ESAPI
diff --git a/‎src/main/javascript/core.js‎
Lines changed: 17 additions & 4 deletions b/‎src/main/javascript/core.js‎
Lines changed: 17 additions & 4 deletions
diff --git a/‎src/main/javascript/org/owasp/esapi/HTTPUtilities.js‎
Lines changed: 105 additions & 9 deletions b/‎src/main/javascript/org/owasp/esapi/HTTPUtilities.js‎
Lines changed: 105 additions & 9 deletions
diff --git a/‎src/main/javascript/org/owasp/esapi/i18n/ObjectResourceBundle.js‎
Lines changed: 30 additions & 0 deletions b/‎src/main/javascript/org/owasp/esapi/i18n/ObjectResourceBundle.js‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎src/main/javascript/org/owasp/esapi/i18n/ResourceBundle.js‎
Lines changed: 0 additions & 38 deletions b/‎src/main/javascript/org/owasp/esapi/i18n/ResourceBundle.js‎
Lines changed: 0 additions & 38 deletions
diff --git a/‎src/main/javascript/org/owasp/esapi/net/Cookie.js‎
Lines changed: 97 additions & 0 deletions b/‎src/main/javascript/org/owasp/esapi/net/Cookie.js‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎src/main/javascript/org/owasp/esapi/reference/validation/DefaultValidator.js‎
Lines changed: 1 addition & 1 deletion b/‎src/main/javascript/org/owasp/esapi/reference/validation/DefaultValidator.js‎
Lines changed: 1 addition & 1 deletion
@@ -23,6 +23,12 @@ var $namespace = function(name, separator, container){
   return o;
 };
 
+var $type = function( oVar, oType ) {
+    if ( !oVar instanceof oType ) {
+        throw new SyntaxError();
+    }
+};
+
 if (!$) {
     var $ = function( sElementID ) {
         return document.getElementById( sElementID );
@@ -280,21 +286,22 @@ org.owasp.esapi.ESAPI = function( oProperties ) {
     var _validator = null;
     var _logFactory = null;
     var _resourceBundle = null;
+    var _httputilities = null;
 
     return {
         properties: _properties,
 
         encoder: function() {
-            if (!_properties.encoder.Implementation) throw new RuntimeException('Configuration Error - $ESAPI.properties.encoder.Implementation object not found.');
             if (!_encoder) {
+                if (!_properties.encoder.Implementation) throw new RuntimeException('Configuration Error - $ESAPI.properties.encoder.Implementation object not found.');
                 _encoder = new _properties.encoder.Implementation();
             }
             return _encoder;
         },
 
         logFactory: function() {
-            if (!_properties.logging.Implementation) throw new RuntimeException('Configuration Error - $ESAPI.properties.logging.Implementation object not found.');
             if ( !_logFactory ) {
+                if (!_properties.logging.Implementation) throw new RuntimeException('Configuration Error - $ESAPI.properties.logging.Implementation object not found.');
                 _logFactory = new _properties.logging.Implementation();
             }
             return _logFactory;
@@ -310,17 +317,23 @@ org.owasp.esapi.ESAPI = function( oProperties ) {
 
         resourceBundle: function() {
             if (!_resourceBundle) {
-                _resourceBundle = org.owasp.esapi.i18n.ResourceBundle.getResourceBundle( _properties.localization.StandardResourceBundle, this.locale() );
+                if(!_properties.localization.StandardResourceBundle) throw new RuntimeException("Configuration Error - $ESAPI.properties.localization.StandardResourceBundle not found.");
+                _resourceBundle = new org.owasp.esapi.i18n.ObjectResourceBundle( _properties.localization.StandardResourceBundle );
             }
             return _resourceBundle;
         },
 
         validator: function() {
-            if (!_properties.validation.Implementation) throw new RuntimeException('Configuration Error - $ESAPI.properties.validation.Implementation object not found.');
             if (!_validator) {
+                if (!_properties.validation.Implementation) throw new RuntimeException('Configuration Error - $ESAPI.properties.validation.Implementation object not found.');
                 _validator = new _properties.validation.Implementation();
             }
             return _validator;
+        },
+
+        httpUtilities: function() {
+            if (!_httputilities) _httputilities = new org.owasp.esapi.HTTPUtilities();
+            return _httputilities;
         }
     };
 };
 
