...
Code Block | ||
---|---|---|
| ||
public class BadOutput { public static void display() { // description and input are String variables containing values obtained from a database // description = "description""description" and input = "<script>"<script> XSS </script>"</script>" // display to the user or pass description and input to another system } } |
...
Code Block | ||
---|---|---|
| ||
public class ValidateOutput { // allows only alphanumeric characters and spaces private Pattern pattern = Pattern.compile(""^[a-zA-Z0-9\\s]{0,20}$""); // validates and encodes the input field based on a whitelist private String validate(String name, String input) throws ValidationException { String canonical = normalize(input); if(!pattern.matcher(canonical).matches()) { throw new ValidationException( ""Improper format in "" + name + "" field""); } // performs output encoding for non valid characters canonical = HTMLEntityEncode(canonical); return canonical; } // normalizes to known instances private String normalize(String input) { String canonical = java.text.Normalizer.normalize(input, Normalizer.Form.NFKC); return canonical; } // Encodes non valid data public static String HTMLEntityEncode(String input) { StringBuffer sb = new StringBuffer(); for (int i = 0;i << input.length();++i) { char ch = input.charAt(i); if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) { sb.append(ch); } else { sb.append(""&#"" + (int)ch + ";"";"); } } return sb.toString(); } public static void display() throws ValidationException { // description and input are String variables containing values obtained from a database // description = "description""description" and input = ""2 items available"" ValidateOutput vo = new ValidateOutput(); vo.validate(description, input); // pass to another system or display to the user } } |
...
Wiki Markup |
---|
\[[OWASP 08|AA. Java References#OWASP 08]\] [How to add validation logic to HttpServletRequest|http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest] and [How to perform HTML entity encoding in Java|http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java] \[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 116|http://cwe.mitre.org/data/definitions/116.html] ""Improper Encoding or Escaping of Output"" |
...
FIO36IDS12-J. Do not create multiple buffered wrappers on an InputStream 09. Input Output (FIO) 09. Input Output (FIO)Prevent XML external entity attacks 10. Input Validation and Data Sanitization (IDS) IDS14-J. Do not use locale dependent methods on locale insensitive data