Some of this appears to have been already covered in PR #663

pom.xml

@@ -237,7 +237,7 @@
         <dependency>
             <groupId>org.owasp.antisamy</groupId>
             <artifactId>antisamy</artifactId>
-            <version>1.6.5</version>
+            <version>1.6.6</version>
             <exclusions>
                 <!-- excluded because we pick up much newer version -->
                 <exclusion>

src/main/java/org/owasp/esapi/reference/AbstractAuthenticator.java

@@ -114,7 +114,8 @@ protected User getUserFromSession() {
      */
     protected DefaultUser getUserFromRememberToken() {
         try {
-            String token = ESAPI.httpUtilities().getCookie(ESAPI.currentRequest(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME);
+        	HTTPUtilities utils =ESAPI.httpUtilities();
+            String token = utils.getCookie(ESAPI.currentRequest(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME);
             if (token == null) return null;
 
             // See Google Issue 144 regarding first URLDecode the token and THEN unsealing.

src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java

@@ -235,11 +235,12 @@ public void addHeader(String name, String value) {
 	 * {@inheritDoc}
      */
     public void addHeader(HttpServletResponse response, String name, String value) {
+    	SecurityConfiguration sc = ESAPI.securityConfiguration();
         try {
             String strippedName = StringUtilities.replaceLinearWhiteSpace(name);
             String strippedValue = StringUtilities.replaceLinearWhiteSpace(value);
-            String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", 20, false);
-            String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", 500, false);
+            String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", sc.getIntProp("HttpUtilities.MaxHeaderNameSize"), false);
+            String safeValue = ESAPI.validator().getValidInput("addHeader", strippedValue, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
             response.addHeader(safeName, safeValue);
         } catch (ValidationException e) {
             logger.warning(Logger.SECURITY_FAILURE, "Attempt to add invalid header denied", e);
@@ -464,9 +465,10 @@ public void encryptStateInCookie( Map<String,String> cleartext ) throws Encrypti
 	 */
 	public String getCookie( HttpServletRequest request, String name ) throws ValidationException {
         Cookie c = getFirstCookie( request, name );
+        SecurityConfiguration sc = ESAPI.securityConfiguration();
         if ( c == null ) return null;
 		String value = c.getValue();
-		return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", 1000, false);
+		return ESAPI.validator().getValidInput("HTTP cookie value: " + value, value, "HTTPCookieValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
 	}
 
 	/**
@@ -656,8 +658,9 @@ private Cookie getFirstCookie(HttpServletRequest request, String name) {
 	 * {@inheritDoc}
 	 */
 	public String getHeader( HttpServletRequest request, String name ) throws ValidationException {
+		SecurityConfiguration sc = ESAPI.securityConfiguration();
         String value = request.getHeader(name);
-        return ESAPI.validator().getValidInput("HTTP header value: " + value, value, "HTTPHeaderValue", 150, false);
+        return ESAPI.validator().getValidInput("HTTP header value: " + value, value, "HTTPHeaderValue", sc.getIntProp("HttpUtilities.MaxHeaderValueSize"), false);
 	}
 
 

src/test/java/org/owasp/esapi/reference/EncoderTest.java

@@ -212,6 +212,8 @@ public void testCanonicalize() throws EncodingException {
         assertEquals( "<", instance.canonicalize("&lT;"));
         assertEquals( "<", instance.canonicalize("&Lt;"));
         assertEquals( "<", instance.canonicalize("&LT;"));
+        assertEquals( "&", instance.canonicalize("&amp"));
+        assertEquals( "〈", instance.canonicalize("&lang"));
 
         assertEquals( "<script>alert(\"hello\");</script>", instance.canonicalize("%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E") );
         assertEquals( "<script>alert(\"hello\");</script>", instance.canonicalize("%3Cscript&#x3E;alert%28%22hello&#34%29%3B%3C%2Fscript%3E", false) );

src/test/java/org/owasp/esapi/reference/HTTPUtilitiesTest.java

@@ -45,6 +45,7 @@
 import org.owasp.esapi.http.MockHttpServletResponse;
 import org.owasp.esapi.http.MockHttpSession;
 import org.owasp.esapi.util.FileTestUtils;
+import org.owasp.esapi.util.TestUtils;
 