@@ -14,14 +14,110 @@
 $namespace('org.owasp.esapi');
 
 org.owasp.esapi.HTTPUtilities = function() {
+    var log = $ESAPI.logger("HTTPUtilities");
+    var resourceBundle = $ESAPI.resourceBundle();
+    var EventType = org.owasp.esapi.Logger.EventType;
+
     return {
-        addCookie: false,
-        getSessionID: false,
-        getCookie: false,
-        killAllCookies: false,
-        killCookie: false,
-        logHTTPRequest: false,
-        sendForward: false,
-        getRequestParameter: false
+        addCookie: function( oCookie ) {
+            $type(oCookie,org.owasp.esapi.net.Cookie);
+
+            if ( window.top.location.protocol != 'http:' || window.top.location.protocol != 'https:' )
+                throw new RuntimeException(resourceBundle.getString( "HTTPUtilities.Cookie.Protocol", {"protocol":window.top.location.protocol}));
+
+            var name = oCookie.getName(),
+                value = oCookie.getValue(),
+                maxAge = oCookie.getMaxAge(),
+                domain = oCookie.getDomain(),
+                path = oCookie.getPath(),
+                secure = oCookie.getSecure();
+
+            var validationErrors = new org.owasp.esapi.ValidationErrorList();
+            var cookieName = $ESAPI.validator().getValidInput("cookie name", name, "HttpCookieName", 50, false, validationErrors );
+            var cookieValue = $ESAPI.validator().getValidInput("cookie value", value, "HttpCookieValue", 5000, false, validationErrors );
+
+            if (validationErrors.size() == 0) {
+                var header = name+'='+escape(value);
+                header += maxAge?";expires=" + ( new Date( ( new Date() ).getTime() + ( 1000 * maxAge ) ).toGMTString() ) : "";
+                header += path?";path="+path:"";
+                header += domain?";domain="+domain:"";
+                header += secure||$ESAPI.properties.httputilities.cookies.ForceSecure?";secure":"";
+                document.cookie=header;
+            }
+            else
+            {
+                log.warning(EventType.SECURITY_FAILURE, resourceBundle.getString("HTTPUtilities.Cookie.UnsafeData", { 'name':name, 'value':value } ) );
+            }
+        },
+
+        /**
+         * Returns a {@link org.owasp.esapi.net.Cookie} containing the name and value of the requested cookie.
+         *
+         * IMPORTANT: The value of the cookie is not sanitized at this level. It is the responsibility of the calling
+         * code to sanitize the value for proper output encoding prior to using it.
+         *
+         * @param sName {String} The name of the cookie to retrieve
+         * @return {org.owasp.esapi.net.Cookie}
+         */
+        getCookie: function(sName) {
+            var cookieJar = document.cookie.split("; ");
+            for(var i=0,len=cookieJar.length;i<len;i++) {
+                var cookie = cookieJar[i].split("=");
+                if (cookie[0] == escape(sName)) {
+                    return new org.owasp.esapi.net.Cookie( sName, cookie[1]?unescape(cookie[1]):'' );
+                }
+            }
+            return null;
+        },
+
+        /**
+         * Will attempt to kill any cookies associated with the current request (domain,path,secure). If a cookie cannot
+         * be deleted, a RuntimeException will be thrown.
+         *
+         * @throws RuntimeException if one of the cookies cannot be deleted.
+         */
+        killAllCookies: function() {
+            var cookieJar = document.cookie.split("; ");
+            for(var i=0,len=cookieJar.length;i<len;i++) {
+                var cookie = cookieJar[i].split("=");
+                var name = unescape(cookie[0]);
+                // RuntimeException will bubble through if the cookie cannot be deleted
+                if (!this.killCookie(name)) {
+                    // Something is wrong - cookieJar contains a cookie that is inaccesible using getCookie
+                    throw new RuntimeException(resourceBundle.getString("HTTPUtilities.Cookie.CantKill", {"name":name}));
+                }
+            }
+        },
+
+        /**
+         * Will kill a single cookie. If that cookie cannot be deleted a RuntimeException will be thrown
+         * @param sName {String} The name of the cookie
+         */
+        killCookie: function(sName) {
+            var c = this.getCookie(sName);
+            if ( c ) {
+                c.setMaxAge( -10 );
+                this.addCookie(c);
+                if (this.getCookie(sName)) {
+                    throw new RuntimeException(resourceBundle.getString("HTTPUtilities.Cookie.CantKill", {"name":sName}));
+                }
+                return true;
+            }
+            return false;
+        },
+
+        /**
+         * This only works for GET parameters and is meerly a convenience method for accessing that information if need be
+         * @param sName {String} The name of the parameter to retrieve
+         */
+        getRequestParameter: function( sName ) {
+            var url = window.top.location.search.substring(1);
+            var pIndex = url.indexOf(sName);
+            if (pIndex<0) return null;
+            pIndex=pIndex+sName.length;
+            var lastIndex=url.indexOf("&",pIndex);
+            if (lastIndex<0) lastIndex=url.length;
+            return unescape(url.substring(pIndex,lastIndex));
+        }
     };
-}
+};
@@ -0,0 +1,30 @@
+/*
+ * OWASP Enterprise Security API (ESAPI)
+ *
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2008 - The OWASP Foundation
+ *
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ */
+
+$namespace('org.owasp.esapi.i18n');
+
+org.owasp.esapi.i18n.ObjectResourceBundle = function( oResource, oParent ) {
+    var _super = new org.owasp.esapi.i18n.ResourceBundle( oResource.name, org.owasp.esapi.i18n.Locale.getLocale(oResource.locale), oParent );
+
+    var messages = oResource.messages;
+
+    return {
+        getParent: _super.getParent,
+        getLocale: _super.getLocale,
+        getName: _super.getName,
+        getString: _super.getString,
+        getMessage: function(sKey) {
+            return messages[sKey];
+        }
+    };
+};
@@ -87,44 +87,6 @@ org.owasp.esapi.i18n.ResourceBundle.getResourceBundle = function(sResource, oLoc
 };
 
