Fix Typos in documentation and comments (#852)

* Update README.md

rephrase warning message in README.md

* EncodingPatternPreservation: fix typo

* AbstractCodec: fix typo

* AbstractCodec: there is no such thing as a footgun usage

* AbstractPushbackSequence: fix typo. see https://languagetool.org/insights/post/regard/

* Base64: fix typo

* HashTrie: fix typo

* HashTrie: fix typo

* HTMLEntityCodec: fix typo

* MySQLCodec: fix typo

* MySQLCodec: fix typo

* PushBackSequenceImpl: fix typo

* PushbackString: fix typo

* EsapiConfiguration: fix typo

* AbstractPrioritizedPropertyLoader: fix typo

* AbstractPrioritizedPropertyLoader: fix grammar

* CipherText: fix typo

* CipherTextSerializer: fix typo

* CryptoHelper: fix typo

* CryptoHelper: fix typo

* CryptoHelper: fix grammar

* CryptoToken: fix typo

* CryptoToken: fix typo

* PlainText: fix typo

* RequestRateThrottleFilter: fix typo

* SecurityWrapperRequest: fix typo

* CompositeLogScrubber: fix typo

* JavaLogBridge: fix typo

* Authenticator: fix typo

* Encoder: fix typo

* Encryptor: untangle unclear sentence

* ESAPI: fix typo

* HTTPUtilities: fix typo

* HTTPUtilities: fix typo

* Logger: fix typo

* Logger: fix typo

* SecurityConfiguration: fix typo

* StringUtilities: correct javadoc

* User: fix typo

* Validator: fix typo

* Validator: fix typo

* CollectionsUtil: fix typo

* ObjFactory: fix typo

* EncodeForBase64Tag: fix typo

* EncodeForCSSTag: fix typo

* EncodeForHTMLAttributeTag: fix typo

* EncodeForHTMLTag: fix typo

* EncodeForJavaScriptTag: fix typo

* EncodeForURLTag: fix typo

* EncodeForVBScriptTag: fix typo

* EncodeForXMLAttributeTag: fix typo

* EncodeForXMLTag: fix typo

* EncodeForXPathTag: fix typo

* AbstractAccessReferenceMap: fix typo

* StringUtilities: replaceNull: rephrase javadoc using @code

* Encryptor: decrypt: fix typo, use expression from before f5e138c

* User: setLastFailedLoginTime: use "authenticate" instead of "log in"

Author: DarioViva42

README.md

@@ -17,7 +17,7 @@ OWASP® ESAPI (The OWASP Enterprise Security API) is a free, open source, web ap
 # Jakarta EE Support
 **IMPORTANT:**
 ESAPI has supported the Jakarta Servlet API (i.e., **jakarta.servlet.api**) since release
-2.5.3.0.  (Unfortunately, we were just forgot to note that in this **README** file. Duh!)
+2.5.3.0.  (Unfortunately, this information was previously missing in this **README** file.)
 
 Therefore, for release 2.5.3.0 and later versions of ESAPI, ESAPI ought to be able to support Spring Boot 3, Spring 6, Tomcat 10,
 and other applications or libraries requiring Jarkata EE. (If you find a case where it does

src/main/java/org/owasp/esapi/Authenticator.java

@@ -148,7 +148,7 @@ public interface Authenticator {
      * <p>
      * <b>WARNING:</b> The implementation of this method as defined in the
      * default reference implementation class, {@code FileBasedAuthenticator},
-     * uses a password hash algorthim that is known to be weak. You are advised
+     * uses a password hash algorithm that is known to be weak. You are advised
      * to replace the default reference implementation class with your own custom
      * implementation that uses a stronger password hashing algorithm.
      * See class comments in * {@code FileBasedAuthenticator} for further details.

