Upgrade owasp-java-encoder to v1.3.1 am: bbf7192a59

Original change: https://android-review.googlesource.com/c/platform/external/owasp/java-encoder/+/3455110

Change-Id: I989507c91b1599081e527956344f71c8c37d107a
Signed-off-by: Automerger Merge Worker <[email protected]>
tree: e4c5cd2ba55cf75abcf9b50d0a388853b4d31316
  1. .github/
  2. core/
  3. esapi/
  4. jakarta/
  5. jakarta-test/
  6. jsp/
  7. META-INF/
  8. src/
  9. .gitignore
  10. .java-version
  11. Android.bp
  12. AndroidManifest.xml
  13. AndroidTest.xml
  17. pom.xml
  18. README.md

OWASP Java Encoder Project

Build Status License javadoc

Contextual Output Encoding is a computer programming technique necessary to stop Cross-Site Scripting. This project is a Java 1.8+ simple-to-use drop-in high-performance encoder class with little baggage.

For more detailed documentation on the OWASP Javca Encoder please visit https://owasp.org/www-project-java-encoder/.

Start using the OWASP Java Encoders

You can download a JAR from Maven Central.

JSP tags and EL functions are available in the encoder-jsp, also available:

The jars are also available in Central:


<!-- using Servlet Spec 5 in the jakarta.servlet package use: -->

<!-- using the Legacy Servlet Spec in the javax.servlet package use: -->

Quick Overview

The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.2.3.jar, import org.owasp.encoder.Encode and start using.

Example usage:

    PrintWriter out = ....;

Please look at the javadoc for Encode to see the variety of contexts for which you can encode.

Happy Encoding!


Due to test cases for the encoder-jakarta-jsp project Java 17 is required to package and test the project. Simply run:

mvn package

To run the Jakarta JSP intgration test, to validate that the JSP Tags and EL work correctly run:

mvn verify -PtestJakarta
  • Note that the above test may fail on modern Apple silicon.

Java 9+ Module Names

JARModule Name


encoder-jakarta-jsp<%@taglib prefix=“e” uri=“owasp.encoder.jakarta”%>
encoder-jsp<%@taglib prefix=“e” uri=“https://www.owasp.org/index.php/OWASP_Java_Encoder_Project”%>


2024-08-20 - 1.3.1 Release

The team is happy to announce that version 1.3.1 has been released!

  • fix: add OSGi related entries in the MANIFEST.MF file (#82).
  • fix: java.lang.NoSuchMethodError when running on Java 8 (#80).

2024-08-02 - 1.3.0 Release

The team is happy to announce that version 1.3.0 has been released!

  • Minimum JDK Requirement is now Java 8
    • Requires Java 17 to build due to test case dependencies.
  • Adds Java 9 Module name via Multi-Release Jars (#77).
  • Fixed compilation errors with the ESAPI Thunk (#76).
  • Adds support for Servlet Spec 5 using the jakarta.servlet.* (#75).
    • taglib : <%@taglib prefix=“e” uri=“owasp.encoder.jakarta”%>

2020-11-08 - 1.2.3 Release

The team is happy to announce that version 1.2.3 has been released!

  • Update to make the manifest OSGi-compliant (#39).
  • Update to support ESAPI 2.2 and later (#37).

2018-09-14 - 1.2.2 Release

The team is happy to announce that version 1.2.2 has been released!

  • This is a minor release fixing documentation and licensing issues.

2017-02-19 - 1.2.1 Release

The team is happy to announce that version 1.2.1 has been released!

  • The CDATA Encoder was modified so that it does not emit intermediate characters between adjacent CDATA sections.
  • The documentation on gh-pages has been improved.

2015-04-12 - 1.2 Release on GitHub

OWASP Java Encoder has been moved to GitHub. Version 1.2 was also released!

2014-03-31 - Documentation updated

Please visit https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project to see detailed documentation and examples on each API use!

2014-01-30 - Version 1.1.1 released

We're happy to announce that version 1.1.1 has been released. Along with a important bug fix, we added ESAPI integration to replace the legacy ESAPI encoders with the OWASP Java Encoder.

2013-02-14 - Version 1.1 released

We're happy to announce that version 1.1 has been released. Along with a few minor encoding enhancements, we improved performance, and added a JSP tag and function library.