HBASE-16317 revert all ESAPI changes

Revert "HBASE-15270 Use appropriate encoding for "filter" field in TaskMonitorTmpl.jamon." This reverts commit bba4f107c1. Revert "HBASE-15122 Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings (Samir Ahmic)" This reverts commit 68b300173f. Conflicts: hbase-server/pom.xml Revert "HBASE-15329 Cross-Site Scripting: Reflected in table.jsp (Samir Ahmic)" This reverts commit 4b3e38705c. Conflicts: hbase-server/src/main/resources/hbase-webapps/master/table.jsp Revert "HBASE-15369 Handle NPE in region.jsp (Samir Ahmic)" This reverts commit 3826894f89.
2016-08-01 22:08:50 -07:00 · 2016-08-01 22:08:50 -07:00 · 209b6f74c7
parent 81b06b3bdd
commit 209b6f74c7
10 changed files with 7 additions and 952 deletions
--- a/hbase-resource-bundle/src/main/resources/supplemental-models.xml
+++ b/hbase-resource-bundle/src/main/resources/supplemental-models.xml
@ -61,24 +61,6 @@ under the License.
      </licenses>
    </project>
  </supplement>
  <supplement>
    <project>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils-core</artifactId>
      <organization>
        <name>The Apache Software Foundation</name>
        <url>http://www.apache.org/</url>
      </organization>
      <licenses>
        <license>
          <name>Apache Software License, Version 2.0</name>
          <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
          <distribution>repo</distribution>
        </license>
      </licenses>
    </project>
  </supplement>
 <!-- Artifacts with ambiguously named licenses in POM -->
  <supplement>
    <project>
@ -1213,22 +1195,4 @@ Copyright (c) 2007-2011 The JRuby project
      </licenses>
    </project>
  </supplement>
  <supplement>
    <project>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
      <organization>
        <name>The Apache Software Foundation</name>
        <url>http://www.apache.org/</url>
      </organization>
      <licenses>
        <license>
          <name>The Apache Software License, Version 2.0</name>
          <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
          <distribution>repo</distribution>
        </license>
      </licenses>
    </project>
  </supplement>
 </supplementalDataModels>
--- a/hbase-server/pom.xml
+++ b/hbase-server/pom.xml
@ -561,17 +561,6 @@
      <artifactId>bcprov-jdk16</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>2.1.0.1</version>
      <exclusions>
        <exclusion>
          <artifactId>xercesImpl</artifactId>
          <groupId>xerces</groupId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.apache.kerby</groupId>
      <artifactId>kerb-client</artifactId>
--- a/hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/common/TaskMonitorTmpl.jamon
+++ b/hbase-server/src/main/jamon/org/apache/hadoop/hbase/tmpl/common/TaskMonitorTmpl.jamon
@ -20,22 +20,12 @@ limitations under the License.
 java.util.*;
 org.apache.hadoop.hbase.monitoring.*;
 org.apache.hadoop.util.StringUtils;
 org.owasp.esapi.ESAPI;
 org.owasp.esapi.errors.EncodingException;
 </%import>
 <%args>
 TaskMonitor taskMonitor = TaskMonitor.get();
 String filter = "general";
 String format = "html";
 </%args>
 <%class>
    public String encodeFilter() {
    try {
    return ESAPI.encoder().encodeForURL(filter);
    }catch(EncodingException e) {}
    return ESAPI.encoder().encodeForHTML(filter);
    }
 </%class>
 <%java>
 List<? extends MonitoredTask> tasks = taskMonitor.getTasks();
 Iterator<? extends MonitoredTask> iter = tasks.iterator();
@ -72,7 +62,7 @@ boolean first = true;
    <li <%if filter.equals("handler")%>class="active"</%if>><a href="?filter=handler">Show All RPC Handler Tasks</a></li>
    <li <%if filter.equals("rpc")%>class="active"</%if>><a href="?filter=rpc">Show Active RPC Calls</a></li>
    <li <%if filter.equals("operation")%>class="active"</%if>><a href="?filter=operation">Show Client Operations</a></li>
-    <li><a href="?format=json&filter=<% encodeFilter() %>">View as JSON</a></li>
+    <li><a href="?format=json&filter=<% filter %>">View as JSON</a></li>
  </ul>
  <%if tasks.isEmpty()%>
    <p>No tasks currently running on this node.</p>
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java
@ -35,7 +35,6 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.hbase.http.HttpServer;
 import org.apache.hadoop.hbase.util.JSONBean;
 import org.owasp.esapi.ESAPI;
 /*
 * This servlet is based off of the JMXProxyServlet from Tomcat 7.0.14. It has
@ -168,7 +167,7 @@ public class JMXJsonServlet extends HttpServlet {
        jsonpcb = request.getParameter(CALLBACK_PARAM);
        if (jsonpcb != null) {
          response.setContentType("application/javascript; charset=utf8");
-          writer.write(encodeJS(jsonpcb) + "(");
+          writer.write(jsonpcb + "(");
        } else {
          response.setContentType("application/json; charset=utf8");
        }
@ -221,9 +220,4 @@ public class JMXJsonServlet extends HttpServlet {
      response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
    }
  }
  private String encodeJS(String inputStr) {
    return ESAPI.encoder().encodeForJavaScript(inputStr);
