SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 26

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 27

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot (vkp) v1.0

...

Wiki Markup
This compliant solution defines a {{ValidateOutput}} class that normalizes the output to a known character set, performs output validation using a white-list and encodes any non-specified data values to enforce a double checking mechanism. Different fields may require different white-listing patterns \[[OWASP 2008|AA. Java References#OWASPBibliography#OWASP 08]\].

Code Block
bgColor#ccccff
public class ValidateOutput {
  // Allows only alphanumeric characters and spaces
  private Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");

  // Validates and encodes the input field based on a whitelist
  private String validate(String name, String input) throws ValidationException {
    String canonical = normalize(input);

    if(!pattern.matcher(canonical).matches()) {
      throw new ValidationException("Improper format in " + name + " field");
    }
    
    // Performs output encoding for non valid characters 
    canonical = HTMLEntityEncode(canonical);
    return canonical;
  }

  // Normalizes to known instances 	
  private String normalize(String input) {
    String canonical = java.text.Normalizer.normalize(input, Normalizer.Form.NFKC);
    return canonical;
  }

  // Encodes non valid data
  public static String HTMLEntityEncode(String input) {
    StringBuffer sb = new StringBuffer();

    for (int i = 0; i < input.length(); i++) {
      char ch = input.charAt(i);
        if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
          sb.append(ch);
        } else {
          sb.append("&#" + (int)ch + ";");
        }
    }
    return sb.toString();
  }

  // description and input are String variables containing values obtained from a database
  // description = "description" and input = "2 items available"
  public static void display(String description, String input) throws ValidationException {
    ValidateOutput vo = new ValidateOutput();
    vo.validate(description, input);
    // Pass to another system or display to the user
  }
}

...

Wiki Markup
\[[OWASP 2008|AA. Java References#OWASPBibliography#OWASP 08]\] [How to add validation logic to HttpServletRequest|http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest], [How to perform HTML entity encoding in Java|http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java], [XSS (Cross Site Scripting) Prevention Cheat Sheet|http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Escaping_.28aka_Output_Encoding.29]
\[[MITRE 2009|AA. Java References#MITREBibliography#MITRE 09]\] [CWE ID 116|http://cwe.mitre.org/data/definitions/116.html] "Improper Encoding or Escaping of Output"

...