Preparation for ESAPI 2.5.3.0 release

configuration/esapi/ESAPI.properties

@@ -1,7 +1,7 @@
 #
 # OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version
 # 
-# This file is part of the Open Web Application Security Project (OWASP)
+# This file is part of the Open Worldwide Application Security Project (OWASP)
 # Enterprise Security API (ESAPI) project. For details, please see
 # https://owasp.org/www-project-enterprise-security-api/
 #
@@ -275,8 +275,14 @@ Encryptor.PlainText.overwrite=true
 
 Encryptor.HashAlgorithm=SHA-512
 Encryptor.HashIterations=1024
-Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
-Encryptor.DigitalSignatureKeyLength=1024
+
+# Was 'SHA1withDSA', but that won't support 2048 key sizes. Change back for
+# backward compatibility.
+Encryptor.DigitalSignatureAlgorithm=SHA256withDSA
+
+# Was 1024. Change this back if you require backward compatibility.
+Encryptor.DigitalSignatureKeyLength=2048
+# SHA1 is fine as a CSRNG; no need to use anything else.
 Encryptor.RandomAlgorithm=SHA1PRNG
 Encryptor.CharacterEncoding=UTF-8
 

configuration/esapi/antisamy-esapi.xml

@@ -18,6 +18,7 @@ Slashdot allowed tags taken from "Reply" page:
 		<directive name="omitDoctypeDeclaration" value="true"/>
 		<directive name="maxInputSize" value="500000"/>
 		<directive name="embedStyleSheets" value="false"/>
+        <directive name="noopenerAndNoreferrerAnchors" value="true" />
 	</directives>
 
 

src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java

@@ -1076,7 +1076,7 @@ public String getDigitalSignatureAlgorithm() {
      * {@inheritDoc}
      */
     public int getDigitalSignatureKeyLength() {
-        return getESAPIProperty(DIGITAL_SIGNATURE_KEY_LENGTH, 1024);
+        return getESAPIProperty(DIGITAL_SIGNATURE_KEY_LENGTH, 2048);
     }
 
     /**

src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java

@@ -106,9 +106,9 @@ public static Encryptor getInstance() throws EncryptionException {
     // digital signatures
     private static PrivateKey privateKey = null;
     private static PublicKey publicKey = null;
-    private static String signatureAlgorithm = "SHA1withDSA";
-    private static String randomAlgorithm = "SHA1PRNG";
-    private static int signatureKeyLength = 1024;
+    private static String signatureAlgorithm = "SHA256withDSA";
+    private static String randomAlgorithm = "SHA1PRNG";     // SHA1 is fine as a CSRNG.
+    private static int signatureKeyLength = 2048;
 
     // hashing
     private static String hashAlgorithm = "SHA-512";

src/test/resources/esapi/ESAPI.properties

@@ -31,7 +31,7 @@
 #
 #############################################################################
 # 
-# This file is part of the Open Web Application Security Project (OWASP)
+# This file is part of the Open Worldwide Application Security Project (OWASP)
 # Enterprise Security API (ESAPI) project. For details, please see
 # https://owasp.org/www-project-enterprise-security-api/
 #
@@ -318,10 +318,17 @@ Encryptor.PlainText.overwrite=true
 
 Encryptor.HashAlgorithm=SHA-512
 Encryptor.HashIterations=1024
-Encryptor.DigitalSignatureAlgorithm=SHA1withDSA
-Encryptor.DigitalSignatureKeyLength=1024
+
+# Was 'SHA1withDSA', but that won't support 2048 key sizes. Change back for
+# backward compatibility.
+Encryptor.DigitalSignatureAlgorithm=SHA256withDSA
+
+# Was 1024. Change this back if you require backward compatibility.
+Encryptor.DigitalSignatureKeyLength=2048
+# SHA1 is fine as a CSRNG; no need to use anything else.
 Encryptor.RandomAlgorithm=SHA1PRNG
 Encryptor.CharacterEncoding=UTF-8
+
 # Currently supported choices for JDK 1.5 and 1.6 are:
 #	HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and
 #	HmacSHA512 (512 bits).

src/test/resources/esapi/antisamy-esapi.xml

@@ -18,6 +18,7 @@ Slashdot allowed tags taken from "Reply" page:
 		<directive name="omitDoctypeDeclaration" value="true"/>
 		<directive name="maxInputSize" value="500000"/>
 		<directive name="embedStyleSheets" value="false"/>
+        <directive name="noopenerAndNoreferrerAnchors" value="true" />
 	</directives>