  }
 }
--- a/hbase-server/src/main/resources/ESAPI.properties
+++ b/hbase-server/src/main/resources/ESAPI.properties
@ -1,431 +0,0 @@
 #
 # OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version
 #
 # This file is part of the Open Web Application Security Project (OWASP)
 # Enterprise Security API (ESAPI) project. For details, please see
 # http://www.owasp.org/index.php/ESAPI.
 #
 # Copyright (c) 2008,2009 - The OWASP Foundation
 #
 # DISCUSS: This may cause a major backwards compatibility issue, etc. but
 #           from a name space perspective, we probably should have prefaced
 #           all the property names with ESAPI or at least OWASP. Otherwise
 #           there could be problems is someone loads this properties file into
 #           the System properties.  We could also put this file into the
 #           esapi.jar file (perhaps as a ResourceBundle) and then allow an external
 #           ESAPI properties be defined that would overwrite these defaults.
 #           That keeps the application's properties relatively simple as usually
 #           they will only want to override a few properties. If looks like we
 #           already support multiple override levels of this in the
 #           DefaultSecurityConfiguration class, but I'm suggesting placing the
 #           defaults in the esapi.jar itself. That way, if the jar is signed,
 #           we could detect if those properties had been tampered with. (The
 #           code to check the jar signatures is pretty simple... maybe 70-90 LOC,
 #           but off course there is an execution penalty (similar to the way
 #           that the separate sunjce.jar used to be when a class from it was
 #           first loaded). Thoughts?
 ###############################################################################
 #
 # WARNING: Operating system protection should be used to lock down the .esapi
 # resources directory and all the files inside and all the directories all the
 # way up to the root directory of the file system.  Note that if you are using
 # file-based implementations, that some files may need to be read-write as they
 # get updated dynamically.
 #
 # Before using, be sure to update the MasterKey and MasterSalt as described below.
 # N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4,
 #        you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired)
 #        re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be
 #        able to decrypt your data with ESAPI 2.0.
 #
 #        YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes.
 #
 #===========================================================================
 # ESAPI Configuration
 #
 # If true, then print all the ESAPI properties set here when they are loaded.
 # If false, they are not printed. Useful to reduce output when running JUnit tests.
 # If you need to troubleshoot a properties related problem, turning this on may help.
 # This is 'false' in the src/test/resources/.esapi version. It is 'true' by
 # default for reasons of backward compatibility with earlier ESAPI versions.
 ESAPI.printProperties=true
 # ESAPI is designed to be easily extensible. You can use the reference implementation
 # or implement your own providers to take advantage of your enterprise's security
 # infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
 #
 #    String ciphertext =
 #        ESAPI.encryptor().encrypt("Secret message");   // Deprecated in 2.0
 #    CipherText cipherText =
 #        ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
 #
 # Below you can specify the classname for the provider that you wish to use in your
 # application. The only requirement is that it implement the appropriate ESAPI interface.
 # This allows you to switch security implementations in the future without rewriting the
 # entire application.
 #
 # ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
 ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
 # FileBasedAuthenticator requires users.txt file in .esapi directory
 ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
 ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
 ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
 ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
 ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
 ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
 # Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
 ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
 #ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
 ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
 ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
 #===========================================================================
 # ESAPI Authenticator
 #
 Authenticator.AllowedLoginAttempts=3
 Authenticator.MaxOldPasswordHashes=13
 Authenticator.UsernameParameterName=username
 Authenticator.PasswordParameterName=password
 # RememberTokenDuration (in days)
 Authenticator.RememberTokenDuration=14
 # Session Timeouts (in minutes)
 Authenticator.IdleTimeoutDuration=20
 Authenticator.AbsoluteTimeoutDuration=120
 #===========================================================================
 # ESAPI Encoder
 #
 # ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
 # Failure to canonicalize input is a very common mistake when implementing validation schemes.
 # Canonicalization is automatic when using the ESAPI Validator, but you can also use the
 # following code to canonicalize data.
 #
 #      ESAPI.Encoder().canonicalize( "%22hello world&#x22;" );
 #
 # Multiple encoding is when a single encoding format is applied multiple times, multiple
 # different encoding formats are applied, or when multiple formats are nested. Allowing
 # multiple encoding is strongly discouraged.
 Encoder.AllowMultipleEncoding=false
 #
 # The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
 # for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
 # inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
 Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
 #===========================================================================