 with(org.owasp.esapi.i18n) {
-    messages = {
-        "Test"                              : "This is test #{testnumber}",
-        "CreditCard.Required.Usr"           : "{context}: Input credit card required",
-        "CreditCard.Required.Log"           : "Input credit card required: context={context}, input={input}",
-        "CreditCard.Invalid.Usr"            : "{context}: Invalid credit card input",
-        "CreditCard.Invalid.Log"            : "Invalid credit card input: context={context}, input={input}",
-        "Date.Required.Usr"                 : "{context}: Input date required in {format} format",
-        "Date.Required.Log"                 : "Date required: context={context}, input={input}, format={format}",
-        "Date.Invalid.Usr"                  : "{context}: Invalid date, please use {format} format",
-        "Date.Invalid.Log"                  : "Invalid date: context={context}, input={input}, format={format}",
-        "Integer.Required.Usr"              : "{context}: Input number required",
-        "Integer.Required.Log"              : "Input number required: context={context}, input={input}, minValue={minValue}, maxValue={maxValue}",
-        "Integer.NaN.Usr"                   : "{context}: Invalid number",
-        "Integer.NaN.Log"                   : "Invalid number: context={context}, input={input}, minValue={minValue}, maxValue={maxValue}",
-        "Integer.MinValue.Usr"              : "{context}: Invalid number - Must be greater than {minValue}",
-        "Integer.MinValue.Log"              : "Invalid number: context={context}, input={input}, minValue={minValue}, maxValue={maxValue}",
-        "Integer.MaxValue.Usr"              : "{context}: Invalid number - Must be less than {maxValue}",
-        "Integer.MaxValue.Log"              : "Invalid number: context={context}, input={input}, minValue={minValue}, maxValue={maxValue}",
-        "Number.Required.Usr"               : "{context}: Input number required",
-        "Number.Required.Log"               : "Input number required: context={context}, input={input}, minValue={minValue}, maxValue={maxValue}",
-        "Number.NaN.Usr"                    : "{context}: Invalid number",
-        "Number.NaN.Log"                    : "Invalid number: context={context}, input={input}, minValue={minValue}, maxValue={maxValue}",
-        "Number.MinValue.Usr"               : "{context}: Invalid number - Must be greater than {minValue}",
-        "Number.MinValue.Log"               : "Invalid number: context={context}, input={input}, minValue={minValue}, maxValue={maxValue}",
-        "Number.MaxValue.Usr"               : "{context}: Invalid number - Must be less than {maxValue}",
-        "Number.MaxValue.Log"               : "Invalid number: context={context}, input={input}, minValue={minValue}, maxValue={maxValue}",
-        "String.Required.Usr"               : "{context}: Input required",
-        "String.Required.Log"               : "Input required: context={context}, input={input}, original={orig}",
-        "String.Whitelist.Usr"              : "{context}: Invalid input - Conform to regex {pattern}",
-        "String.Whitelist.Log"              : "Invalid input - Whitelist validation failed: context={context}, input={input}, original={orig}, pattern={pattern}",
-        "String.Blacklist.Usr"              : "{context}: Invalid input - Dangerous input matching {pattern} detected",
-        "String.Blacklist.Log"              : "Invalid input - Blacklist validation failed: context={context}, input={input}, original={orig}, pattern={pattern}",
-        "String.MinLength.Usr"              : "{context}: Invalid input - Minimum length is {minLength}",
-        "String.MinLength.Log"              : "Invalid input - Too short: context={context}, input={input}, original={orig}, minLength={minLength}",
-        "String.MaxLength.Usr"              : "{context}: Invalid input - Maximum length is {maxLength}",
-        "String.MaxLength.Log"              : "Invalid input - Too long: context={context}, input={input}, original={orig}, maxLength={maxLength}"
-    };
-
     ResourceBundle.ESAPI_Standard = "ESAPI_Standard";
     ResourceBundle.ESAPI_Standard_en_US = new ArrayResourceBundle( 'ESAPI Standard Messaging - US English', Locale.US, messages );
 }
@@ -0,0 +1,97 @@
+/*
+ * OWASP Enterprise Security API (ESAPI)
+ *
+ * This file is part of the Open Web Application Security Project (OWASP)
+ * Enterprise Security API (ESAPI) project. For details, please see
+ * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
