| | ESAPI configuration files not included in dist. | | | | | Unresolved | Nov 13, 2014 | Jan 4, 2015 | | |
| | User session just jumped from unknown to 0:0:0:0:0:0:0:1 | | | | | Unresolved | Nov 13, 2014 | Jan 4, 2015 | | |
| | EncryptedPropertiesUtils Switch for Adding Values | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | HTTPParameterValue | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | HttpParamtervalue for allowing Xml Data | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | -Log4JLogger.java doesn't output correct file & line number-Similar issue as reported in Issue 268 | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Performance | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | Regex in ESAPI.properties is not considering few of the french characters | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | logger is getting class cast exception | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Content Security Policy - Java Servlet Filter | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | Log4j configuration with no root level causes NPE in Log4jLogger.java | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | setHeader blocks legitimate headers due to header name size limit being too low | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | AbstractAccessReferenceMap.addDirectReference not invariant | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | StringUtils.union broken which has minor impact on CSRF Protection and random file name generation | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Construct "&" in Validator.URL is simple character class, not reference to ampersand | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | Patch for /trunk/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | ClassCastException on SecurityWrapperResponse | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | ClassCastException during web application redeploy due to the grift logging classes | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | PolicyFactory Sanitize method weird output | | | | | Done | Nov 13, 2014 | Jan 5, 2015 | | |
| | RequestRateThrottleFilter may not work as expected with hits=1 or hits=2 | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | Unsynchronized get method, synchronized set method | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | Incorrect lazy initialization of static field instance | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Resource leak: FileInputStream is not closed on method exit | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | Incorrect Equality test on floating point values | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | Resource leak: This FileReader is not closed on method exit | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | Deprecate current HttpUtilities.setRememberToken() and replace with one not requiring user password | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | ValidatorTest.testIsValidDate fails if default locale is not US | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | ESAPI.properties file not being built / deployed as part of production downloads | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | Insecure default configuration for Executor.ApprovedExecutables in ESAPI.properties file | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Crypto MAC by-pass makes default ESAPI symmetric encryption using CBC mode vulnerable to padding oracle attacks | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Double checked locking on Log4JLogFactory.getInstance() | | | | | Done | Nov 13, 2014 | Jan 5, 2015 | | |
| | Make HTMLValidationRule to look for antisamy-esapi.xml in classpaths | | | | | Unresolved | Nov 13, 2014 | Jan 5, 2015 | | |
| | Eliminate eclipse code warnings to improve quality | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | AuthenticatedUser isCredentialsNonExpired() have todo comment, but default return false; | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Issue with decodeFromURL method in the DefaultEncoder | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Canonicalizing "&ESAPILEG-37;Device&ESAPILEG-37; changes the meaning of the input string | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | ClassCastException when using ESAPI logger | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | encodeForCSS breaks color values | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | HTMLEntityCodec destroys 32-bit CJK (Chinese, Japanese and Korean) characters | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | HTMLEntityCodec#decode incorrectly decodes upper-case accented letters as their lower-case counterparts | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | encodeForHTMLAttribute escapes the forward slash | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | non-BMP characters incorrectly encoded | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | isValidDate fails with patterns ending with "yyyy" | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Java 7 J2EE StandardSessionFacade is not comparable | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | ClassNotFoundException: org.owasp.esapi.reference.accesscontrol.DefaultAccessController AccessController class | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | CSS and images not working with ESAPIWebApplicationFirewallFilter | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | ESAPI validator isValidRedirectLocation does not work | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Config Error | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | Canonicalizing out of EncodeforLdap or EncodeForDN if contains specific characters like "(, ) #" etc. messes up the input. | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |
| | jsessionid validator regex in esapi.properties not applicable to ids generated by tomcat | | | | | Unresolved | Nov 13, 2014 | Nov 13, 2014 | | |