...
```java
public class BadOutput {
  // description and input are String variables containing values obtained from a database
  // description = "description" and input = "<script> executable code </script>"
  public static void display(String description, String input) {
    // Display to the user or pass description and input to another system
  }
}
```
Compliant Solution
This compliant solution defines a ValidateOutput class that normalizes the output to a known character set, performs output validation using a white-list, and encodes any non-specified data values to enforce a double-checking mechanism. Different fields may require different white-listing patterns [OWASP 2008].
```java
import java.text.Normalizer;
import java.util.regex.Pattern;

// Checked exception raised when a field fails validation
// (defined here so the example compiles stand-alone)
class ValidationException extends Exception {
  public ValidationException(String message) {
    super(message);
  }
}

public class ValidateOutput {
  // Allows only alphanumeric characters and spaces
  private Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");

  // Validates and encodes the input field based on a whitelist
  private String validate(String name, String input) throws ValidationException {
    String canonical = normalize(input);
    if (!pattern.matcher(canonical).matches()) {
      throw new ValidationException("Improper format in " + name + " field");
    }
    // Performs output encoding for non valid characters
    canonical = HTMLEntityEncode(canonical);
    return canonical;
  }

  // Normalizes to known instances
  private String normalize(String input) {
    String canonical = Normalizer.normalize(input, Normalizer.Form.NFKC);
    return canonical;
  }

  // Encodes non valid data
  public static String HTMLEntityEncode(String input) {
    StringBuffer sb = new StringBuffer();
    for (int i = 0; i < input.length(); i++) {
      char ch = input.charAt(i);
      if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
        sb.append(ch);
      } else {
        sb.append("&#" + (int) ch + ";");
      }
    }
    return sb.toString();
  }

  // description and input are String variables containing values obtained from a database
  // description = "description" and input = "2 items available"
  public static void display(String description, String input) throws ValidationException {
    ValidateOutput vo = new ValidateOutput();
    // Keep the validated, encoded value; the original input must not be displayed
    String safe = vo.validate(description, input);
    // Pass safe to another system or display it to the user
  }
}
```
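The compliant solution uses one white-list pattern for every field. The following added example (not part of the CERT page or its code) extends it to the per-field patterns the text mentions and shows why normalization must come before validation: full-width angle brackets (U+FF1C, U+FF1E) are folded to ASCII by NFKC and are then rejected by the allow-list, while a more permissive field still has its remaining markup characters entity-encoded. The field names, patterns and sample values are constructed for illustration.

```java
import java.text.Normalizer;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class FieldOutputValidator {
  // Hypothetical per-field allow-lists; a real application derives these from its data model
  private final Map<String, Pattern> fieldPatterns = new HashMap<>();

  public FieldOutputValidator() {
    fieldPatterns.put("description", Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$"));
    fieldPatterns.put("quantity", Pattern.compile("^[0-9]{1,6}( items available)?$"));
    // Permissive field: punctuation and angle brackets allowed, but they are encoded below
    fieldPatterns.put("comment", Pattern.compile("^[a-zA-Z0-9\\s.,!?'()<>/]{0,80}$"));
  }

  // Normalize, validate against the field's allow-list, then entity-encode the result
  public String validate(String field, String value) {
    Pattern pattern = fieldPatterns.get(field);
    if (pattern == null) {
      throw new IllegalArgumentException("No allow-list defined for field " + field);
    }
    // Step 1: canonicalize so look-alike code points cannot slip past the pattern
    String canonical = Normalizer.normalize(value, Normalizer.Form.NFKC);
    // Step 2: reject anything outside the allow-list
    if (!pattern.matcher(canonical).matches()) {
      throw new IllegalArgumentException("Improper format in " + field + " field");
    }
    // Step 3: encode every remaining non-alphanumeric, non-whitespace character
    return htmlEntityEncode(canonical);
  }

  // Same encoding scheme as the page's HTMLEntityEncode, using numeric character references
  static String htmlEntityEncode(String input) {
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < input.length(); i++) {
      char ch = input.charAt(i);
      if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
        sb.append(ch);
      } else {
        sb.append("&#").append((int) ch).append(';');
      }
    }
    return sb.toString();
  }

  public static void main(String[] args) {
    FieldOutputValidator validator = new FieldOutputValidator();
    // Constructed sample records, as they might come back from a database
    String[][] samples = {
      {"description", "Red widget"},
      {"quantity", "2 items available"},
      // Full-width brackets: NFKC folds them to '<' and '>', so the allow-list rejects the value
      {"description", "\uFF1Cscript\uFF1Ealert(1)\uFF1C/script\uFF1E"},
      // Allowed by the permissive pattern, but the brackets are encoded before display
      {"comment", "Great product <b>!</b>"},
    };
    for (String[] sample : samples) {
      try {
        System.out.println(sample[0] + " -> " + validator.validate(sample[0], sample[1]));
      } catch (IllegalArgumentException e) {
        System.out.println(sample[0] + " -> rejected: " + e.getMessage());
      }
    }
  }
}
```

Running the main method prints the first two records unchanged, reports the third as "Improper format in description field", and emits the comment as "Great product &#60;b&#62;!&#60;/b&#62;". The rejection of the third record happens only because normalization runs before the pattern match; validating the raw value first would let the full-width brackets through.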
...
Bibliography
...
[MITRE 2009] CWE ID 116, "Improper Encoding or Escaping of Output", http://cwe.mitre.org/data/definitions/116.html
[OWASP 2008] "How to add validation logic to HttpServletRequest", http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest; "XSS (Cross Site Scripting) Prevention Cheat Sheet", http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Escaping_.28aka_Output_Encoding.29
...
IDS11-J. Eliminate noncharacter code points before validation