src/main/java/org/owasp/esapi/ESAPI.java

@@ -93,7 +93,7 @@ public static Authenticator authenticator() {
     }
 
     /**
-     * The ESAPI Encoder is primarilly used to provide <i>output</i> encoding to
+     * The ESAPI Encoder is primarily used to provide <i>output</i> encoding to
      * prevent Cross-Site Scripting (XSS).
      * @return the current ESAPI Encoder object being used to encode and decode data for this application.
      */

src/main/java/org/owasp/esapi/Encoder.java

@@ -519,7 +519,7 @@ public interface Encoder {
      *
      * NB: The reference implementation encodes almost everything and may over-encode.
      *
-     * The difficulty with XPath encoding is that XPath has no built in mechanism for escaping
+     * The difficulty with XPath encoding is that XPath has no built-in mechanism for escaping
      * characters. It is possible to use XQuery in a parameterized way to
      * prevent injection.
      *

src/main/java/org/owasp/esapi/Encryptor.java

@@ -162,8 +162,8 @@ CipherText encrypt(SecretKey key, PlainText plaintext)
      * </p>
      * @param ciphertext The {@code CipherText} object to be decrypted.
      * @return The {@code PlainText} object resulting from decrypting the specified
-     *            ciphertext. Note that it it is desired to convert the returned
-     *            plaintext byte array to a Java String is should be done using
+     *            ciphertext. Note that if it is desired to convert the returned
+     *            plaintext byte array to a Java String it should be done using
      *            {@code new String(byte[], "UTF-8");} rather than simply using
      *            {@code new String(byte[]);} which uses native encoding and may
      *            not be portable across hardware and/or OS platforms.
@@ -186,8 +186,8 @@ CipherText encrypt(SecretKey key, PlainText plaintext)
      * @param key        The {@code SecretKey} to use for encrypting the plaintext.
      * @param ciphertext The {@code CipherText} object to be decrypted.
      * @return The {@code PlainText} object resulting from decrypting the specified
-     *            ciphertext. Note that it it is desired to convert the returned
-     *            plaintext byte array to a Java String is should be done using
+     *            ciphertext. Note that if it is desired to convert the returned
+     *            plaintext byte array to a Java String it should be done using
      *            {@code new String(byte[], "UTF-8");} rather than simply using
      *            {@code new String(byte[]);} which uses native encoding and may
      *            not be portable across hardware and/or OS platforms.

src/main/java/org/owasp/esapi/HTTPUtilities.java

@@ -377,7 +377,7 @@ public interface HTTPUtilities
      * everything to keey your application and environment secure. Some of the more obvious omissions are the
      * absence of examining the actual file content to determine the actual file type or running some AV scan
      * on the uploaded files. You have to add that functionality to you if you want or need that. Some
-     * reasource that you may find usefule are:
+     * resource that you may find useful are:
      * <ul>
      *   <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html">OWASP File Upload Cheat Sheet</a></li>
      *   <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html">OWASP Denial of Service Cheat Sheet</a></li>

src/main/java/org/owasp/esapi/Logger.java

@@ -89,9 +89,9 @@
  * the basis for its logging implementation. Both provided implementations implement requirements #1 through #5 above.
  * </p><p>
  * <i>Customization</i>: It is expected that most organizations may wish to implement their own custom {@code Logger} class in
- * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI feference implementations
+ * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI reference implementations
  * can serve as a useful starting point to intended to provide a simple functional example of an implementation, but
- * they are also largely usuable out-of-the-box with some additional minimal log configuration.
+ * they are also largely usable out-of-the-box with some additional minimal log configuration.
  *
  * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
  * href="http://www.aspectsecurity.com">Aspect Security</a>

src/main/java/org/owasp/esapi/SecurityConfiguration.java

@@ -179,7 +179,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
      * considered the <i>default</i> key size that ESAPI will use for symmetric
      * ciphers supporting multiple key sizes. (Note that there is also an <b>Encryptor.MinEncryptionKeyLength</b>,
      * which is the <i>minimum</i> key size (in bits) that ESAPI will support
-     * for encryption. (There is no miminimum for decryption.)
+     * for encryption. (There is no minimum for decryption.)
      *
      * @return the key length (in bits)
      * @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

src/main/java/org/owasp/esapi/StringUtilities.java

@@ -90,7 +90,7 @@ public static boolean contains(StringBuilder input, char c) {
     }
 
