Fix DefaultEncoder so that by default, it will use the value of the property Encoder.DefaultCodecList instead of having hard-coded codecs.

kwwall · kwwall · commit 8b726454f540 · 2022-05-02T20:47:00.000-04:00
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
@@ -99,14 +99,18 @@ public static Encoder getInstance() {
     
     
     /**
-     * Instantiates a new DefaultEncoder
+     * Instantiates a new {@code DefaultEncoder} based on the property {@code Encoder.DefaultCodecList}
+     * from the {@code ESAPI.properties} file.
      */
     private DefaultEncoder() {
-        codecs.add( htmlCodec );
-        codecs.add( percentCodec );
-        codecs.add( javaScriptCodec );
+        this( ESAPI.securityConfiguration().getDefaultCanonicalizationCodecs() );
     }
     
+    /**
+     * Instantiates a new {@code DefaultEncoder} based on the specified list of
+     * codec names. Unqualified codec names are assumed to belong to the package
+     * "org.owasp.esapi.codecs".
+     */
     public DefaultEncoder( List<String> codecNames ) {
         for ( String clazz : codecNames ) {
             try {
