SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 24

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version 25

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Wiki Markup
This compliant solution defines a {{ValidateOutput}} class that normalizes the output to a known character set, performs output validation using a white-list and encodes any non-specified data values to enforce a double checking mechanism. Different fields may require different white-listing patterns. \[[OWASP 2008|AA. Java References#OWASP 08]\].

Code Block
bgColor#ccccff
public class ValidateOutput {
  // Allows only alphanumeric characters and spaces
  private Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");

  // Validates and encodes the input field based on a whitelist
  private String validate(String name, String input) throws ValidationException {
    String canonical = normalize(input);

    if(!pattern.matcher(canonical).matches()) {
      throw new ValidationException("Improper format in " + name + " field");
    }
    
    // Performs output encoding for non valid characters 
    canonical = HTMLEntityEncode(canonical);
    return canonical;
  }

  // Normalizes to known instances 	
  private String normalize(String input) {
    String canonical = java.text.Normalizer.normalize(input, Normalizer.Form.NFKC);
    return canonical;
  }

  // Encodes non valid data
  public static String HTMLEntityEncode(String input) {
    StringBuffer sb = new StringBuffer();

    for (int i = 0; i < input.length(); i++) {
      char ch = input.charAt(i);
        if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
          sb.append(ch);
        } else {
          sb.append("&#" + (int)ch + ";");
        }
    }
    return sb.toString();
  }

  // description and input are String variables containing values obtained from a database
  // description = "description" and input = "2 items available"
  public static void display(String description, String input) throws ValidationException {
    ValidateOutput vo = new ValidateOutput();
    vo.validate(description, input);
    // Pass to another system or display to the user
  }
}

...

Failure to encode or escape output before it is displayed or passed to another system can result in the execution of arbitrary code on the client's side.

Rule Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

IDS04-J

high

probable

medium

P12

L1

...