 # ESAPI Encryption
 #
 # The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
 # To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
 # There is not currently any support for key rotation, so be careful when changing your key and salt as it
 # will invalidate all signed, encrypted, and hashed data.
 #
 # WARNING: Not all combinations of algorithms and key lengths are supported.
 # If you choose to use a key length greater than 128, you MUST download the
 # unlimited strength policy files and install in the lib directory of your JRE/JDK.
 # See http://java.sun.com/javase/downloads/index.jsp for more information.
 #
 # Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API
 # methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever
 # possible, these methods should be avoided as they use ECB cipher mode, which in almost
 # all circumstances a poor choice because of it's weakness. CBC cipher mode is the default
 # for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0.  In general, you
 # should only use this compatibility setting if you have persistent data encrypted with
 # version 1.4 and even then, you should ONLY set this compatibility mode UNTIL
 # you have decrypted all of your old encrypted data and then re-encrypted it with
 # ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode
 # with the new 2.0 methods, make sure that you use the same cipher algorithm for both
 # (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for
 # more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods
 # where you can specify a SecretKey. (Note that if you are using the 256-bit AES,
 # that requires downloading the special jurisdiction policy files mentioned above.)
 #
 #        ***** IMPORTANT: Do NOT forget to replace these with your own values! *****
 # To calculate these values, you can run:
 #        java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
 #
 Encryptor.MasterKey=
 Encryptor.MasterSalt=
 # Provides the default JCE provider that ESAPI will "prefer" for its symmetric
 # encryption and hashing. (That is it will look to this provider first, but it
 # will defer to other providers if the requested algorithm is not implemented
 # by this provider.) If left unset, ESAPI will just use your Java VM's current
 # preferred JCE provider, which is generally set in the file
 # "$JAVA_HOME/jre/lib/security/java.security".
 #
 # The main intent of this is to allow ESAPI symmetric encryption to be
 # used with a FIPS 140-2 compliant crypto-module. For details, see the section
 # "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
 # the ESAPI 2.0 Symmetric Encryption User Guide, at:
 # http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
 # However, this property also allows you to easily use an alternate JCE provider
 # such as "Bouncy Castle" without having to make changes to "java.security".
 # See Javadoc for SecurityProviderLoader for further details. If you wish to use
 # a provider that is not known to SecurityProviderLoader, you may specify the
 # fully-qualified class name of the JCE provider class that implements
 # java.security.Provider. If the name contains a '.', this is interpreted as
 # a fully-qualified class name that implements java.security.Provider.
 #
 # NOTE: Setting this property has the side-effect of changing it in your application
 #       as well, so if you are using JCE in your application directly rather than
 #       through ESAPI (you wouldn't do that, would you? ;-), it will change the
 #       preferred JCE provider there as well.
 #
 # Default: Keeps the JCE provider set to whatever JVM sets it to.
 Encryptor.PreferredJCEProvider=
 # AES is the most widely used and strongest encryption algorithm. This
 # should agree with your Encryptor.CipherTransformation property.
 # By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is
 # very weak. It is essentially a password-based encryption key, hashed
 # with MD5 around 1K times and then encrypted with the weak DES algorithm
 # (56-bits) using ECB mode and an unspecified padding (it is
 # JCE provider specific, but most likely "NoPadding"). However, 2.0 uses
 # "AES/CBC/PKCSPadding". If you want to change these, change them here.
 # Warning: This property does not control the default reference implementation for
 #           ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
 #           in the future.
 # @deprecated
 Encryptor.EncryptionAlgorithm=AES
 #        For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
 Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
 # Applies to ESAPI 2.0 and later only!
 # Comma-separated list of cipher modes that provide *BOTH*
 # confidentiality *AND* message authenticity. (NIST refers to such cipher
 # modes as "combined modes" so that's what we shall call them.) If any of these
 # cipher modes are used then no MAC is calculated and stored
 # in the CipherText upon encryption. Likewise, if one of these
 # cipher modes is used with decryption, no attempt will be made
 # to validate the MAC contained in the CipherText object regardless
 # of whether it contains one or not. Since the expectation is that
 # these cipher modes support support message authenticity already,
 # injecting a MAC in the CipherText object would be at best redundant.
 #
 # Note that as of JDK 1.5, the SunJCE provider does not support *any*
 # of these cipher modes. Of these listed, only GCM and CCM are currently
 # NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
 # GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
 # padding modes.
 Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC
 # Applies to ESAPI 2.0 and later only!
 # Additional cipher modes allowed for ESAPI 2.0 encryption. These
 # cipher modes are in _addition_ to those specified by the property
 # 'Encryptor.cipher_modes.combined_modes'.
 # Note: We will add support for streaming modes like CFB & OFB once
 # we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
 # (probably in ESAPI 2.1).
 # DISCUSS: Better name?
 Encryptor.cipher_modes.additional_allowed=CBC
