From 7ca560634de61ce3d988e800e77ed88c701b760f Mon Sep 17 00:00:00 2001
From: ThrawnCA
Date: Thu, 5 Feb 2026 15:04:15 +1000
Subject: [PATCH 1/3] gracefully handle null within 'stripControls', #906
---
 src/main/java/org/owasp/esapi/StringUtilities.java | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/main/java/org/owasp/esapi/StringUtilities.java b/src/main/java/org/owasp/esapi/StringUtilities.java
index ef95a91ce..fd93e48c6 100644
--- a/src/main/java/org/owasp/esapi/StringUtilities.java
+++ b/src/main/java/org/owasp/esapi/StringUtilities.java
@@ -39,6 +39,9 @@ public static String replaceLinearWhiteSpace( String input ) {
 * @return the stripped value
 */
 public static String stripControls( String input ) {
+ if ( input == null ) {
+ return null;
+ }
 StringBuilder sb = new StringBuilder();
 for ( int i=0; i
Date: Fri, 6 Feb 2026 10:28:59 +1000
Subject: [PATCH 2/3] add unit tests for 'stripControls' - Check valid string, control characters, empty string, whitespace, and null
---
 .../java/org/owasp/esapi/StringUtilitiesTest.java | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/test/java/org/owasp/esapi/StringUtilitiesTest.java b/src/test/java/org/owasp/esapi/StringUtilitiesTest.java
index c7f29d27a..e868abaf7 100644
--- a/src/test/java/org/owasp/esapi/StringUtilitiesTest.java
+++ b/src/test/java/org/owasp/esapi/StringUtilitiesTest.java
@@ -87,4 +87,15 @@ public void testReplaceNull() {
 assertEquals( " Test ", StringUtilities.replaceNull( " Test ", "Replaced" ) );
 assertEquals( "Replaced", StringUtilities.replaceNull( " NULL ", "Replaced" ) );
 }
+
+ public void testStripControls() {
+ // valid characters are preserved
+ assertEquals( "\u0021abc\u007e", StringUtilities.stripControls( "\u0021abc\u007e" ) );
+ // control characters become spaces
+ assertEquals( " a b c ", StringUtilities.stripControls( "\u0000a\u0020b\u007fc\uffff" ) );
+ // blank strings are preserved
+ assertEquals( "", StringUtilities.stripControls( "" ) );
+ assertEquals( " ", StringUtilities.stripControls( " " ) );
+ assertEquals( null, StringUtilities.stripControls( null ) );
+ }
 }
From e942bc3fb55bd8f52dc1504abec3bf92cbb740ab Mon Sep 17 00:00:00 2001
From: ThrawnCA
Date: Fri, 6 Feb 2026 10:30:00 +1000
Subject: [PATCH 3/3] fix spelling
---
 README.md | 2 +-
 documentation/esapi4java-core-2.5.3.0-release-notes.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 0c31f1de1..9bed118bc 100644
--- a/README.md
+++ b/README.md
@@ -150,7 +150,7 @@ add ```xml jakarta ```
-and include whatever jakara.servlet:jakarta.servlet-api version you are using with
+and include whatever jakarta.servlet:jakarta.servlet-api version you are using with ```xml provided ```
diff --git a/documentation/esapi4java-core-2.5.3.0-release-notes.txt b/documentation/esapi4java-core-2.5.3.0-release-notes.txt
index 953e1e0c5..67eca5b43 100644
--- a/documentation/esapi4java-core-2.5.3.0-release-notes.txt
+++ b/documentation/esapi4java-core-2.5.3.0-release-notes.txt
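Review bot: The last assertion of testStripControls, `assertEquals( null, StringUtilities.stripControls( null ) )`, reads as a comparison of two nulls; `assertNull( StringUtilities.stripControls( null ) );` states the intent directly and gives a clearer failure message. The edges of the printable range are only half pinned: `\u0021` and `\u007e` are checked as preserved and `\u007f` as replaced, but `\u001f`, the last code point below the space, is not covered — adding it to the second input (presumably replaced like `\u0000`, which is what the method's existing behavior suggests but the hunk does not show) would fix both boundaries. The new method follows the JUnit 3 `testXxx` naming of the surrounding class; if the class is in fact run under JUnit 4 it would also need `@Test`, which cannot be confirmed from the hunk since the existing methods' annotations are outside it. The null-in/null-out contract this test pins is not stated in stripControls' Javadoc, whose visible context in the first patch still reads `* @return the stripped value`; appending `, or {@code null} if {@code input} is {@code null}` there keeps the documentation in step with the new guard.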
@@ -16,7 +16,7 @@ This is a patch release with the primary intent of providing a Jakarta compatibl Encryptor.DigitalSignatureAlgorithm=SHA256withDSA # The old SHA1withDSA doesn't support 2048-bit RSA modulus length Encryptor.DigitalSignatureKeyLength=2048 Note that if you have persisted previous digital signatures that you must continue to verify, you will have to regenerate them. -* Thanks to a PR by @jcputney (PR #799), I have attempted to upload additional artifacts to Maven Central that will be a transformed jar suitable for use with the new 'jakarata.servlet' changes for Jakarata EE 9 and later. (Previously, 'javax.servlet' was the name space). Because we are still supporting JDK 8 at this point, we still need to support the 'javax.servlet' namespace as well. In addition to the standard jar artifacts, there should be a new esapi--jakarta.jar (which uses 'jakarta.servlet' instead of 'javax.servlet' namespace) as well as corresponding *-javadoc.jar and *-sources.jar files. I am not sure it will work as we have no tests for it, but looing at the binaries, it seems like it should. +* Thanks to a PR by @jcputney (PR #799), I have attempted to upload additional artifacts to Maven Central that will be a transformed jar suitable for use with the new 'jakarta.servlet' changes for Jakarta EE 9 and later. (Previously, 'javax.servlet' was the name space). Because we are still supporting JDK 8 at this point, we still need to support the 'javax.servlet' namespace as well. In addition to the standard jar artifacts, there should be a new esapi--jakarta.jar (which uses 'jakarta.servlet' instead of 'javax.servlet' namespace) as well as corresponding *-javadoc.jar and *-sources.jar files. I am not sure it will work as we have no tests for it, but looing at the binaries, it seems like it should. For additional details, see: https://github.com/ESAPI/esapi-java-legacy/pull/799 https://github.com/ESAPI/esapi-java-legacy/discussions/768