fix some typos and other small refactorings

README.md

@@ -17,7 +17,7 @@ OWASP® ESAPI (The OWASP Enterprise Security API) is a free, open source, web ap
 # Jakarta EE Support
 **IMPORTANT:**
 ESAPI has supported the Jakarta Servlet API (i.e., **jakarta.servlet.api**) since release
-2.5.3.0.  (Unfortunately, we were just forgot to note that in this **README** file. Duh!)
+2.5.3.0.  (Unfortunately, this information was previously missing in this **README** file.)
 
 Therefore, for release 2.5.3.0 and later versions of ESAPI, ESAPI ought to be able to support Spring Boot 3, Spring 6, Tomcat 10,
 and other applications or libraries requiring Jarkata EE. (If you find a case where it does

src/main/java/org/owasp/esapi/Authenticator.java

@@ -148,7 +148,7 @@ public interface Authenticator {
      * <p>
      * <b>WARNING:</b> The implementation of this method as defined in the
      * default reference implementation class, {@code FileBasedAuthenticator},
-     * uses a password hash algorthim that is known to be weak. You are advised
+     * uses a password hash algorithm that is known to be weak. You are advised
      * to replace the default reference implementation class with your own custom
      * implementation that uses a stronger password hashing algorithm.
      * See class comments in * {@code FileBasedAuthenticator} for further details.

src/main/java/org/owasp/esapi/ESAPI.java

@@ -93,7 +93,7 @@ public static Authenticator authenticator() {
     }
 
     /**
-     * The ESAPI Encoder is primarilly used to provide <i>output</i> encoding to
+     * The ESAPI Encoder is primarily used to provide <i>output</i> encoding to
      * prevent Cross-Site Scripting (XSS).
      * @return the current ESAPI Encoder object being used to encode and decode data for this application.
      */

src/main/java/org/owasp/esapi/Encoder.java

@@ -519,7 +519,7 @@ public interface Encoder {
      *
      * NB: The reference implementation encodes almost everything and may over-encode.
      *
-     * The difficulty with XPath encoding is that XPath has no built in mechanism for escaping
+     * The difficulty with XPath encoding is that XPath has no built-in mechanism for escaping
      * characters. It is possible to use XQuery in a parameterized way to
      * prevent injection.
      *

src/main/java/org/owasp/esapi/Encryptor.java

@@ -162,8 +162,8 @@ CipherText encrypt(SecretKey key, PlainText plaintext)
      * </p>
      * @param ciphertext The {@code CipherText} object to be decrypted.
      * @return The {@code PlainText} object resulting from decrypting the specified
-     *            ciphertext. Note that it it is desired to convert the returned
-     *            plaintext byte array to a Java String is should be done using
+     *            ciphertext. Note that the returned plaintext byte array
+     *            should be converted to a Java String using
      *            {@code new String(byte[], "UTF-8");} rather than simply using
      *            {@code new String(byte[]);} which uses native encoding and may
      *            not be portable across hardware and/or OS platforms.
@@ -186,8 +186,8 @@ CipherText encrypt(SecretKey key, PlainText plaintext)
      * @param key        The {@code SecretKey} to use for encrypting the plaintext.
      * @param ciphertext The {@code CipherText} object to be decrypted.
      * @return The {@code PlainText} object resulting from decrypting the specified
-     *            ciphertext. Note that it it is desired to convert the returned
-     *            plaintext byte array to a Java String is should be done using
+     *            ciphertext. Note that the returned plaintext byte array
+     *            should be converted to a Java String using
      *            {@code new String(byte[], "UTF-8");} rather than simply using
      *            {@code new String(byte[]);} which uses native encoding and may
      *            not be portable across hardware and/or OS platforms.

src/main/java/org/owasp/esapi/HTTPUtilities.java

@@ -377,7 +377,7 @@ public interface HTTPUtilities
      * everything to keey your application and environment secure. Some of the more obvious omissions are the
      * absence of examining the actual file content to determine the actual file type or running some AV scan
      * on the uploaded files. You have to add that functionality to you if you want or need that. Some
-     * reasource that you may find usefule are:
+     * resource that you may find useful are:
      * <ul>
      *   <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html">OWASP File Upload Cheat Sheet</a></li>
      *   <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html">OWASP Denial of Service Cheat Sheet</a></li>

src/main/java/org/owasp/esapi/Logger.java

@@ -89,9 +89,9 @@
  * the basis for its logging implementation. Both provided implementations implement requirements #1 through #5 above.
  * </p><p>
  * <i>Customization</i>: It is expected that most organizations may wish to implement their own custom {@code Logger} class in
- * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI feference implementations
+ * order to integrate ESAPI logging with their specific logging infrastructure. The ESAPI reference implementations
  * can serve as a useful starting point to intended to provide a simple functional example of an implementation, but
- * they are also largely usuable out-of-the-box with some additional minimal log configuration.
+ * they are also largely usable out-of-the-box with some additional minimal log configuration.
  *
  * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
  * href="http://www.aspectsecurity.com">Aspect Security</a>

src/main/java/org/owasp/esapi/SafeFile.java

@@ -62,12 +62,12 @@ public SafeFile(URI uri) throws ValidationException {
 
     private void doDirCheck(String path) throws ValidationException {
         Matcher m1 = DIR_BLACKLIST_PAT.matcher( path );
-        if ( null != m1 && m1.find() ) {
+        if ( m1.find() ) {
             throw new ValidationException( "Invalid directory", "Directory path (" + path + ") contains illegal character: " + m1.group() );
         }
 
