[SalesForce] Why use ESAPI for encoding

We're working on getting our managed package to pass security review. In various documentation (including Trailhead) Salesforce are recommending we use ESAPI for server side (Apex) encoding.

My understanding is it's supposed to provide the following:

  • input validation
  • output encoding
  • FLS

I'm trying to work out the difference between ESAPI and just using some of the standard string methods available in apex, such as escapeHtml4().

Is there any benefit to using ESAPI over just using the apex language itself?

ESAPI also appears to be old. Looking at the commit history, there haven't been any real logic changes for many years. There are also many TODO comments from the original author.
To me, this makes it feel like one of these thought bubbles that Salesforce have but they don't commit to.

References:

Best Answer

The short answer: ESAPI is for security, preventing deliberate attacks; Apex escapeHTML, etc. is for ensuring html displays properly.

Cross site scripting

Do not use the built in Apex String Encoding functions: String.escapeEcmaScript(), String.escapeHtml3(), and String.escapeHtml4(). These functions are based on Apache's StringEscapeUtils package which was not designed for security encoding and should not be used.
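To make the distinction in the answer concrete, here is an added example (not Salesforce's, ESAPI's or the answer author's code) that models the two approaches in Python: a fixed-table entity replacement of the kind Apache Commons Lang's `escapeHtml4` performs, versus an allow-list encoder in the spirit of ESAPI that hex-encodes everything outside a small immune set, with a separate codec for the JavaScript string context. The immune sets and the table of four basic entities are this example's own modelling choices, not a verified copy of either library, and every input string is constructed for the demonstration.

```python
"""Context-aware output encoding modelled on ESAPI's allow-list approach.

Added example for this thread; not Salesforce's, ESAPI's or the answer
author's code.  The immune sets below are this example's own choice and
the HTML4 table models only the four basic named entities.  All inputs
are constructed strings.
"""

# Deny-list model: Commons Lang 3's escapeHtml4 replaces a fixed table of
# characters with named entities.  The apostrophe is not in that table,
# so it passes through unchanged.
HTML4_BASIC_ESCAPE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def escape_html4_style(value: str) -> str:
    """Only the characters present in the table are touched."""
    return "".join(HTML4_BASIC_ESCAPE.get(ch, ch) for ch in value)


# Allow-list model: ASCII letters and digits plus a small immune set pass
# through; every other character becomes a numeric hex entity.  No quote
# or angle bracket can survive, so the result is usable in the HTML body
# and in single- or double-quoted attribute values alike.
HTML_IMMUNE = set(",.-_ ")  # example's choice, not ESAPI's exact list


def encode_for_html(value: str) -> str:
    out = []
    for ch in value:
        if ch.isascii() and (ch.isalnum() or ch in HTML_IMMUNE):
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):x};")
    return "".join(out)


# JavaScript string context: HTML entities mean nothing here, so a
# different codec is required.  Non-alphanumerics become \xHH, or \uHHHH
# for code points above 0xFF, which a JS engine decodes only as data.
JS_IMMUNE = set(",._")  # example's choice


def encode_for_javascript(value: str) -> str:
    out = []
    for ch in value:
        if ch.isascii() and (ch.isalnum() or ch in JS_IMMUNE):
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def attribute_is_intact(encoded: str, quote: str) -> bool:
    """A value placed between quote...quote must not contain that quote
    character after encoding, or the attribute boundary is lost."""
    return quote not in encoded


def compare(value: str) -> dict:
    """Run one value through both HTML encoders and report whether each
    result can be dropped into a single-quoted attribute intact."""
    html4 = escape_html4_style(value)
    allowlist = encode_for_html(value)
    return {
        "html4": html4,
        "html4_ok_in_single_quotes": attribute_is_intact(html4, "'"),
        "allowlist": allowlist,
        "allowlist_ok_in_single_quotes": attribute_is_intact(allowlist, "'"),
    }


if __name__ == "__main__":
    # A legitimate surname with an apostrophe is enough to show the gap:
    # the HTML4-style result breaks a single-quoted attribute, the
    # allow-list result does not.
    for key, val in compare("O'Brien <Sales>").items():
        print(f"{key:32} {val}")
    print(encode_for_javascript("O'Brien"))
```

The point the model makes is that "displays properly" and "cannot change the parse" are different goals: a table-driven escaper decides which characters are dangerous in advance, while an allow-list encoder decides which characters are known to be safe and encodes the rest, and the JavaScript codec shows why the encoding must also match the context the value lands in.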