From f8ac3fdbc26b5c50a4154097210db01da911289c Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Sun, 4 Apr 2021 10:33:25 -0700 Subject: [PATCH 01/22] Signed key history for MATT SEIL begins here. --- foo.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 foo.txt diff --git a/foo.txt b/foo.txt new file mode 100644 index 000000000..05ac98e63 --- /dev/null +++ b/foo.txt @@ -0,0 +1 @@ +delete me! \ No newline at end of file From 87c4c4e6eda85b914f0676eac0f24034f85d9303 Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Sun, 4 Apr 2021 10:33:25 -0700 Subject: [PATCH 02/22] Signed key history for MATT SEIL begins here. Fixed email typo. --- foo.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 foo.txt diff --git a/foo.txt b/foo.txt new file mode 100644 index 000000000..05ac98e63 --- /dev/null +++ b/foo.txt @@ -0,0 +1 @@ +delete me! \ No newline at end of file From 304ee3e67c095079ea2dc1fe979279f4fcf6f1a4 Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Sun, 4 Apr 2021 11:54:36 -0700 Subject: [PATCH 03/22] Revert "Signed key history for MATT SEIL begins here. Fixed email typo." This reverts commit 87c4c4e6eda85b914f0676eac0f24034f85d9303. --- foo.txt | 1 - 1 file changed, 1 deletion(-) delete mode 100644 foo.txt diff --git a/foo.txt b/foo.txt deleted file mode 100644 index 05ac98e63..000000000 --- a/foo.txt +++ /dev/null @@ -1 +0,0 @@ -delete me! \ No newline at end of file From 0fb66134e63e001205c29a5565f5b26821934c1c Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Sun, 18 Apr 2021 17:26:28 -0700 Subject: [PATCH 04/22] created file on main. --- foo.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 foo.txt diff --git a/foo.txt b/foo.txt new file mode 100644 index 000000000..f6c4fd068 --- /dev/null +++ b/foo.txt @@ -0,0 +1 @@ +delete me \ No newline at end of file From dc16afd9daf6a2e33c67ec6756efe4e0078ee89c Mon Sep 17 00:00:00 2001 
From: Matt Seil Date: Mon, 19 Apr 2021 15:43:10 -0700 Subject: [PATCH 05/22] Deleted foo.txt --- foo.txt | 1 - 1 file changed, 1 deletion(-) delete mode 100644 foo.txt diff --git a/foo.txt b/foo.txt deleted file mode 100644 index f6c4fd068..000000000 --- a/foo.txt +++ /dev/null @@ -1 +0,0 @@ -delete me \ No newline at end of file From 2e8694c6beb3bdbb2645b882eba72ce41bc63242 Mon Sep 17 00:00:00 2001 From: kwwall Date: Fri, 7 May 2021 21:54:10 -0400 Subject: [PATCH 06/22] Bump release to new patch version #. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index b4808c13c..3c042c499 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 org.owasp.esapi esapi - 2.2.3.1-SNAPSHOT + 2.2.3.1 jar From 9fa2a53c18451718655340d8dc8a57a1ba43e9f5 Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Wed, 23 Feb 2022 10:35:47 -0700 Subject: [PATCH 07/22] #661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'. --- pom.xml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/pom.xml b/pom.xml index 9e4443655..64fb4cbaa 100644 --- a/pom.xml +++ b/pom.xml @@ -411,6 +411,27 @@ maven-release-plugin 3.0.0-M1 + + maven-jar-plugin + + + ${project.build.outputDirectory}/META-INF/MANIFEST.MF + + + + + org.apache.felix + maven-bundle-plugin + + + bundle-manifest + process-classes + + manifest + + + + From 1d92c37136308c9015a2fbab8fe38fe58c617338 Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Thu, 24 Feb 2022 22:01:47 -0700 Subject: [PATCH 08/22] Updated to AntiSamy 1.6.5. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 64fb4cbaa..69b7a8615 100644 --- a/pom.xml +++ b/pom.xml @@ -237,7 +237,7 @@ org.owasp.antisamy antisamy - 1.6.4 + 1.6.5 From ccf203bb68646efecb0bfd9d7fec78f407045d12 Mon Sep 17 00:00:00 2001 
From: Matt Seil Date: Fri, 25 Feb 2022 10:03:22 -0700 Subject: [PATCH 09/22] Revert "#661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'." This reverts commit 9fa2a53c18451718655340d8dc8a57a1ba43e9f5. --- pom.xml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/pom.xml b/pom.xml index 712cf9760..8bca5ce50 100644 --- a/pom.xml +++ b/pom.xml @@ -411,27 +411,6 @@ maven-release-plugin 3.0.0-M1 - - maven-jar-plugin - - - ${project.build.outputDirectory}/META-INF/MANIFEST.MF - - - - - org.apache.felix - maven-bundle-plugin - - - bundle-manifest - process-classes - - manifest - - - - From d975a8a811928d659f5dd8edd46d78661be9482f Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Fri, 25 Feb 2022 10:36:57 -0700 Subject: [PATCH 10/22] #656 --> Parameterized cookie name length and value to correspond with the HTTP maxes defined in esapi.properties. --- configuration/esapi/ESAPI.properties | 2 +- .../java/org/owasp/esapi/reference/DefaultHTTPUtilities.java | 5 +++-- src/test/resources/esapi/ESAPI.properties | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/configuration/esapi/ESAPI.properties b/configuration/esapi/ESAPI.properties index 828144b45..df987e533 100644 --- a/configuration/esapi/ESAPI.properties +++ b/configuration/esapi/ESAPI.properties @@ -469,7 +469,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{1,1024}$ # Note that headerName and Value length is also configured in the HTTPUtilities section Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ 
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java index f690e26bd..2da6546d8 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java @@ -189,8 +189,9 @@ public void addCookie(HttpServletResponse response, Cookie cookie) { // validate the name and value ValidationErrorList errors = new ValidationErrorList(); - String cookieName = ESAPI.validator().getValidInput("cookie name", name, "HTTPCookieName", 50, false, errors); - String cookieValue = ESAPI.validator().getValidInput("cookie value", value, "HTTPCookieValue", 5000, false, errors); + SecurityConfiguration sc = ESAPI.securityConfiguration(); + String cookieName = ESAPI.validator().getValidInput("cookie name", name, "HTTPCookieName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false, errors); + String cookieValue = ESAPI.validator().getValidInput("cookie value", value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false, errors); // if there are no errors, then set the cookie either with a header or normally if (errors.size() == 0) { diff --git a/src/test/resources/esapi/ESAPI.properties b/src/test/resources/esapi/ESAPI.properties index f3d7b46f1..f0bc5939c 100644 --- a/src/test/resources/esapi/ESAPI.properties +++ b/src/test/resources/esapi/ESAPI.properties @@ -498,7 +498,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{1,1024}$ # Note that headerName and Value length is also configured in the HTTPUtilities section Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ 
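Review bot: The two property keys are introduced in addCookie as bare string literals (`"HttpUtilities.MaxHeaderNameSize"`, `"HttpUtilities.MaxHeaderValueSize"`), and PATCH 13 copies the same literals into addHeader, getCookie and getHeader; that duplication invites exactly the name/value mix-up visible in the getCookie hunk of PATCH 13, where the name-size key is applied to a cookie value. Hoist them once, e.g. `private static final String MAX_HEADER_NAME_SIZE = "HttpUtilities.MaxHeaderNameSize";` and `private static final String MAX_HEADER_VALUE_SIZE = "HttpUtilities.MaxHeaderValueSize";`, and have every call site reference the constants. A short comment on the `cookieValue` line should also record that the effective limit is the smaller of this property and the `{…,1024}` bound added to `Validator.HTTPCookieValue` in the same commit, so the two settings have to be kept in step. If `getIntProp` throws when a key is absent (I cannot tell from the hunk), a properties file that predates these keys now makes every addCookie fail where the old fixed limits of 50 and 5000 used to apply silently; worth a note in the release notes or a documented default. addCookie starts before this hunk and continues after it.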
From 5246396ee4b7a2aa77c4f1fa20375721e57ee02d Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Fri, 25 Feb 2022 11:19:36 -0700 Subject: [PATCH 11/22] Adjusted regex to allow for zero-length matches. --- configuration/esapi/ESAPI.properties | 2 +- src/test/resources/esapi/ESAPI.properties | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configuration/esapi/ESAPI.properties b/configuration/esapi/ESAPI.properties index df987e533..a70ecbea3 100644 --- a/configuration/esapi/ESAPI.properties +++ b/configuration/esapi/ESAPI.properties @@ -469,7 +469,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{1,1024}$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ # Note that headerName and Value length is also configured in the HTTPUtilities section Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ diff --git a/src/test/resources/esapi/ESAPI.properties b/src/test/resources/esapi/ESAPI.properties index f0bc5939c..e1634dc28 100644 --- a/src/test/resources/esapi/ESAPI.properties +++ b/src/test/resources/esapi/ESAPI.properties @@ -498,7 +498,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{1,1024}$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ # Note that headerName and Value length is also configured in the HTTPUtilities section Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,256}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ From f1a7169de1a83dd48a2e95355c792013f5733953 Mon Sep 17 00:00:00 2001 
From: Matt Seil Date: Fri, 25 Feb 2022 20:42:53 -0700 Subject: [PATCH 12/22] Added per review comments for PR #663 --- .../resources/esapi/ESAPI-CommaValidatorFileChecker.properties | 2 +- .../resources/esapi/ESAPI-DualValidatorFileChecker.properties | 2 +- .../resources/esapi/ESAPI-QuotedValidatorFileChecker.properties | 2 +- .../resources/esapi/ESAPI-SingleValidatorFileChecker.properties | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties index 402ea806c..ddaa1b8e9 100644 --- a/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties +++ b/src/test/resources/esapi/ESAPI-CommaValidatorFileChecker.properties @@ -468,7 +468,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ diff --git a/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties index 322b0f5f4..88c10b6f9 100644 --- a/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties +++ b/src/test/resources/esapi/ESAPI-DualValidatorFileChecker.properties 
@@ -469,7 +469,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ diff --git a/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties index 1a565c41c..7c9d37b7a 100644 --- a/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties +++ b/src/test/resources/esapi/ESAPI-QuotedValidatorFileChecker.properties @@ -467,7 +467,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ diff --git a/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties b/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties index bbf49c6d3..a8cca0136 100644 --- a/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties +++ b/src/test/resources/esapi/ESAPI-SingleValidatorFileChecker.properties 
@@ -467,7 +467,7 @@ Validator.Redirect=^\\/test.*$ Validator.HTTPScheme=^(http|https)$ Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]{0,1024}$ Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ From d859556f44e89bf56b9f4202c3dda3c70d1d5a33 Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Sat, 19 Mar 2022 11:07:52 -0700 Subject: [PATCH 13/22] #656 Finished sweep looking for headername, headervalue, and header value sizes as well as the 'Cookie' versions of those statements. Added unit tests. --- .../esapi/reference/DefaultHTTPUtilities.java | 11 ++++++---- .../esapi/reference/HTTPUtilitiesTest.java | 22 +++++++++++++++++++ .../owasp/esapi/reference/ValidatorTest.java | 2 -- 3 files changed, 29 insertions(+), 6 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java index 2da6546d8..6e4f35ca2 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java 
@@ -235,11 +235,12 @@ public void addHeader(String name, String value) { * {@inheritDoc} */ public void addHeader(HttpServletResponse response, String name, String value) { + SecurityConfiguration sc = ESAPI.securityConfiguration(); try { String strippedName = StringUtilities.replaceLinearWhiteSpace(name); String strippedValue = StringUtilities.replaceLinearWhiteSpace(value); - String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", 20, false); - String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", 500, false); + String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false); + String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false); response.addHeader(safeName, safeValue); } catch (ValidationException e) { logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header denied", e); @@ -464,9 +465,10 @@ public void encryptStateInCookie( Map cleartext ) throws Encrypti */ public String getCookie( HttpServletRequest request, String name ) throws ValidationException { Cookie c = getFirstCookie( request, name ); + SecurityConfiguration sc = ESAPI.securityConfiguration(); if ( c == null ) return null; String value = c.getValue(); - return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", 1000, false); + return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false); } /** 
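Review bot: In the getCookie hunk, `SecurityConfiguration sc = ESAPI.securityConfiguration();` is placed before `if ( c == null ) return null;`, so the configuration lookup is performed even when there is no cookie to validate; move it below the guard, or drop the local and call `ESAPI.securityConfiguration().getIntProp(...)` inline as the other hunks effectively do. The same new line validates the cookie value with the `MaxHeaderNameSize` key rather than the value-size key (PATCH 14 of this series corrects it), which is the kind of slip a named constant per key would have made visible in review. getCookie continues past the end of the hunk.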
@@ -656,8 +658,9 @@ private Cookie getFirstCookie(HttpServletRequest request, String name) { * {@inheritDoc} */ public String getHeader( HttpServletRequest request, String name ) throws ValidationException { + SecurityConfiguration sc = ESAPI.securityConfiguration(); String value = request.getHeader(name); - return ESAPI.validator().getValidInput("HTTP header value: " + value, value, "HTTPHeaderValue", 150, false); + return ESAPI.validator().getValidInput("HTTP header value: " + value, value, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false); } diff --git a/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java b/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java index ba6715313..1f8701efd 100644 --- a/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java +++ b/src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java @@ -45,6 +45,7 @@ import org.owasp.esapi.http.MockHttpServletResponse; import org.owasp.esapi.http.MockHttpSession; import org.owasp.esapi.util.FileTestUtils; +import org.owasp.esapi.util.TestUtils; import junit.framework.Test; import junit.framework.TestCase; @@ -372,6 +373,27 @@ public void testSetCookie() { instance.addCookie( response, new Cookie( "test3", "tes Date: Sat, 19 Mar 2022 13:52:37 -0700 Subject: [PATCH 14/22] #663 Fixed a missed unit test. --- .../java/org/owasp/esapi/reference/AbstractAuthenticator.java | 3 ++- .../java/org/owasp/esapi/reference/DefaultHTTPUtilities.java | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java b/src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java index d7de99f04..e6976c7ac 100644 --- a/src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java +++ b/src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java 
@@ -114,7 +114,8 @@ protected User getUserFromSession() { */ protected DefaultUser getUserFromRememberToken() { try { - String token = ESAPI.httpUtilities().getCookie(ESAPI.currentRequest(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME); + HTTPUtilities utils =ESAPI.httpUtilities(); + String token = utils.getCookie(ESAPI.currentRequest(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME); if (token == null) return null; // See Google Issue 144 regarding first URLDecode the token and THEN unsealing. diff --git a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java index 6e4f35ca2..ecce1a9ff 100644 --- a/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java +++ b/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java @@ -468,7 +468,7 @@ public String getCookie( HttpServletRequest request, String name ) throws Valida SecurityConfiguration sc = ESAPI.securityConfiguration(); if ( c == null ) return null; String value = c.getValue(); - return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false); + return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false); } /** From 39d8a8ab5241a28ff346ad74ec1041f8deb989b0 Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Sat, 2 Apr 2022 13:54:19 -0700 Subject: [PATCH 15/22] Antisamy 1.6.6, Antisamy regression test for analysis 1. A handful of new regression tests for other purposes in validation and encoder tests. --- pom.xml | 2 +- .../org/owasp/esapi/reference/EncoderTest.java | 2 ++ .../org/owasp/esapi/reference/ValidatorTest.java | 8 ++++++++ .../validation/HTMLValidationRuleCleanTest.java | 15 +++++++++++++++ 4 files changed, 26 insertions(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8bca5ce50..9e2dba927 100644 --- a/pom.xml +++ b/pom.xml 
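Review bot: `HTTPUtilities utils =ESAPI.httpUtilities();` is missing the space after `=`, and within the visible lines `utils` is referenced exactly once, so the new local adds nothing unless the remainder of getUserFromRememberToken (which continues past the hunk) reuses it. Either keep the original single-expression call or write `HTTPUtilities utils = ESAPI.httpUtilities();` and make the reuse visible in the same change.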
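Review bot: The new return line in getCookie still builds the validation context from the unvalidated cookie value, `"HTTP cookie value: " + value`; that context string is presumably what ends up in the ValidationException message and the security log when the value is rejected, so the exact rejected bytes are echoed into logs. The cookie `name` parameter is the more useful and safer context: `return ESAPI.validator().getValidInput("HTTP cookie value for " + name, value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);`. The getHeader hunk in PATCH 13 has the same pattern with `"HTTP header value: " + value` and should get the same treatment. getCookie starts before this hunk.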
@@ -237,7 +237,7 @@ org.owasp.antisamy antisamy - 1.6.5 + 1.6.6 diff --git a/src/test/java/org/owasp/esapi/reference/EncoderTest.java b/src/test/java/org/owasp/esapi/reference/EncoderTest.java index 8f345e199..ba183daca 100644 --- a/src/test/java/org/owasp/esapi/reference/EncoderTest.java +++ b/src/test/java/org/owasp/esapi/reference/EncoderTest.java @@ -212,6 +212,8 @@ public void testCanonicalize() throws EncodingException { assertEquals( "<", instance.canonicalize("&lT;")); assertEquals( "<", instance.canonicalize("≪")); assertEquals( "<", instance.canonicalize("<")); + assertEquals( "&", instance.canonicalize("&")); + assertEquals( "〈", instance.canonicalize("&lang")); assertEquals( "", instance.canonicalize("%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E") ); assertEquals( "", instance.canonicalize("%3Cscript>alert%28%22hello"%29%3B%3C%2Fscript%3E", false) ); diff --git a/src/test/java/org/owasp/esapi/reference/ValidatorTest.java b/src/test/java/org/owasp/esapi/reference/ValidatorTest.java index 2b162b5be..076fe1806 100644 --- a/src/test/java/org/owasp/esapi/reference/ValidatorTest.java +++ b/src/test/java/org/owasp/esapi/reference/ValidatorTest.java @@ -1128,5 +1128,13 @@ public void testavaloqLooseSafeString(){ boolean isValid = v.isValidInput("RegexString", ""test"", "avaloqLooseSafeString", 2147483647, true, true); assertFalse(isValid); } + + @Test + public void testStandardHeader() { + Validator v = ESAPI.validator(); + boolean expected = false; + boolean result = v.isValidInput("HTTPHeaderValue ", "mary.poppins@gmail.com", "HTTPHeaderValue", 2147483647, true, true); + assertEquals(expected, result); + } } diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java index 2d489e793..42055a01f 100644 --- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java 
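Review bot: testStandardHeader in the ValidatorTest hunk hides what it pins: the name suggests a well-formed header is accepted, while `boolean expected = false;` plus `assertEquals(expected, result);` actually asserts that `mary.poppins@gmail.com` is rejected by `HTTPHeaderValue`. Write it as `assertFalse(v.isValidInput("HTTPHeaderValue", "mary.poppins@gmail.com", "HTTPHeaderValue", 2147483647, true, true));` under a name such as testHeaderValueRejectsAtSign, which also drops the stray trailing space in the context string `"HTTPHeaderValue "`. A one-line comment stating that `@` is outside the `Validator.HTTPHeaderValue` character class (shown in the PATCH 10 properties hunks) would record the contract being tested rather than leaving the reader to diff the regex.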
+++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java @@ -22,6 +22,7 @@ import org.owasp.esapi.ValidationErrorList; import org.owasp.esapi.ValidationRule; import org.owasp.esapi.Validator; +import org.owasp.esapi.errors.IntrusionException; import org.owasp.esapi.errors.ValidationException; import org.owasp.esapi.filters.SecurityWrapperRequest; import org.owasp.esapi.reference.validation.HTMLValidationRule; @@ -153,4 +154,18 @@ public void testIsValidSafeHTML() { assertTrue(errors.size() == 0); } + + @Test + public void testAntiSamyRegressions() throws IntrusionException, ValidationException { + System.out.println("isValidSafeHTML"); + Validator instance = ESAPI.validator(); + ValidationErrorList errors = new ValidationErrorList(); + assertTrue(instance.isValidSafeHTML("test7", "test", 100, false, errors)); + String input = "test"; + String expected = "b</style><a href=javascript:alert(1)>test"; + String output = instance.getValidSafeHTML("javascript Link", input, 250, false); + assertEquals(expected, output); + assertTrue(errors.size() == 0); + + } } From 8db0fc1f739a4af247db5375b5bbb5d8f555a216 Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Sat, 2 Apr 2022 14:41:13 -0700 Subject: [PATCH 16/22] Attempting to fix classfile differences with antisamy dependencies. --- pom.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pom.xml b/pom.xml index 9e2dba927..3462b8536 100644 --- a/pom.xml +++ b/pom.xml @@ -248,8 +248,17 @@ org.slf4j slf4j-api + + net.sourceforge.htmlunit + neko-htmluni + + + net.sourceforge.htmlunit + neko-htmlunit + 2.24 + org.slf4j slf4j-api From 14c914da5897819a057a5099a3775bba33e4409f Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Sat, 2 Apr 2022 14:45:50 -0700 Subject: [PATCH 17/22] Fixed typo on exclusion. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 3462b8536..4d155d9cf 100644 --- a/pom.xml +++ b/pom.xml 
@@ -250,7 +250,7 @@ net.sourceforge.htmlunit - neko-htmluni + neko-htmlunit From 6bc689188e5b6d2e13cdade036182c83d773b3e2 Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Sat, 2 Apr 2022 14:54:20 -0700 Subject: [PATCH 18/22] Added xerces exclusion to antisamy in the pom.xml --- pom.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pom.xml b/pom.xml index 4d155d9cf..8f582ee2d 100644 --- a/pom.xml +++ b/pom.xml @@ -252,7 +252,15 @@ net.sourceforge.htmlunit neko-htmlunit + + + xerces + xercesImpl + + net.sourceforge.htmlunit From fd1a32389a85e5dc8a1b9961ddee5e5325f794e6 Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Sat, 2 Apr 2022 16:19:54 -0700 Subject: [PATCH 19/22] Added test cases 2 & 3. --- .../HTMLValidationRuleCleanTest.java | 32 ++++++++++++++++--- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java index 42055a01f..0d5090c81 100644 --- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java +++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java 
@@ -156,16 +156,40 @@ public void testIsValidSafeHTML() { } @Test - public void testAntiSamyRegressions() throws IntrusionException, ValidationException { - System.out.println("isValidSafeHTML"); + public void testAntiSamyRegressionCDATAWithJavascriptURL() throws Exception { Validator instance = ESAPI.validator(); ValidationErrorList errors = new ValidationErrorList(); - assertTrue(instance.isValidSafeHTML("test7", "test", 100, false, errors)); - String input = "test"; + String input = "test"; + assertTrue(instance.isValidSafeHTML("test7", input, 100, false, errors)); String expected = "b</style><a href=javascript:alert(1)>test"; String output = instance.getValidSafeHTML("javascript Link", input, 250, false); assertEquals(expected, output); assertTrue(errors.size() == 0); } + + @Test + public void testScriptTagAfterStyleClosing() throws Exception { + Validator instance = ESAPI.validator(); + ValidationErrorList errors = new ValidationErrorList(); + String input = "Walert(1)"; + assertTrue(instance.isValidSafeHTML("test7", input, 100, false, errors)); + String expected = "W<script>alert(1)</script>"; + String output = instance.getValidSafeHTML("escaping style tag attack", input, 250, false); + assertEquals(expected, output); + assertTrue(errors.size() == 0); + + } + + @Test + public void testNekoDOSWithAnHTMLComment() throws Exception { + Validator instance = ESAPI.validator(); + ValidationErrorList errors = new ValidationErrorList(); + String input = " Date: Sat, 2 Apr 2022 16:20:27 -0700 Subject: [PATCH 20/22] Added test cases 2 & 3. @Ignore on test case 3 from AntiSamy as the DOS is still present. --- .../reference/validation/HTMLValidationRuleCleanTest.java | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java index 0d5090c81..ec0dceea8 100644 
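Review bot: In all three tests of this hunk the final `assertTrue(errors.size() == 0);` can only reflect the earlier `isValidSafeHTML` call, because `getValidSafeHTML` is invoked without the `errors` list and signals rejection by throwing instead; `assertEquals(0, errors.size())` at least gives a useful failure message, and moving it directly after the `isValidSafeHTML` assertion makes the dependency obvious. The same five-line scaffold (validator lookup, error list, isValidSafeHTML, getValidSafeHTML, size check) is now repeated per test, so a private helper keeps each regression to its input and expected strings. The string literals in this rendering appear to have lost their HTML markup, so I cannot check the expected sanitizer outputs themselves, and the hunk is cut off inside testNekoDOSWithAnHTMLComment.
```java
/** Runs one AntiSamy regression: input must validate cleanly and sanitize to exactly {@code expected}. */
private void assertSanitizedTo(String context, String input, String expected) throws Exception {
    Validator instance = ESAPI.validator();
    ValidationErrorList errors = new ValidationErrorList();
    assertTrue(instance.isValidSafeHTML(context, input, 100, false, errors));
    assertEquals(0, errors.size());
    assertEquals(expected, instance.getValidSafeHTML(context, input, 250, false));
}
// … unchanged: the three @Test methods reduce to a single assertSanitizedTo(...) call each …
```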
--- a/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java +++ b/src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java @@ -29,6 +29,7 @@ import org.junit.Test; import org.junit.Before; +import org.junit.Ignore; import org.junit.After; import org.junit.Rule; import org.junit.rules.ExpectedException; @@ -182,7 +183,11 @@ public void testScriptTagAfterStyleClosing() throws Exception { } @Test + @Ignore public void testNekoDOSWithAnHTMLComment() throws Exception { + /** + * FIXME: This unit test needs to pass before the next ESAPI release. + */ Validator instance = ESAPI.validator(); ValidationErrorList errors = new ValidationErrorList(); String input = " Date: Sun, 3 Apr 2022 14:27:48 -0700 Subject: [PATCH 21/22] Forced my version to match Wichers. --- pom.xml | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/pom.xml b/pom.xml index 9636bdd25..8bdc659a7 100644 --- a/pom.xml +++ b/pom.xml @@ -200,6 +200,10 @@ commons-logging commons-logging + + xml-apis + xml-apis + @@ -260,13 +264,6 @@ net.sourceforge.htmlunit neko-htmlunit - - - xerces - xercesImpl - @@ -280,13 +277,7 @@ xercesImpl - - - net.sourceforge.htmlunit - neko-htmlunit - 2.24 - org.slf4j slf4j-api @@ -466,6 +457,12 @@ + + com.h3xstream.findsecbugs + findsecbugs-plugin + ${version.findsecbugs} + + net.sourceforge.maven-taglib maven-taglib-plugin From a473f1762b0ef6bf4af5b285d66a343fd5228cf3 Mon Sep 17 00:00:00 2001 From: Matt Seil Date: Tue, 5 Apr 2022 16:27:07 -0700 Subject: [PATCH 22/22] Added a pair of unit tests for canoncialization to prove out an issue opened up on github. One of which however reminded me that we need a codec to account for UTF-8 encoding/decoding. --- .../owasp/esapi/reference/EncoderTest.java | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) 
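Review bot: `@Ignore` is added to testNekoDOSWithAnHTMLComment without a reason, and the reason is instead written as a `/** FIXME … */` Javadoc-style comment inside the method body, where Javadoc has no effect and nothing surfaces it in the test report. JUnit 4 reports the annotation's value next to the skipped test, so carry the reason there: `@Ignore("neko/AntiSamy DoS via HTML comment still reproduces; must pass before the next ESAPI release - see <ISSUE-ID>")` with the tracking issue filled in. For a known denial-of-service regression in a security library, a visible skip reason plus a tracked issue is what keeps the disabled test from being forgotten. The hunk is cut off before the end of the method.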
diff --git a/src/test/java/org/owasp/esapi/reference/EncoderTest.java b/src/test/java/org/owasp/esapi/reference/EncoderTest.java index ba183daca..ed04b6d5b 100644 --- a/src/test/java/org/owasp/esapi/reference/EncoderTest.java +++ b/src/test/java/org/owasp/esapi/reference/EncoderTest.java @@ -914,11 +914,28 @@ public void testHtmlEncodeStrSurrogatePair() public void testHtmlDecodeHexEntititesSurrogatePair() { - HTMLEntityCodec htmlCodec = new HTMLEntityCodec(); + HTMLEntityCodec htmlCodec = new HTMLEntityCodec(); String expected = new String (new int[]{0x2f804}, 0, 1); assertEquals( expected, htmlCodec.decode("你") ); assertEquals( expected, htmlCodec.decode("你") ); } + public void testUnicodeCanonicalize() { + Encoder e = ESAPI.encoder(); + String input = "测试"; + String expected = "测试"; + String output = e.canonicalize(input); + assertEquals(expected, output); + } + + public void testUnicodeCanonicalizePercentEncoding() { + //TODO: We need to find a way to specify the encoding type for percent encoding. + //I believe by default we're doing Latin-1 and we really should be doing UTF-8 + Encoder e = ESAPI.encoder(); + String input = "%E6%B5%8B%E8%AF%95"; + String expected = "测试"; + String output = e.canonicalize(input); + assertNotSame(expected, output); + } }
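Review bot: `assertNotSame(expected, output);` in testUnicodeCanonicalizePercentEncoding compares object identity, and two distinct String instances are never the same reference, so the assertion passes whatever `canonicalize` returns and the test does not pin the Latin-1-versus-UTF-8 behaviour the TODO describes. If the file is JUnit 3 style like the other tests in this series (I cannot see EncoderTest's imports), use `assertFalse(expected.equals(output));`, or better, assert the exact current output so that the eventual UTF-8 fix flips the test deliberately rather than leaving it green either way. The first change in the hunk, re-indenting `HTMLEntityCodec htmlCodec = new HTMLEntityCodec();`, is whitespace-only noise in an otherwise test-adding commit.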