Add 2 properties associated w/ disabling stuff by default.

kwwall · kwwall · commit 40026bfc9212 · 2025-06-08T23:25:42.000-04:00
diff --git a/src/test/resources/esapi/ESAPI.properties b/src/test/resources/esapi/ESAPI.properties
@@ -578,3 +578,37 @@ Validator.AcceptLenientDates=false
 #
 #Validator.HtmlValidationAction=clean
 Validator.HtmlValidationAction=throw
+
+########################################################################################
+# The following methods are now disabled in the default configuration and must
+# be explicity enabled. If you try to invoke a method disabled by default, ESAPI
+# will thrown a NotConfiguredByDefaultException.
+#
+# The reason for this varies, but ranges from they are not really suitable for
+# enterprise scale to that are only marginally tested (if at all) versus the are
+# unsafe for general use, although them may be fine when combined with other
+# security-in-depth techiques.
+#
+# The disabled-by-default methods are:
+#   org.owasp.esapi.reference.DefaultEncoder.encodeForSQL
+#   org.owasp.esapi.ESAPI.accessController  [FUTURE]
+#
+# The format is a comma-separated list of fully,Qualified.ClassNames.methodName
+#
+#   Note to ESAPI Devs: There is presently no way to specific which specific
+#                       method to indicate here when the method name alone,
+#                       absent from its signature, is ambiguous, so it is
+#                       best to avoid those if at all possible!
+#
+#                       An example of that would be something like:
+#                           org.owasp.esapi.reference.DefaultValidator.getValidPrintable
+#                       which has 4 interfaces so currently, there's no way to
+#                       specify a specific one.
+#       
+ESAPI.enableLegCannonModeAndGetMyAssFired.methodNames=org.owasp.esapi.reference.DefaultEncoder.encodeForSQL
+
+# Normally you would put some text here (that will be logged) that provides some
+# justification as to why you have enabled these functions. This can be
+# anythuing such as a Jira or ServiceNow ticket number, a security exception
+# reference, etc. If it is left empty, it will just like "Justification: none".`
+ESAPI.enableLegCannonModeAndGetMyAssFired.justification=blah,blah. Please don't fire my @$$. Ticket # 12345