     /**
-     * Returns the replace value if the value of test is null, "null", or ""
+     * Returns {@code replace} if {@code test} is null, "null" (case-insensitive), or blank, otherwise {@code test}
      *
      * @param test The value to test
      * @param replace The replacement value

src/main/java/org/owasp/esapi/User.java

@@ -380,7 +380,7 @@ public interface User extends Principal, Serializable {
     /**
      * Set the time of the last failed login for this user.
      *
-     * @param lastFailedLoginTime the date and time when the user just failed to login correctly.
+     * @param lastFailedLoginTime the date and time when the user just failed to authenticate correctly.
      */
     void setLastFailedLoginTime(Date lastFailedLoginTime);
 

src/main/java/org/owasp/esapi/Validator.java

@@ -384,10 +384,10 @@ public interface Validator {
     boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException;
 
     /**
-     * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that
+     * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that
      * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting
      * returned value may omit input that is considered dangerous and cannot be safely sanitized and other input
-     * that gets HTML encoded (e.g., a single quote (') might get chaged to """).
+     * that gets HTML encoded (e.g., a single quote (') might get changed to """).
      * <p>
      * The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file
      * (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your
@@ -414,10 +414,10 @@ public interface Validator {
     String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws ValidationException, IntrusionException;
 
     /**
-     * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that
+     * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that
      * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting
      * returned value may omit input that is considered dangerous and cannot be safely sanitized and other input
-     * that gets HTML encoded (e.g., a single quote (') might get chaged to "&quot;").
+     * that gets HTML encoded (e.g., a single quote (') might get changed to "&quot;").
      * <p>
      * The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file
      * (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your

src/main/java/org/owasp/esapi/codecs/AbstractCodec.java

@@ -25,7 +25,7 @@
  * <p>
  * Be sure to see the several <b>WARNING</b>s associated with the detailed
  * method descriptions. You will not find that in the "Method Summary" section
- * of the javadoc because that only shows the intial sentence.
+ * of the javadoc because that only shows the initial sentence.
  *
  * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
  *         href="http://www.aspectsecurity.com">Aspect Security</a>
@@ -96,7 +96,7 @@ public String encodeCharacter( char[] immune, Character c ) {
 
 
     /**
-     * To prevent accidental footgun usage and calling
+     * To prevent accidental usage and calling
      * {@link #encodeCharacter( char[], int)} when called with {@code char} and
      * {@code char} is first silently converted to {@code int} and then the
      * unexpected method is called.

src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java

@@ -19,7 +19,7 @@
 
 /**
  * This Abstract class provides the generic logic for using a {@link PushbackSequence}
- * in regards to iterating strings.  The final Impl is intended for the user to supply
+ * in regard to iterating strings.  The final Impl is intended for the user to supply
  * a type T such that the pushback interface can be utilized for sequences
  * of type T.  Presently this generic class is limited by the fact that
  * input is a String.

src/main/java/org/owasp/esapi/codecs/Base64.java

@@ -72,7 +72,7 @@
  *   Added the ability to "suspend" encoding in the Output Stream so
  *   you can turn on and off the encoding if you need to embed base64
  *   data in an otherwise "normal" stream (like an XML file).</li>
- *  <li>v1.5 - Output stream pases on flush() command but doesn't do anything itself.
+ *  <li>v1.5 - Output stream passes on flush() command but doesn't do anything itself.
  *      This helps when using GZIP streams.
  *      Added the ability to GZip-compress objects before encoding them.</li>
  *  <li>v1.4 - Added helper methods to read/write files.</li>

src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java

@@ -119,7 +119,7 @@ public String encodeCharacter( char[] immune, int codePoint ) {
      * Returns the decoded version of the character starting at index, or
      * null if no decoding is possible.
      *
-     * Formats all are legal both with and without semi-colon, upper/lower case:
+     * Formats all are legal both with and without semicolon, upper/lower case:
      *   &#dddd;
      *   &#xhhhh;
      *   &name;
@@ -198,7 +198,7 @@ private Integer parseNumber( PushbackSequence<Integer> input ) {
                 sb.appendCodePoint( c );
                 input.next();
 