+ *
+ * Copyright (c) 2008 - The OWASP Foundation
+ *
+ * The ESAPI is published by OWASP under the BSD license. You should read and accept the
+ * LICENSE before you use, modify, and/or redistribute this software.
+ */
+
+$namespace('org.owasp.esapi.net');
+
+/**
+ * Constructs a cookie with a specified name and value.
+ * <p/>
+ * The name must conform to RFC 2109. That means it can contain only ASCII alphanumeric characters and cannot contain
+ * commas, semicolons, or white space or begin with a $ character. The cookie's name cannot be changed after creation.
+ * <p/>
+ * The value can be anything the server chooses to send. Its value is probably of interest only to the server. The
+ * cookie's value can be changed after creation with the setValue method.
+ * <p/>
+ * By default, cookies are created according to the Netscape cookie specification. The version can be changed with the
+ * {@link #setVersion} method.
+ *
+ * @constructor
+ * @param sName {String} a <code>String</code> specifying the name of the cookie
+ * @param sValue {String} a <code>String</code> specifying the value of the cookie
+ * @throws  IllegalArgumentException
+ *          if the cookie name contains illegal characters (for example, a comma, space, or semicolon) or it is one of
+ *          the tokens reserved for use by the cookie protocol
+ */
+org.owasp.esapi.net.Cookie = function( sName, sValue ) {
+    var name;       // NAME= ... "$Name" style is reserved
+    var value;      // value of NAME
+
+    var comment;    // ;Comment=VALUE ... describes the cookies use
+    var domain;     // ;Domain=VALUE ... domain that sees the cookie
+    var maxAge;     // ;Max-Age=VALUE ... cookies auto-expire
+    var path;       // ;Path=VALUE ... URLs that see the cookie
+    var secure;     // ;Secure ... e.g. use SSL
+    var version;    // ;Version=1 ... means RFC-2109++ style
+
+    var _resourceBundle = $ESAPI.resourceBundle();
+
+    var tSpecials = ",; ";
+
+    var isToken = function(sValue) {
+        for(var i=0,len=sValue.length;i<len;i++) {
+            var cc = sValue.charCodeAt(i),c=sValue.charAt(i);
+            if (cc<0x20||cc>=0x7F||tSpecials.indexOf(c)!=-1) {
+                return false;
+            }
+        }
+        return true;
+    };
+
+    if ( !isToken(sName)
+            || sName.toLowerCase() == 'comment'
+            || sName.toLowerCase() == 'discard'
+            || sName.toLowerCase() == 'domain'
+            || sName.toLowerCase() == 'expires'
+            || sName.toLowerCase() == 'max-age'
+            || sName.toLowerCase() == 'path'
+            || sName.toLowerCase() == 'secure'
+            || sName.toLowerCase() == 'version'
+            || sName.charAt(0) == '$' ) {
+        var errMsg = _resourceBundle.getString( "Cookie.Name", { 'name':sName } );
+        throw new IllegalArgumentException(errMsg);
+    }
+
+    name = sName;
+    value = sValue;
+
+    return {
+        setComment: function(purpose) { comment = purpose; },
+        getComment: function() { return comment; },
+        setDomain: function(sDomain) { domain = sDomain.toLowerCase(); },
+        getDomain: function() { return domain; },
+        setMaxAge: function(nExpirey) { maxAge = nExpirey; },
+        getMaxAge: function() { return maxAge; },
+        setPath: function(sPath) { path = sPath; },
+        getPath: function() { return path; },
+        setSecure: function(bSecure) { secure = bSecure; },
+        getSecure: function() { return secure; },
+        getName: function() { return name; },
+        setValue: function(sValue) { value = sValue; },
+        getValue: function() { return value; },
+        setVersion: function(nVersion) {
+            if(nVersion<0||nVersion>1)throw new IllegalArgumentException(_resourceBundle.getString("Cookie.Version", { 'version':nVersion } ) );
+            version = nVersion;
+        },
+        getVersion: function() { return version; }
+    };
+};
@@ -39,7 +39,7 @@ org.owasp.esapi.reference.validation.DefaultValidator = function( oEncoder, oLoc
         },
 
         getValidInput: function( sContext, sInput, sType, nMaxLength, bAllowNull, oValidationErrorList ) {
-            var rvr = new p.StringValidationRule( sType, encoder, locale );
+            var rvr = new org.owasp.esapi.reference.validation.StringValidationRule( sType, encoder, locale );
             var p = new RegExp($ESAPI.properties.validation[sType]);
             if ( p && p instanceof RegExp ) {
                 rvr.addWhitelistPattern( p );