         Matcher m2 = PERCENTS_PAT.matcher( path );
-        if (null != m2 &&  m2.find() ) {
+        if ( m2.find() ) {
             throw new ValidationException( "Invalid directory", "Directory path (" + path + ") contains encoded characters: " + m2.group() );
         }
 

src/main/java/org/owasp/esapi/SecurityConfiguration.java

@@ -179,7 +179,7 @@ public interface SecurityConfiguration extends EsapiPropertyLoader {
      * considered the <i>default</i> key size that ESAPI will use for symmetric
      * ciphers supporting multiple key sizes. (Note that there is also an <b>Encryptor.MinEncryptionKeyLength</b>,
      * which is the <i>minimum</i> key size (in bits) that ESAPI will support
-     * for encryption. (There is no miminimum for decryption.)
+     * for encryption. (There is no minimum for decryption.)
      *
      * @return the key length (in bits)
      * @deprecated Use SecurityConfiguration.getIntProp("appropriate_esapi_prop_name") instead.

src/main/java/org/owasp/esapi/StringUtilities.java

@@ -90,14 +90,14 @@ public static boolean contains(StringBuilder input, char c) {
     }
 
     /**
-     * Returns the replace value if the value of test is null, "null", or ""
+     * Returns the replace value if the value of test is null, "null" (case-insensitive), or blank
      *
      * @param test The value to test
      * @param replace The replacement value
      * @return The correct value
      */
     public static String replaceNull( String test, String replace ) {
-        return test == null || "null".equalsIgnoreCase( test.trim() ) || "".equals( test.trim() ) ? replace : test;
+        return test == null || "null".equalsIgnoreCase( test.trim() ) || test.trim().isEmpty() ? replace : test;
     }
 
     /**
@@ -185,16 +185,16 @@ public static int getLevenshteinDistance (String s, String t) {
      */
     public static boolean notNullOrEmpty(String str, boolean trim) {
         if ( trim ) {
-            return !( str == null || str.trim().equals("") );
+            return !( str == null || str.trim().isEmpty() );
         } else {
-            return !( str == null || str.equals("") );
+            return !( str == null || str.isEmpty() );
         }
     }
 
     /**
      * Returns true if String is empty ("") or null.
      */
     public static boolean isEmpty(String str) {
-        return str == null || str.length() == 0;
+        return str == null || str.isEmpty();
     }
 }

src/main/java/org/owasp/esapi/User.java

@@ -380,7 +380,7 @@ public interface User extends Principal, Serializable {
     /**
      * Set the time of the last failed login for this user.
      *
-     * @param lastFailedLoginTime the date and time when the user just failed to login correctly.
+     * @param lastFailedLoginTime the date and time when the user just failed to log in correctly.
      */
     void setLastFailedLoginTime(Date lastFailedLoginTime);
 

src/main/java/org/owasp/esapi/Validator.java

@@ -384,10 +384,10 @@ public interface Validator {
     boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException;
 
     /**
-     * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that
+     * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that
      * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting
      * returned value may omit input that is considered dangerous and cannot be safely sanitized and other input
-     * that gets HTML encoded (e.g., a single quote (') might get chaged to """).
+     * that gets HTML encoded (e.g., a single quote (') might get changed to """).
      * <p>
      * The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file
      * (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your
@@ -414,10 +414,10 @@ public interface Validator {
     String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws ValidationException, IntrusionException;
 
     /**
-     * Canonicalize and then sanitize the input so that it is "safe" for renderinger in an HTML context (i.e., that
+     * Canonicalize and then sanitize the input so that it is "safe" for rendering in an HTML context (i.e., that
      * it does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else). Note that the resulting
      * returned value may omit input that is considered dangerous and cannot be safely sanitized and other input
-     * that gets HTML encoded (e.g., a single quote (') might get chaged to "&quot;").
+     * that gets HTML encoded (e.g., a single quote (') might get changed to "&quot;").
      * <p>
      * The default behavior of this check depends on the {@code antisamy-esapi.xml} AntiSamy policy configuration file
      * (or an alternate filename, specified via the "Validator.HtmlValidationConfigurationFile" property in your

src/main/java/org/owasp/esapi/codecs/AbstractCodec.java

@@ -25,7 +25,7 @@
  * <p>
  * Be sure to see the several <b>WARNING</b>s associated with the detailed
  * method descriptions. You will not find that in the "Method Summary" section
- * of the javadoc because that only shows the intial sentence.
+ * of the javadoc because that only shows the initial sentence.
  *
  * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
  *         href="http://www.aspectsecurity.com">Aspect Security</a>
@@ -96,7 +96,7 @@ public String encodeCharacter( char[] immune, Character c ) {
 
 
     /**
-     * To prevent accidental footgun usage and calling
+     * To prevent accidental usage and calling
      * {@link #encodeCharacter( char[], int)} when called with {@code char} and
      * {@code char} is first silently converted to {@code int} and then the
      * unexpected method is called.

src/main/java/org/owasp/esapi/codecs/AbstractPushbackSequence.java

@@ -19,7 +19,7 @@
 
 /**
  * This Abstract class provides the generic logic for using a {@link PushbackSequence}
- * in regards to iterating strings.  The final Impl is intended for the user to supply
+ * in regard to iterating strings.  The final Impl is intended for the user to supply
  * a type T such that the pushback interface can be utilized for sequences
  * of type T.  Presently this generic class is limited by the fact that
  * input is a String.
@@ -61,7 +61,7 @@ public boolean hasNext() {
             return true;
         if (input == null)
             return false;
-        if (input.length() == 0)
+        if (input.isEmpty())
             return false;
         if (index >= input.length())
             return false;