 # 128-bit is almost always sufficient and appears to be more resistant to
 # related key attacks than is 256-bit AES. Use '_' to use default key size
 # for cipher algorithms (where it makes sense because the algorithm supports
 # a variable key size). Key length must agree to what's provided as the
 # cipher transformation, otherwise this will be ignored after logging a
 # warning.
 #
 # NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing!
 Encryptor.EncryptionKeyLength=128
 # Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
 # (All cipher modes except ECB require an IV.) There are two choices: we can either
 # use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
 # the IV does not need to be hidden from adversaries, it is important that the
 # adversary not be allowed to choose it. Also, random IVs are generally much more
 # secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
 # such as CFB and OFB use a different IV for each encryption with a given key so
 # in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
 # IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
 # uncomment the Encryptor.fixedIV.
 #
 # Valid values:        random|fixed|specified        'specified' not yet implemented; planned for 2.1
 Encryptor.ChooseIVMethod=random
 # If you choose to use a fixed IV, then you must place a fixed IV here that
 # is known to all others who are sharing your secret key. The format should
 # be a hex string that is the same length as the cipher block size for the
 # cipher algorithm that you are using. The following is an example for AES
 # from an AES test vector for AES-128/CBC as described in:
 # NIST Special Publication 800-38A (2001 Edition)
 # "Recommendation for Block Cipher Modes of Operation".
 # (Note that the block size for AES is 16 bytes == 128 bits.)
 #
 Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
 # Whether or not CipherText should use a message authentication code (MAC) with it.
 # This prevents an adversary from altering the IV as well as allowing a more
 # fool-proof way of determining the decryption failed because of an incorrect
 # key being supplied. This refers to the "separate" MAC calculated and stored
 # in CipherText, not part of any MAC that is calculated as a result of a
 # "combined mode" cipher mode.
 #
 # If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
 # set this property to false.
 Encryptor.CipherText.useMAC=true
 # Whether or not the PlainText object may be overwritten and then marked
 # eligible for garbage collection. If not set, this is still treated as 'true'.
 Encryptor.PlainText.overwrite=true
 # Do not use DES except in a legacy situations. 56-bit is way too small key size.
 #Encryptor.EncryptionKeyLength=56
 #Encryptor.EncryptionAlgorithm=DES
 # TripleDES is considered strong enough for most purposes.
 #    Note:    There is also a 112-bit version of DESede. Using the 168-bit version
 #            requires downloading the special jurisdiction policy from Sun.
 #Encryptor.EncryptionKeyLength=168
 #Encryptor.EncryptionAlgorithm=DESede
 Encryptor.HashAlgorithm=SHA-512
 Encryptor.HashIterations=1024
 Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
 Encryptor.DigitalSignatureKeyLength=1024
 Encryptor.RandomAlgorithm=SHA1PRNG
 Encryptor.CharacterEncoding=UTF-8
 #===========================================================================
 # ESAPI HttpUtilties
 #
 # The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods
 # protect against malicious data from attackers, such as unprintable characters, escaped characters,
 # and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
 # headers, and CSRF tokens.
 #
 # Default file upload location (remember to escape backslashes with \\)
 HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
 HttpUtilities.UploadTempDir=C:\\temp
 # Force flags on cookies, if you use HttpUtilities to set cookies
 HttpUtilities.ForceHttpOnlySession=false
 HttpUtilities.ForceSecureSession=false
 HttpUtilities.ForceHttpOnlyCookies=true
 HttpUtilities.ForceSecureCookies=true
 # Maximum size of HTTP headers
 HttpUtilities.MaxHeaderSize=4096
 # File upload configuration
 HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
 HttpUtilities.MaxUploadFileBytes=500000000
 # Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
 # container, and any other technologies you may be using. Failure to do this may expose you
 # to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
 HttpUtilities.ResponseContentType=text/html; charset=UTF-8
 #===========================================================================
 # ESAPI Executor
 # CHECKME - Not sure what this is used for, but surely it should be made OS independent.
 Executor.WorkingDirectory=C:\\Windows\\Temp
 Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe
 #===========================================================================
 # ESAPI Logging
 # Set the application name if these logs are combined with other applications
 Logger.ApplicationName=ExampleApplication
 # If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
 Logger.LogEncodingRequired=false
 # Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
 Logger.LogApplicationName=true
 # Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
 Logger.LogServerIP=true
 # LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
 # want to place it in a specific directory.
 Logger.LogFileName=ESAPI_logging_file
 # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
 Logger.MaxLogFileSize=10000000
 #===========================================================================
 # ESAPI Intrusion Detection
 #
 # Each event has a base to which .count, .interval, and .action are added
 # The IntrusionException will fire if we receive "count" events within "interval" seconds
 # The IntrusionDetector is configurable to take the following actions: log, logout, and disable
 #  (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
 #
 # Custom Events
 # Names must start with "event." as the base
 # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
