ESAPI provides a safer version of this method.
The ESAPI Secure Coding Guideline contains a list of banned APIs. For each of these APIs, ESAPI offers a safer alternative component.
List of banned APIs and their replacement APIs:
Banned 001 System.out.println()
Banned 002 Throwable.printStackTrace()
Banned 003 Runtime.exec()
Banned 004 Session.getId()
Banned 005 ServletRequest.getUserPrincipal()
Banned 006 ServletRequest.isUserInRole()
Banned 007 Session.invalidate()
Banned 008 Math.Random.*
Banned 009 File.createTempFile()
Banned 010 ServletResponse.setContentType()
Banned 011 ServletResponse.sendRedirect()
Banned 012 RequestDispatcher.forward()
Banned 013 ServletResponse.addHeader()
Banned 014 ServletResponse.addCookie()
Banned 015 ServletRequest.isSecure()
Banned 016 Properties.*
Banned 017 ServletContext.log()
Banned 018 java.security and javax.crypto
Banned 019 java.net.URLEncoder/Decoder
Banned 021 ServletResponse.encodeURL
Banned 022 ServletResponse.encodeRedirectURL
Banned 023 javax.servlet.ServletInputStream.readLine
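As an added illustration (not code from the original page, from Fortify, or from the ESAPI project's own documentation), the Java fragment below places a handful of the banned calls from the list next to the ESAPI 2.x replacement for each. The ESAPI method names used on the replacement side (ESAPI.getLogger, ESAPI.randomizer().getRandomString, ESAPI.httpUtilities().sendRedirect / addCookie / changeSessionIdentifier, ESAPI.executor().executeSystemCommand) are assumed from the ESAPI 2.x API; the class name, the request parameter name "next", the cookie name and the /bin/ls path are invented for the example. ESAPI.properties must be on the classpath for any of the ESAPI calls to work.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncoderConstants;
import org.owasp.esapi.ExecuteResult;
import org.owasp.esapi.Logger;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.ExecutorException;

/**
 * Added example: banned JDK/Servlet calls beside their ESAPI 2.x replacements.
 * Each pair keeps the banned form (named *Banned) next to the ESAPI form (named *Esapi).
 * ESAPI method names are assumed from the ESAPI 2.x API; parameter names, cookie name
 * and executable path are invented for illustration.
 */
public class BannedApiReplacements {

    private static final Logger LOG = ESAPI.getLogger(BannedApiReplacements.class);

    // Banned 002: printStackTrace() writes to stderr, outside the application log,
    // and dumps internals (class names, paths) wherever stderr happens to go.
    static void logFailureBanned(Exception e) {
        e.printStackTrace();
    }

    // Replacement: the ESAPI logger tags the event type and writes to the configured log.
    static void logFailureEsapi(Exception e) {
        LOG.error(Logger.SECURITY_FAILURE, "request processing failed", e);
    }

    // Banned 008: java.util.Random is a seeded LCG; its output is predictable and unfit for tokens.
    static String tokenBanned() {
        return Long.toHexString(new java.util.Random().nextLong());
    }

    // Replacement: the ESAPI Randomizer (SecureRandom-backed) with an explicit alphabet and length.
    static String tokenEsapi() {
        return ESAPI.randomizer().getRandomString(32, EncoderConstants.CHAR_ALPHANUMERICS);
    }

    // Banned 011: redirecting to a user-controlled target is an open redirect.
    static void redirectBanned(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendRedirect(req.getParameter("next"));
    }

    // Replacement: ESAPI checks the target against the Validator.Redirect pattern in
    // ESAPI.properties and throws AccessControlException instead of redirecting off-site.
    static void redirectEsapi(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, AccessControlException {
        ESAPI.httpUtilities().sendRedirect(resp, req.getParameter("next"));
    }

    // Banned 014: a cookie added directly carries only whatever flags the caller remembered to set.
    static void cookieBanned(HttpServletResponse resp, String value) {
        resp.addCookie(new Cookie("pref", value));
    }

    // Replacement: ESAPI validates name and value and applies the configured Secure/HttpOnly policy.
    static void cookieEsapi(HttpServletResponse resp, String value) {
        ESAPI.httpUtilities().addCookie(resp, new Cookie("pref", value));
    }

    // Banned 007: invalidating and recreating the session by hand after login is easy to get wrong
    // (attributes lost, or the old ID kept, which leaves session fixation open).
    static void rotateSessionBanned(HttpServletRequest req) {
        req.getSession().invalidate();
        req.getSession(true);
    }

    // Replacement: ESAPI issues a new session ID and carries the attributes across in one call.
    static void rotateSessionEsapi(HttpServletRequest req) throws AuthenticationException {
        ESAPI.httpUtilities().changeSessionIdentifier(req);
    }

    // Banned 003: Runtime.exec() runs whatever string the caller assembles, user input included.
    static void listDirBanned(String dir) throws IOException {
        Runtime.getRuntime().exec("ls -l " + dir);
    }

    // Replacement: the ESAPI Executor only runs executables approved in ESAPI.properties
    // (Executor.ApprovedExecutables) and takes arguments as a list, so there is no command string to inject into.
    static ExecuteResult listDirEsapi(String dir) throws ExecutorException {
        List<String> params = Arrays.asList("-l", dir);
        return ESAPI.executor().executeSystemCommand(new File("/bin/ls"), params);
    }
}
```

The pattern to take from the pairs is that the ESAPI form moves the security decision (where to log, which redirect targets are local, which cookie flags apply, which binaries may run) out of each call site and into ESAPI.properties, so a static analyser flagging the banned form is pointing at a site where that policy is currently hand-rolled or absent.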
[1] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP2060.4 CAT II
[2] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP2060.4 CAT II
[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 676
[4] OWASP ESAPI Secure Coding Guideline
[5] Standards Mapping - SANS Top 25 2011 - (SANS Top 25 2011) Risky Resource Management - CWE ID 676