Encoding your data before processing
ESAPI (the OWASP Enterprise Security API, from the Open Web Application Security Project) is a free, open-source web application security control library that makes it easier to write lower-risk applications. Use this standard library to encode your output.
The following examples show how to encode data for some of the most common types of output:
- HTML element content:
  String safe = ESAPI.encoder().encodeForHTML(request.getParameter("input"));
- HTML attribute values such as width, name, or value:
  String safe = ESAPI.encoder().encodeForHTMLAttribute(request.getParameter("input"));
- URL parameter values:
  String safe = ESAPI.encoder().encodeForURL(request.getParameter("input"));
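To make it concrete why each output context needs its own encoder, here is an added JavaScript example. It is not ESAPI's code and does not appear on this page; it follows the same allowlist idea ESAPI uses (every character outside a small immune set is entity- or percent-encoded, with the immune set chosen per context). The immune sets, the numeric-entity form and the renderProfileLink function are choices made here for illustration; ESAPI's real encoders also emit named entities and cover more cases.

```javascript
// Added example (not ESAPI code): context-specific output encoders built on an
// allowlist, plus a render function that applies the right one per context.

const ALPHANUM = /^[A-Za-z0-9]$/;

// Encode every character outside the immune set as a numeric (hex) entity.
function entityEncode(input, immune) {
  let out = '';
  for (const ch of String(input)) {
    if (ALPHANUM.test(ch) || immune.includes(ch)) {
      out += ch;
    } else {
      out += '&#x' + ch.codePointAt(0).toString(16) + ';';
    }
  }
  return out;
}

// HTML element content: a space cannot change parsing here, so it is left alone.
function encodeForHTML(input) {
  return entityEncode(input, [',', '.', '-', '_', ' ']);
}

// HTML attribute value: space is encoded too, so an unquoted attribute
// cannot be terminated early by the untrusted value.
function encodeForHTMLAttribute(input) {
  return entityEncode(input, [',', '.', '-', '_']);
}

// URL parameter value: percent-encode every UTF-8 byte outside the unreserved set.
function encodeForURL(input) {
  const bytes = new TextEncoder().encode(String(input));
  let out = '';
  for (const b of bytes) {
    const ch = String.fromCharCode(b);
    if (/[A-Za-z0-9\-._~]/.test(ch)) {
      out += ch;
    } else {
      out += '%' + b.toString(16).toUpperCase().padStart(2, '0');
    }
  }
  return out;
}

// The same untrusted value placed into three contexts, each with its own encoder.
function renderProfileLink(userInput) {
  return '<a href="/search?q=' + encodeForURL(userInput) + '"' +
         ' title=' + encodeForHTMLAttribute(userInput) + '>' +
         encodeForHTML(userInput) + '</a>';
}
```

Note that encodeForHTML applied to an attribute would leave the space in `x onmouseover=` untouched, which is exactly why the attribute encoder has the smaller immune set.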
Adding callback and widget.js code to your webpages
To load the Amazon Pay button asynchronously:
- In the header of the page, set your clientId in the onAmazonLoginReady callback.
- Add the Widgets.js script tag, with the async attribute, below the window.onAmazonPaymentsReady function.
To prevent timing issues, the script tags need to be positioned in the order listed above.
The code sample below shows how to load the Amazon Pay button asynchronously:
The example above is for the sandbox environment. When you move your code to production, be sure to change the URL accordingly.
- Load Widgets.js only once, and give the <script> tag that loads it the async attribute.
For more information about the script tag async attribute, see the Mozilla Developer Network Script Tag Summary.
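The following added example is not Amazon's sample code (which does not appear on this page). It shows the ordering the steps above require: both callbacks are assigned first, then Widgets.js is appended exactly once with the async attribute. The Widgets.js URL is a placeholder to be replaced with the sandbox or production URL from the Amazon Pay documentation; the amazon.Login.setClientId and OffAmazonPayments names are assumed from the Amazon Pay widget API; and makeFakeDocument is a constructed stand-in for the browser DOM so the loader logic can be exercised outside a page.

```javascript
// Added example, not Amazon's sample code. Loads the Amazon Pay button
// asynchronously in the order the text requires: callbacks first, script tag last.

// Placeholder: use the sandbox or production Widgets.js URL from the Amazon Pay docs.
const WIDGETS_JS_URL = 'https://REPLACE-WITH-AMAZON-PAY-WIDGETS-URL/Widgets.js';
const SCRIPT_ID = 'amazon-pay-widgets-js';

// win and doc are the browser window and document (or stand-ins in tests).
function loadAmazonPayButton(win, doc, { clientId, sellerId, widgetsUrl = WIDGETS_JS_URL, onReady }) {
  // 1. Widgets.js calls these as soon as it runs, so they must exist before the tag is added.
  win.onAmazonLoginReady = function () {
    // amazon.Login.setClientId is assumed from the Amazon Pay widget API.
    win.amazon.Login.setClientId(clientId);
  };
  win.onAmazonPaymentsReady = function () {
    // OffAmazonPayments is the global Widgets.js defines (assumed); render the button here.
    onReady(win.OffAmazonPayments, sellerId);
  };

  // 2. Load Widgets.js only once, with the async attribute.
  if (doc.getElementById(SCRIPT_ID)) {
    return false; // already loading or loaded; do not add a second tag
  }
  const script = doc.createElement('script');
  script.id = SCRIPT_ID;
  script.async = true;
  script.src = widgetsUrl;
  doc.head.appendChild(script);
  return true;
}

// Constructed minimal DOM stand-in so the ordering logic can be checked outside a browser.
function makeFakeDocument() {
  const children = [];
  return {
    head: { children, appendChild(el) { children.push(el); } },
    createElement(tagName) { return { tagName }; },
    getElementById(id) { return children.find((el) => el.id === id) || null; },
  };
}

// Stand-alone demonstration with a fake window whose Login object records the client id.
function demo() {
  const doc = makeFakeDocument();
  const win = { amazon: { Login: { clientId: null, setClientId(id) { this.clientId = id; } } } };
  const added = loadAmazonPayButton(win, doc, {
    clientId: 'CLIENT-ID-PLACEHOLDER',
    sellerId: 'SELLER-ID-PLACEHOLDER',
    onReady() {},
  });
  win.onAmazonLoginReady(); // simulate Widgets.js invoking the callback once loaded
  const addedAgain = loadAmazonPayButton(win, doc, { clientId: 'x', sellerId: 'y', onReady() {} });
  return {
    added,                                 // true: tag appended once
    addedAgain,                            // false: second call is a no-op
    scriptCount: doc.head.children.length, // 1
    async: doc.head.children[0].async,     // true
    clientId: win.amazon.Login.clientId,   // value set through onAmazonLoginReady
  };
}
```

In a real page, onReady is where the button is rendered (for example by calling the button constructor Widgets.js exposes on OffAmazonPayments); the guard on SCRIPT_ID is what enforces the "load only once" rule when the same component can be mounted more than once.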