 # You can also disable intrusion detection completely by changing
 # the following parameter to true
 #
 IntrusionDetector.Disable=false
 #
 IntrusionDetector.event.test.count=2
 IntrusionDetector.event.test.interval=10
 IntrusionDetector.event.test.actions=disable,log
 # Exception Events
 # All EnterpriseSecurityExceptions are registered automatically
 # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
 # Use the fully qualified classname of the exception as the base
 # any intrusion is an attack
 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
 # for test purposes
 # CHECKME: Shouldn't there be something in the property name itself that designates
 #           that these are for testing???
 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
 # rapid validation errors indicate scans or attacks in progress
 # org.owasp.esapi.errors.ValidationException.count=10
 # org.owasp.esapi.errors.ValidationException.interval=10
 # org.owasp.esapi.errors.ValidationException.actions=log,logout
 # sessions jumping between hosts indicates session hijacking
 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
 #===========================================================================
 # ESAPI Validation
 #
 # The ESAPI Validator works on regular expressions with defined names. You can define names
 # either here, or you may define application specific patterns in a separate file defined below.
 # This allows enterprises to specify both organizational standards as well as application specific
 # validation rules.
 #
 Validator.ConfigurationFile=validation.properties
 # Validators used by ESAPI
 Validator.AccountName=^[a-zA-Z0-9]{3,20}$
 Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
 Validator.RoleName=^[a-z]{1,20}$
 #the word TEST below should be changed to your application
 #name - only relative URL's are supported
 Validator.Redirect=^\\/test.*$
 # Global HTTP Validation Rules
 # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
 Validator.HTTPScheme=^(http|https)$
 Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
 Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
 Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
 Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
 Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
 Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
 Validator.HTTPContextPath=^[a-zA-Z0-9.\\-\\/_]*$
 Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
 Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
 Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$
 Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
 Validator.HTTPURL=^.*$
 Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$
 # Validation of file related input
 Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
 Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
--- a/hbase-server/src/main/resources/hbase-webapps/master/table.jsp
+++ b/hbase-server/src/main/resources/hbase-webapps/master/table.jsp
@ -29,7 +29,6 @@
  import="java.util.Collection"
  import="java.util.Collections"
  import="java.util.Comparator"
  import="org.owasp.esapi.ESAPI"
  import="org.apache.hadoop.conf.Configuration"
  import="org.apache.hadoop.util.StringUtils"
  import="org.apache.hadoop.hbase.HRegionInfo"
@ -85,7 +84,7 @@
    <% if ( !readOnly && action != null ) { %>
        <title>HBase Master: <%= master.getServerName() %></title>
    <% } else { %>
-        <title>Table: <%= ESAPI.encoder().encodeForHTML(fqtn) %></title>
+        <title>Table: <%= fqtn %></title>
    <% } %>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="">
@ -181,7 +180,7 @@ if ( fqtn != null ) {
 <div class="container-fluid content">
    <div class="row inner_header">
        <div class="page-header">
-            <h1>Table <small><%= ESAPI.encoder().encodeForHTML(fqtn) %></small></h1>
+            <h1>Table <small><%= fqtn %></small></h1>
        </div>
    </div>
    <div class="row">
--- a/hbase-server/src/main/resources/hbase-webapps/regionserver/region.jsp
+++ b/hbase-server/src/main/resources/hbase-webapps/regionserver/region.jsp
@ -21,7 +21,6 @@
  import="java.util.Collection"
  import="java.util.Date"
  import="java.util.List"
  import="org.owasp.esapi.ESAPI"
  import="static org.apache.commons.lang.StringEscapeUtils.escapeXml"
  import="org.apache.hadoop.conf.Configuration"
  import="org.apache.hadoop.hbase.HTableDescriptor"
@ -36,14 +35,10 @@
  String regionName = request.getParameter("name");
  HRegionServer rs = (HRegionServer) getServletContext().getAttribute(HRegionServer.REGIONSERVER);
  Configuration conf = rs.getConfiguration();
-  String displayName = null;
+
  Region region = rs.getFromOnlineRegions(regionName);
-  if(region == null) {
+  String displayName = HRegionInfo.getRegionNameAsStringForDisplay(region.getRegionInfo(),
    displayName= ESAPI.encoder().encodeForHTML(regionName) + " does not exist";
  } else {
    displayName = HRegionInfo.getRegionNameAsStringForDisplay(region.getRegionInfo(),
    rs.getConfiguration());
  }
 %>
 <!--[if IE]>
 <!DOCTYPE html>
@ -126,14 +121,7 @@
         <p> <%= storeFiles.size() %> StoreFile(s) in set.</p>
         </table>
   <%  }
-   } else { %>
+   }%>
   <div class="container-fluid content">
   <div class="row inner_header">
   </div>
   <p><hr><p>
   <p>Go <a href="javascript:history.back()">Back</a>
   </div>
  <% } %>
 </div>
 <script src="/static/js/jquery.min.js" type="text/javascript"></script>
 <script src="/static/js/bootstrap.min.js" type="text/javascript"></script>
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java
@ -105,11 +105,5 @@ public class TestJMXJsonServlet extends HttpServerFunctionalTest {
    assertReFind("\"committed\"\\s*:", result);
    assertReFind("\\}\\);$", result);
    // test to get XSS JSONP result
    result = readOutput(new URL(baseUrl, "/jmx?qry=java.lang:type=Memory&callback=<script>alert('hello')</script>"));
    LOG.info("/jmx?qry=java.lang:type=Memory&callback=<script>alert('hello')</script> RESULT: "+result);
    assertTrue(!result.contains("<script>"));