-            // if character is a semi-colon, eat it and quit
+            // if character is a semicolon, eat it and quit
             } else if (c == ';' ) {
                 input.next();
                 break;
@@ -239,7 +239,7 @@ private Integer parseHex( PushbackSequence<Integer> input ) {
                 sb.appendCodePoint( c );
                 input.next();
 
-            // if character is a semi-colon, eat it and quit
+            // if character is a semicolon, eat it and quit
             } else if (c == ';' ) {
                 input.next();
                 break;
@@ -312,7 +312,7 @@ private Integer getNamedEntity( PushbackSequence<Integer> input ) {
         for(int i=0;i<len;i++)
             input.next();
 
-        // check for a trailing semicolen
+        // check for a trailing semicolon
         if(input.peek(Integer.valueOf(';')))
             input.next();
 

src/main/java/org/owasp/esapi/codecs/HashTrie.java

@@ -396,7 +396,7 @@ public HashTrie()
     }
 
     /**
-     * Get the key value entry who's key is the longest prefix match.
+     * Get the key value entry whose key is the longest prefix match.
      * @param key The key to lookup
      * @return Entry with the longest matching key.
      */
@@ -408,7 +408,7 @@ public Map.Entry<CharSequence,T> getLongestMatch(CharSequence key)
     }
 
     /**
-     * Get the key value entry who's key is the longest prefix match.
+     * Get the key value entry whose key is the longest prefix match.
      * @param keyIn Pushback reader to read the key from. This should
      * have a buffer at least as large as {@link #getMaxKeyLength()}
      * or an IOException may be thrown backing up.
@@ -549,7 +549,7 @@ public T get(Object key)
 
     /**
      * Get the number of entries.
-     * @return the number or entries.
+     * @return the number of entries.
      */
     public int size()
     {

src/main/java/org/owasp/esapi/codecs/MySQLCodec.java

@@ -63,7 +63,7 @@ public class MySQLCodec extends AbstractCharacterCodec {
      * please see the Manual at
      * @link http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html#sqlmode_ansi
      *
-     * Currently the only supported modes are:
+     * Currently, the only supported modes are:
      * ANSI
      * STANDARD
      */
@@ -195,7 +195,7 @@ private String encodeCharacterMySQL( Character c ) {
      * Returns the decoded version of the character starting at index, or
      * null if no decoding is possible.
      *
-     * Formats all are legal (case sensitive)
+     * Formats all are legal (case-sensitive)
      *   In ANSI_MODE '' decodes to '
      *   In MYSQL_MODE \x decodes to x (or a small list of specials)
      */

src/main/java/org/owasp/esapi/codecs/PushBackSequenceImpl.java

@@ -60,9 +60,9 @@ public Integer nextOctal() {
     }
 
       /**
-      * Returns true if the parameter character is a hexidecimal digit 0 through 9, a through f, or A through F.
+      * Returns true if the parameter character is a hexadecimal digit 0 through 9, a through f, or A through F.
       * @param c
-      * @return true if it is a hexidecimal digit, false otherwise.
+      * @return true if it is a hexadecimal digit, false otherwise.
       */
      public static boolean isHexDigit( Integer c ) {
         if ( c == null ) return false;

src/main/java/org/owasp/esapi/codecs/PushbackString.java

@@ -124,11 +124,11 @@ public Character nextOctal() {
     }
 
     /**
-     * Returns true if the parameter character is a hexidecimal digit 0 through
+     * Returns true if the parameter character is a hexadecimal digit 0 through
      * 9, a through f, or A through F.
      *
      * @param c
-      * @return true if it is a hexidecimal digit, false otherwise.
+      * @return true if it is a hexadecimal digit, false otherwise.
      */
     public static boolean isHexDigit(Character c) {
         if (c == null){