 import junit.framework.Test;
 import junit.framework.TestCase;
@@ -372,6 +373,27 @@ public void testSetCookie() {
 		instance.addCookie( response, new Cookie( "test3", "tes<t3" ) );
 		assertTrue(response.getHeaderNames().size() == 2);
 	}
+
+	/**
+	 * Test of setCookie method, of class org.owasp.esapi.HTTPUtilities.
+	 * Validation failures should prevent cookies being added.  
+	 */
+	public void testSetCookieExceedingMaxValueAndName() {
+		HTTPUtilities instance = ESAPI.httpUtilities(); 
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		assertTrue(response.getHeaderNames().isEmpty());
+		//request.addParameter(TestUtils.generateStringOfLength(32), "pass");
+		instance.addCookie( response, new Cookie( TestUtils.generateStringOfLength(32), "pass" ) );
+		assertTrue(response.getHeaderNames().size() == 1);
+
+		instance.addCookie( response, new Cookie( "pass", TestUtils.generateStringOfLength(32) ) );
+		assertTrue(response.getHeaderNames().size() == 2);
+		instance.addCookie( response, new Cookie( TestUtils.generateStringOfLength(5000), "fail" ) );
+		assertTrue(response.getHeaderNames().size() == 2);
+		instance.addCookie( response, new Cookie( "fail", TestUtils.generateStringOfLength(5001) ) );
+		assertTrue(response.getHeaderNames().size() == 2);
+	}
+
 
 	/**
 	 *

src/test/java/org/owasp/esapi/reference/ValidatorTest.java

@@ -1040,15 +1040,13 @@ public void testHeaderLengthChecks(){
 
     @Test
     public void testGetHeaderNames() {
-//testing Validator.HTTPHeaderName
         MockHttpServletRequest request = new MockHttpServletRequest();
         SecurityWrapperRequest safeRequest = new SecurityWrapperRequest(request);
         request.addHeader("d-49653-p", "pass");
         request.addHeader("<img ", "fail");
             // Note: Max length in ESAPI.properties as per
             // Validator.HTTPHeaderName regex is 256, but upper
             // bound is configurable by the property HttpUtilities.MaxHeaderNameSize
-        SecurityConfiguration sc = ESAPI.securityConfiguration();
         request.addHeader(TestUtils.generateStringOfLength(255), "pass");
         request.addHeader(TestUtils.generateStringOfLength(257), "fail");
         assertEquals(2, Collections.list(safeRequest.getHeaderNames()).size());
@@ -1130,5 +1128,13 @@ public void testavaloqLooseSafeString(){
     	boolean isValid = v.isValidInput("RegexString", "&quot;test&quot;", "avaloqLooseSafeString", 2147483647, true, true);
     	assertFalse(isValid);
     }
+
+    @Test
+    public void testStandardHeader() {
+    	Validator v = ESAPI.validator();
+    	boolean expected = false;
+    	boolean result = v.isValidInput("HTTPHeaderValue ", "[email protected]", "HTTPHeaderValue", 2147483647, true, true);
+    	assertEquals(expected, result);
+    }
 }
 

src/test/java/org/owasp/esapi/reference/validation/HTMLValidationRuleCleanTest.java

@@ -22,6 +22,7 @@
 import org.owasp.esapi.ValidationErrorList;
 import org.owasp.esapi.ValidationRule;
 import org.owasp.esapi.Validator;
+import org.owasp.esapi.errors.IntrusionException;
 import org.owasp.esapi.errors.ValidationException;
 import org.owasp.esapi.filters.SecurityWrapperRequest;
 import org.owasp.esapi.reference.validation.HTMLValidationRule;
@@ -153,4 +154,18 @@ public void testIsValidSafeHTML() {
         assertTrue(errors.size() == 0);
 
     }
+
+    @Test
+    public void testAntiSamyRegressions() throws IntrusionException, ValidationException {
+        System.out.println("isValidSafeHTML");
+        Validator instance = ESAPI.validator();
+        ValidationErrorList errors = new ValidationErrorList();
+		assertTrue(instance.isValidSafeHTML("test7", "<style/>b<![cdata[</style><a href=javascript:alert(1)>test", 100, false, errors));
+		String input = "<style/>b<![cdata[</style><a href=javascript:alert(1)>test";
+		String expected = "b&lt;/style&gt;&lt;a href=javascript:alert(1)&gt;test";
+		String output = instance.getValidSafeHTML("javascript Link", input, 250, false);
+		assertEquals(expected, output);
+		assertTrue(errors.size() == 0);
+
+    }
 }