  }
 }
--- a/hbase-server/src/test/resources/ESAPI.properties
+++ b/hbase-server/src/test/resources/ESAPI.properties
@ -1,431 +0,0 @@
 #
 # OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version
 #
 # This file is part of the Open Web Application Security Project (OWASP)
 # Enterprise Security API (ESAPI) project. For details, please see
 # http://www.owasp.org/index.php/ESAPI.
 #
 # Copyright (c) 2008,2009 - The OWASP Foundation
 #
 # DISCUSS: This may cause a major backwards compatibility issue, etc. but
 #           from a name space perspective, we probably should have prefaced
 #           all the property names with ESAPI or at least OWASP. Otherwise
 #           there could be problems is someone loads this properties file into
 #           the System properties.  We could also put this file into the
 #           esapi.jar file (perhaps as a ResourceBundle) and then allow an external
 #           ESAPI properties be defined that would overwrite these defaults.
 #           That keeps the application's properties relatively simple as usually
 #           they will only want to override a few properties. If looks like we
 #           already support multiple override levels of this in the
 #           DefaultSecurityConfiguration class, but I'm suggesting placing the
 #           defaults in the esapi.jar itself. That way, if the jar is signed,
 #           we could detect if those properties had been tampered with. (The
 #           code to check the jar signatures is pretty simple... maybe 70-90 LOC,
 #           but off course there is an execution penalty (similar to the way
 #           that the separate sunjce.jar used to be when a class from it was
 #           first loaded). Thoughts?
 ###############################################################################
 #
 # WARNING: Operating system protection should be used to lock down the .esapi
 # resources directory and all the files inside and all the directories all the
 # way up to the root directory of the file system.  Note that if you are using
 # file-based implementations, that some files may need to be read-write as they
 # get updated dynamically.
 #
 # Before using, be sure to update the MasterKey and MasterSalt as described below.
 # N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4,
 #        you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired)
 #        re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be
 #        able to decrypt your data with ESAPI 2.0.
 #
 #        YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes.
 #
 #===========================================================================
 # ESAPI Configuration
 #
 # If true, then print all the ESAPI properties set here when they are loaded.
 # If false, they are not printed. Useful to reduce output when running JUnit tests.
 # If you need to troubleshoot a properties related problem, turning this on may help.
 # This is 'false' in the src/test/resources/.esapi version. It is 'true' by
 # default for reasons of backward compatibility with earlier ESAPI versions.
 ESAPI.printProperties=true
 # ESAPI is designed to be easily extensible. You can use the reference implementation
 # or implement your own providers to take advantage of your enterprise's security
 # infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like:
 #
 #    String ciphertext =
 #        ESAPI.encryptor().encrypt("Secret message");   // Deprecated in 2.0
 #    CipherText cipherText =
 #        ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred
 #
 # Below you can specify the classname for the provider that you wish to use in your
 # application. The only requirement is that it implement the appropriate ESAPI interface.
 # This allows you to switch security implementations in the future without rewriting the
 # entire application.
 #
 # ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory
 ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
 # FileBasedAuthenticator requires users.txt file in .esapi directory
 ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
 ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
 ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor
 ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor
 ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
 ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
 # Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html
 ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory
 #ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory
 ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
 ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
 #===========================================================================
 # ESAPI Authenticator
 #
 Authenticator.AllowedLoginAttempts=3
 Authenticator.MaxOldPasswordHashes=13
 Authenticator.UsernameParameterName=username
 Authenticator.PasswordParameterName=password
 # RememberTokenDuration (in days)
 Authenticator.RememberTokenDuration=14
 # Session Timeouts (in minutes)
 Authenticator.IdleTimeoutDuration=20
 Authenticator.AbsoluteTimeoutDuration=120
 #===========================================================================
 # ESAPI Encoder
 #
 # ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks.
 # Failure to canonicalize input is a very common mistake when implementing validation schemes.
 # Canonicalization is automatic when using the ESAPI Validator, but you can also use the
 # following code to canonicalize data.
 #
 #      ESAPI.Encoder().canonicalize( "%22hello world&#x22;" );
 #
 # Multiple encoding is when a single encoding format is applied multiple times, multiple
 # different encoding formats are applied, or when multiple formats are nested. Allowing
 # multiple encoding is strongly discouraged.
 Encoder.AllowMultipleEncoding=false
 #
 # The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs
 # for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or
 # inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important.
 Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
 #===========================================================================
 # ESAPI Encryption
 #
 # The ESAPI Encryptor provides basic cryptographic functions with a simplified API.
 # To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
 # There is not currently any support for key rotation, so be careful when changing your key and salt as it
 # will invalidate all signed, encrypted, and hashed data.
 #
 # WARNING: Not all combinations of algorithms and key lengths are supported.
 # If you choose to use a key length greater than 128, you MUST download the
 # unlimited strength policy files and install in the lib directory of your JRE/JDK.
 # See http://java.sun.com/javase/downloads/index.jsp for more information.
 #
 # Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API
 # methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever
 # possible, these methods should be avoided as they use ECB cipher mode, which in almost
 # all circumstances a poor choice because of it's weakness. CBC cipher mode is the default
 # for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0.  In general, you
 # should only use this compatibility setting if you have persistent data encrypted with
 # version 1.4 and even then, you should ONLY set this compatibility mode UNTIL
 # you have decrypted all of your old encrypted data and then re-encrypted it with
 # ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode
 # with the new 2.0 methods, make sure that you use the same cipher algorithm for both
 # (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for
 # more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods
 # where you can specify a SecretKey. (Note that if you are using the 256-bit AES,
 # that requires downloading the special jurisdiction policy files mentioned above.)
 #
 #        ***** IMPORTANT: Do NOT forget to replace these with your own values! *****
 # To calculate these values, you can run:
 #        java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor
 #
 Encryptor.MasterKey=
 Encryptor.MasterSalt=
 # Provides the default JCE provider that ESAPI will "prefer" for its symmetric
 # encryption and hashing. (That is it will look to this provider first, but it
 # will defer to other providers if the requested algorithm is not implemented
 # by this provider.) If left unset, ESAPI will just use your Java VM's current
 # preferred JCE provider, which is generally set in the file
 # "$JAVA_HOME/jre/lib/security/java.security".
 #
 # The main intent of this is to allow ESAPI symmetric encryption to be
 # used with a FIPS 140-2 compliant crypto-module. For details, see the section
 # "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in
 # the ESAPI 2.0 Symmetric Encryption User Guide, at:
 # http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
 # However, this property also allows you to easily use an alternate JCE provider
 # such as "Bouncy Castle" without having to make changes to "java.security".
 # See Javadoc for SecurityProviderLoader for further details. If you wish to use
 # a provider that is not known to SecurityProviderLoader, you may specify the
 # fully-qualified class name of the JCE provider class that implements
 # java.security.Provider. If the name contains a '.', this is interpreted as
 # a fully-qualified class name that implements java.security.Provider.
 #
 # NOTE: Setting this property has the side-effect of changing it in your application
 #       as well, so if you are using JCE in your application directly rather than
 #       through ESAPI (you wouldn't do that, would you? ;-), it will change the
 #       preferred JCE provider there as well.
 #
 # Default: Keeps the JCE provider set to whatever JVM sets it to.
 Encryptor.PreferredJCEProvider=
 # AES is the most widely used and strongest encryption algorithm. This
 # should agree with your Encryptor.CipherTransformation property.
 # By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is
 # very weak. It is essentially a password-based encryption key, hashed
 # with MD5 around 1K times and then encrypted with the weak DES algorithm
 # (56-bits) using ECB mode and an unspecified padding (it is
 # JCE provider specific, but most likely "NoPadding"). However, 2.0 uses
 # "AES/CBC/PKCSPadding". If you want to change these, change them here.
 # Warning: This property does not control the default reference implementation for
 #           ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped
 #           in the future.
 # @deprecated
 Encryptor.EncryptionAlgorithm=AES
 #        For ESAPI Java 2.0 - New encrypt / decrypt methods use this.
 Encryptor.CipherTransformation=AES/CBC/PKCS5Padding
 # Applies to ESAPI 2.0 and later only!
 # Comma-separated list of cipher modes that provide *BOTH*
 # confidentiality *AND* message authenticity. (NIST refers to such cipher
 # modes as "combined modes" so that's what we shall call them.) If any of these
 # cipher modes are used then no MAC is calculated and stored
 # in the CipherText upon encryption. Likewise, if one of these
 # cipher modes is used with decryption, no attempt will be made
 # to validate the MAC contained in the CipherText object regardless
 # of whether it contains one or not. Since the expectation is that
 # these cipher modes support support message authenticity already,
 # injecting a MAC in the CipherText object would be at best redundant.
 #
 # Note that as of JDK 1.5, the SunJCE provider does not support *any*
 # of these cipher modes. Of these listed, only GCM and CCM are currently
 # NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports
 # GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other
 # padding modes.
 Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC
 # Applies to ESAPI 2.0 and later only!
 # Additional cipher modes allowed for ESAPI 2.0 encryption. These
 # cipher modes are in _addition_ to those specified by the property
 # 'Encryptor.cipher_modes.combined_modes'.
 # Note: We will add support for streaming modes like CFB & OFB once
 # we add support for 'specified' to the property 'Encryptor.ChooseIVMethod'
 # (probably in ESAPI 2.1).
 # DISCUSS: Better name?
 Encryptor.cipher_modes.additional_allowed=CBC
 # 128-bit is almost always sufficient and appears to be more resistant to
 # related key attacks than is 256-bit AES. Use '_' to use default key size
 # for cipher algorithms (where it makes sense because the algorithm supports
 # a variable key size). Key length must agree to what's provided as the
 # cipher transformation, otherwise this will be ignored after logging a
 # warning.
 #
 # NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing!
 Encryptor.EncryptionKeyLength=128
 # Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
 # (All cipher modes except ECB require an IV.) There are two choices: we can either
 # use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
 # the IV does not need to be hidden from adversaries, it is important that the
 # adversary not be allowed to choose it. Also, random IVs are generally much more
 # secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
 # such as CFB and OFB use a different IV for each encryption with a given key so
 # in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
 # IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
 # uncomment the Encryptor.fixedIV.
 #
 # Valid values:        random|fixed|specified        'specified' not yet implemented; planned for 2.1
 Encryptor.ChooseIVMethod=random
 # If you choose to use a fixed IV, then you must place a fixed IV here that
 # is known to all others who are sharing your secret key. The format should
 # be a hex string that is the same length as the cipher block size for the
 # cipher algorithm that you are using. The following is an example for AES
 # from an AES test vector for AES-128/CBC as described in:
 # NIST Special Publication 800-38A (2001 Edition)
 # "Recommendation for Block Cipher Modes of Operation".
 # (Note that the block size for AES is 16 bytes == 128 bits.)
 #
 Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f
 # Whether or not CipherText should use a message authentication code (MAC) with it.
 # This prevents an adversary from altering the IV as well as allowing a more
 # fool-proof way of determining the decryption failed because of an incorrect
 # key being supplied. This refers to the "separate" MAC calculated and stored
 # in CipherText, not part of any MAC that is calculated as a result of a
 # "combined mode" cipher mode.
 #
 # If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also
 # set this property to false.
 Encryptor.CipherText.useMAC=true