src/main/java/org/owasp/esapi/codecs/ref/EncodingPatternPreservation.java

@@ -89,7 +89,7 @@ public String restoreOriginalContent(String input) {
     /**
      * Allows the marker used as a replacement to be altered.
      *
-     * @param marker String replacment to use for regex matches.
+     * @param marker String replacement to use for regex matches.
      */
     public void setReplacementMarker(String marker) {
         if (!replacedContentList.isEmpty()) {

src/main/java/org/owasp/esapi/configuration/AbstractPrioritizedPropertyLoader.java

@@ -7,7 +7,7 @@
 import java.util.Properties;
 
 /**
- * Abstrace class that supports two "levels" of priorities for ESAPI properties.
+ * Abstract class that supports two "levels" of priorities for ESAPI properties.
  * The higher level is the property file supported by an "operations" team and
  * the lower level is the property file intended to be supported by the
  * "development" team. ESAPI properties defined in the lower level properties
@@ -42,7 +42,7 @@ public AbstractPrioritizedPropertyLoader(String filename, int priority) throws I
 
     /**
      * Get priority of this property loader. If two and more loaders can return value for the same property key,
-     * the one with highest priority will be chosen.
+     * the one with the highest priority will be chosen.
      * @return priority of this property loader
      */
     public int priority() {

src/main/java/org/owasp/esapi/configuration/consts/EsapiConfiguration.java

@@ -16,7 +16,7 @@ public enum EsapiConfiguration {
     String configName;
 
     /**
-     * Priority of configuration (higher numer - higher priority).
+     * Priority of configuration (higher number - higher priority).
      */
     int priority;
 

src/main/java/org/owasp/esapi/crypto/CipherText.java

@@ -494,7 +494,7 @@ public boolean validateMAC(SecretKey authKey) {
     /**
      * Return this {@code CipherText} object as a portable (i.e., network byte
      * ordered) serialized byte array. Note this is <b>not</b> the same as
-     * returning a serialized object using Java serialization. Instead this
+     * returning a serialized object using Java serialization. Instead, this
      * is a representation that all ESAPI implementations will use to pass
      * ciphertext between different programming language implementations.
      *

src/main/java/org/owasp/esapi/crypto/CipherTextSerializer.java

@@ -26,7 +26,7 @@
  * and do not have extensive support for the various implementation languages which ESAPI
  * supports. (Perhaps wishful thinking that other ESAPI implementations such as
  * ESAPI for .NET, ESAPI for C, ESAPI for C++, etc. will all support a single, common
- * serialization technique so they could exchange encrypted data.)
+ * serialization technique, so they could exchange encrypted data.)
  *
  * @author [email protected]
  * @since 2.0
@@ -207,7 +207,7 @@ private byte[] computeSerialization(int kdfInfo, long timestamp,
 
     // All strings are written as UTF-8 encoded byte streams with the
     // length prepended before it as a short. The prepended length is
-    // more for the benefit of languages like C so they can pre-allocate
+    // more for the benefit of languages like C, so they can pre-allocate
     // char arrays without worrying about buffer overflows.
     private void writeString(ByteArrayOutputStream baos, String str) {
         byte[] bytes;
@@ -405,7 +405,7 @@ private CipherText convertToCipherText(byte[] cipherTextSerializedBytes)
                 // Fixed in ESAPI crypto version 20130839. Previously is didn't really matter
                 // because there was only one version (20110203) and it defaulted to that
                 // version, which was the current version. But we don't want that as now there
-                // are two versions and we could be decrypting data encrypted using the previous
+                // are two versions, and we could be decrypting data encrypted using the previous
                 // version.
             ct.setKDF_PRF(kdfPrf);
             ct.setKDFVersion(kdfVers);