Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot

...

Code Block
bgColor#FFcccc
// String s may be user controllable
// \uFE64 is normalized to &lt;< and \uFE64 is normalized to &gt;> using KFKC
String s = &quot;"\uFE64&quot;" + &quot;script&quot;"script" + &quot;"\uFE65&quot;"; 

//validate
Pattern pattern = Pattern.compile(&quot;[&lt;&gt;]&quot;"[<>]"); // check for angle brackets
Matcher matcher = pattern.matcher(s);
if(matcher.find()) {
  System.out.println(&quot;"found black listed tag&quot;");
} else {
  // ... 
}

// normalize
s = Normalizer.normalize(s, Form.NFKC); 

...

Code Block
bgColor#ccccff
String s = &quot;"\uFE64&quot;" + &quot;script&quot;"script" + &quot;"\uFE65&quot;";

// normalize
s = Normalizer.normalize(s, Form.NFKC); 

//validate
Pattern pattern = Pattern.compile(&quot;[&lt;&gt;]&quot;"[<>]"); 
Matcher matcher = pattern.matcher(s);
if(matcher.find()) {
  System.out.println(&quot;"found black listed tag&quot;"); 
  throw new IllegalStateException();
} else {
  // ... 
}

...

Wiki Markup
\[[API 06|AA. Java References#API 06]\] 
\[[Unicode 08|AA. Java References#Unicode 08]\]
\[[Weber 09|AA. Java References#Weber 09]\]
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 289|http://cwe.mitre.org/data/definitions/289.html] &quot;"Authentication Bypass by Alternate Name&quot;" and [CWE ID 180|http://cwe.mitre.org/data/definitions/289.html] &quot;"Incorrect Behavior Order: Validate Before Canonicalize&quot;"

...

IDS09-J. Account for supplementary and combining characters in globalized code&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;49. Miscellaneous (MSC)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;99. The Void (VOID)      10. Input Validation and Data Sanitization (IDS)      IDS11-J. Do not delete non-character code points