Hi Jim, Aloha! E komo mai! Welcome to the Shiro community. And thanks for the kudos - it's nice to see you drop in!
> I would like to suggest that Shiro implements an encoding library to stop
> injection attacks.
>
> Specific to Cross Site Scripting: encodeForHTML, encodeForHTMLAttribute,
> encodeForJavaScriptVariable, encodeForCSSValue, etc.
> Specific to Command Injection: encodeForOS, etc.
>
> Etc.
>
> Does this interest the project in any way?

I'm extremely interested in this as an effort. There is an org.apache.shiro.codec package that can certainly stand to be fleshed out, or maybe this is worthy of another package/module.

> PS: Apache probably also needs an encoding-commons, I dare say.
>
> Does this sound interesting or appropriate?

Most definitely! How would you envision this being implemented? Any architectural overview that you might be able to present? Module organization, etc?

Best regards,

Les
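The encoders Jim lists are contextual output encoders: the same untrusted string has to be escaped differently depending on whether it lands in HTML element content, a quoted attribute value, a JavaScript string literal or a CSS value, and an encoder that is safe for one of those contexts is not safe for the others. As an added illustration for this thread, not code from Shiro's org.apache.shiro.codec package and not Jim's proposal, here is a minimal allowlist-based implementation of the four XSS encoders named above. The class name ContextualEncoder and the sample payload in main() are assumptions made for the example.

```java
import java.util.Locale;

// Added illustration for this thread, not Apache Shiro code and not Jim's
// proposal: a minimal allowlist-based implementation of the XSS encoders
// named above. The class name and the sample payload in main() are assumptions.
public final class ContextualEncoder {

    private ContextualEncoder() {}

    // Allowlist: only ASCII letters and digits pass through untouched.
    private static boolean isAlnum(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    // Element content, e.g. <p>HERE</p>: the characters that can open a tag,
    // start an entity or close a quoted context are replaced by entities.
    public static String encodeForHTML(String input) {
        if (input == null) return null;
        StringBuilder sb = new StringBuilder(input.length() * 2);
        for (char c : input.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Quoted attribute value, e.g. <input value="HERE">: everything outside the
    // allowlist becomes &#xHH; so the value cannot terminate the attribute.
    // The template must still put quotes around the attribute.
    public static String encodeForHTMLAttribute(String input) {
        if (input == null) return null;
        StringBuilder sb = new StringBuilder(input.length() * 4);
        for (char c : input.toCharArray()) {
            if (isAlnum(c)) {
                sb.append(c);
            } else {
                sb.append("&#x").append(Integer.toHexString(c).toUpperCase(Locale.ROOT)).append(';');
            }
        }
        return sb.toString();
    }

    // JavaScript string literal, e.g. var x = 'HERE';: \xHH for Latin-1,
    // \uHHHH above that. HTML entities are the wrong tool here because the
    // browser does not entity-decode the contents of a <script> block.
    public static String encodeForJavaScriptVariable(String input) {
        if (input == null) return null;
        StringBuilder sb = new StringBuilder(input.length() * 4);
        for (char c : input.toCharArray()) {
            if (isAlnum(c)) {
                sb.append(c);
            } else if (c < 0x100) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    // CSS property value, e.g. font-family: HERE;: a CSS escape is a backslash,
    // hex digits and a terminating space.
    public static String encodeForCSSValue(String input) {
        if (input == null) return null;
        StringBuilder sb = new StringBuilder(input.length() * 4);
        for (char c : input.toCharArray()) {
            if (isAlnum(c)) {
                sb.append(c);
            } else {
                sb.append('\\').append(Integer.toHexString(c).toUpperCase(Locale.ROOT)).append(' ');
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample payload that breaks out of each context if left unencoded.
        String payload = "\"><script>alert(1)</script>";
        System.out.println("<p>" + encodeForHTML(payload) + "</p>");
        System.out.println("<input value=\"" + encodeForHTMLAttribute(payload) + "\">");
        System.out.println("var x = '" + encodeForJavaScriptVariable(payload) + "';");
        System.out.println("div { font-family: " + encodeForCSSValue(payload) + "; }");
    }
}
```

The point of the four variants is that the caller chooses the encoder by where the value is going, not by what the value contains. The common failure this API shape guards against is HTML-encoding a value and then dropping it into an inline script or a CSS rule, where the entities are not decoded and the original breakout characters remain reachable; the attribute encoder likewise only holds if the template actually quotes the attribute.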
