to ids generated by tomcat