
isInvalidFileName allows back slash failing tests #64

Closed
meg23 opened this issue Nov 13, 2014 · 1 comment


meg23 commented Nov 13, 2014

From schal...@darkmist.net on November 09, 2009 21:21:52

What steps will reproduce the problem?
1. svn checkout..
2. mvn -Dtest=ValidatorTest test

What is the expected output? What do you see instead?
isInvalidFileName should not claim a file with a back slash in it is valid.

Please use labels and text to provide additional information.
This has been split out from issue 39 testIsInvalidFilename:

This test fails on a filename being passed as valid when it has a backslash
('\') in it. The test expects this to be rejected as invalid which is
probably a good idea. The problem is that during the validation the
filename is canonicalized using the encoder. The encoder includes the
JavaScript codec which removes the backslash. When the canonicalized
filename is validated it no longer contains the backslash and validation
succeeds.

I am not familiar enough with the ESAPI.properties, but changing
"Encoder.DefaultCodecList" is not having any effect on the encoders
actually used (validated by inserting printlns). Canonicalize is also
applying the codecs repeatedly until nothing changes which seems to be
contrary to the default Encoder.AllowMultipleEncoding=false as well.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=54
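The failure mode in the report, modelled as an added example (not ESAPI's code): a constructed JavaScript-style codec decodes backslash escapes, a canonicalizer applies it until the output stops changing, and a file-name check that validates only the canonical form accepts a name whose backslash the codec has consumed. The hardened variant, also hypothetical, rejects any input that canonicalization changed and checks the raw string against the allow-list.

```python
import re

# Constructed model of a JavaScript codec: \xHH, \uHHHH, \n-style and generic \c
# escapes decode to the character they stand for, so the backslash disappears.
_JS_ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4})|(.))", re.S)
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f", "0": "\0"}


def js_decode(s: str) -> str:
    """One pass of the modelled JavaScript codec."""
    def repl(m: re.Match) -> str:
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 16))
        return _SIMPLE.get(m.group(3), m.group(3))
    return _JS_ESCAPE.sub(repl, s)


def canonicalize(s: str) -> str:
    """Apply the codec repeatedly until nothing changes (as the report describes)."""
    while True:
        decoded = js_decode(s)
        if decoded == s:
            return s
        s = decoded


# Allow-list for a bare file name: letters, digits, dot, underscore, hyphen.
_FILE_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")


def is_invalid_file_name_buggy(name: str) -> bool:
    # Reproduces the report: only the canonicalized value is validated, so the
    # backslash is decoded away before the allow-list ever sees it.
    return _FILE_NAME.fullmatch(canonicalize(name)) is None


def is_invalid_file_name_fixed(name: str) -> bool:
    # Hardened: an input that canonicalization changed carried an encoding and
    # is rejected outright; the raw string is then checked against the allow-list.
    if canonicalize(name) != name:
        return True
    return _FILE_NAME.fullmatch(name) is None
```

The "\x5c" case shows why the repeated application matters: one pass turns the escape into a literal backslash, the next pass removes it, and the buggy check never sees either form.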


meg23 commented Nov 13, 2014

From schal...@darkmist.net on November 11, 2009 15:09:14

Fixed in revision 808

Status: Fixed