 # Whether or not the PlainText object may be overwritten and then marked
 # eligible for garbage collection. If not set, this is still treated as 'true'.
 Encryptor.PlainText.overwrite=true
 # Do not use DES except in a legacy situations. 56-bit is way too small key size.
 #Encryptor.EncryptionKeyLength=56
 #Encryptor.EncryptionAlgorithm=DES
 # TripleDES is considered strong enough for most purposes.
 #    Note:    There is also a 112-bit version of DESede. Using the 168-bit version
 #            requires downloading the special jurisdiction policy from Sun.
 #Encryptor.EncryptionKeyLength=168
 #Encryptor.EncryptionAlgorithm=DESede
 Encryptor.HashAlgorithm=SHA-512
 Encryptor.HashIterations=1024
 Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
 Encryptor.DigitalSignatureKeyLength=1024
 Encryptor.RandomAlgorithm=SHA1PRNG
 Encryptor.CharacterEncoding=UTF-8
 #===========================================================================
 # ESAPI HttpUtilties
 #
 # The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods
 # protect against malicious data from attackers, such as unprintable characters, escaped characters,
 # and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies,
 # headers, and CSRF tokens.
 #
 # Default file upload location (remember to escape backslashes with \\)
 HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
 HttpUtilities.UploadTempDir=C:\\temp
 # Force flags on cookies, if you use HttpUtilities to set cookies
 HttpUtilities.ForceHttpOnlySession=false
 HttpUtilities.ForceSecureSession=false
 HttpUtilities.ForceHttpOnlyCookies=true
 HttpUtilities.ForceSecureCookies=true
 # Maximum size of HTTP headers
 HttpUtilities.MaxHeaderSize=4096
 # File upload configuration
 HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll
 HttpUtilities.MaxUploadFileBytes=500000000
 # Using UTF-8 throughout your stack is highly recommended. That includes your database driver,
 # container, and any other technologies you may be using. Failure to do this may expose you
 # to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization.
 HttpUtilities.ResponseContentType=text/html; charset=UTF-8
 #===========================================================================
 # ESAPI Executor
 # CHECKME - Not sure what this is used for, but surely it should be made OS independent.
 Executor.WorkingDirectory=C:\\Windows\\Temp
 Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe
 #===========================================================================
 # ESAPI Logging
 # Set the application name if these logs are combined with other applications
 Logger.ApplicationName=ExampleApplication
 # If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
 Logger.LogEncodingRequired=false
 # Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
 Logger.LogApplicationName=true
 # Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
 Logger.LogServerIP=true
 # LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
 # want to place it in a specific directory.
 Logger.LogFileName=ESAPI_logging_file
 # MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
 Logger.MaxLogFileSize=10000000
 #===========================================================================
 # ESAPI Intrusion Detection
 #
 # Each event has a base to which .count, .interval, and .action are added
 # The IntrusionException will fire if we receive "count" events within "interval" seconds
 # The IntrusionDetector is configurable to take the following actions: log, logout, and disable
 #  (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable
 #
 # Custom Events
 # Names must start with "event." as the base
 # Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here
 # You can also disable intrusion detection completely by changing
 # the following parameter to true
 #
 IntrusionDetector.Disable=false
 #
 IntrusionDetector.event.test.count=2
 IntrusionDetector.event.test.interval=10
 IntrusionDetector.event.test.actions=disable,log
 # Exception Events
 # All EnterpriseSecurityExceptions are registered automatically
 # Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException
 # Use the fully qualified classname of the exception as the base
 # any intrusion is an attack
 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1
 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
 IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout
 # for test purposes
 # CHECKME: Shouldn't there be something in the property name itself that designates
 #           that these are for testing???
 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10
 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5
 IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout
 # rapid validation errors indicate scans or attacks in progress
 # org.owasp.esapi.errors.ValidationException.count=10
 # org.owasp.esapi.errors.ValidationException.interval=10
 # org.owasp.esapi.errors.ValidationException.actions=log,logout
 # sessions jumping between hosts indicates session hijacking
 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2
 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10
 IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout
 #===========================================================================
 # ESAPI Validation
 #
 # The ESAPI Validator works on regular expressions with defined names. You can define names
 # either here, or you may define application specific patterns in a separate file defined below.
 # This allows enterprises to specify both organizational standards as well as application specific
 # validation rules.
 #
 Validator.ConfigurationFile=validation.properties
 # Validators used by ESAPI
 Validator.AccountName=^[a-zA-Z0-9]{3,20}$
 Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$
 Validator.RoleName=^[a-z]{1,20}$
 #the word TEST below should be changed to your application
 #name - only relative URL's are supported
 Validator.Redirect=^\\/test.*$
 # Global HTTP Validation Rules
 # Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=]
 Validator.HTTPScheme=^(http|https)$
 Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$
 Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$
 Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
 Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$
 Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$
 Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$
 Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
 Validator.HTTPContextPath=^[a-zA-Z0-9.\\-\\/_]*$
 Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$
 Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$
 Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$
 Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$
 Validator.HTTPURL=^.*$
 Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$
 # Validation of file related input
 Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
 Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$
--- a/pom.xml
+++ b/pom.xml
@ -874,7 +874,6 @@
              <exclude>**/patchprocess/**</exclude>
              <exclude>src/main/site/resources/repo/**</exclude>
              <exclude>**/dependency-reduced-pom.xml</exclude>
              <exclude>**/ESAPI.properties</exclude>
              <exclude>**/rat.txt</exclude>
            </excludes>
          </configuration>