Using locale-sensitive methods on locale-sensitive data can produce unexpected results when the locale is unspecified. Programming language identifiers, protocol keys, and HTML tags are often specified in a particular locale, usually Locale.ENGLISH. It may even be possible to bypass input filters by changing the default locale, which can alter the behavior of locale-sensitive methods. For example, when a string is converted to uppercase, it may be declared valid; however, changing the string back to lower case during subsequent execution may result in a black-listed string.
...
| Code Block | ||
|---|---|---|
| ||
Locale.setDefault( Locale.ENGLISH);
"title".toUpperCase();
|
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS14-J | medium | probable | medium | P8 | L2 |
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c75c96b21db07d97-414585a2-469d4a69-aa2da041-f24505dc72c4943713d83c41"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | Class | ]]></ac:plain-text-body></ac:structured-macro> |
...