Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot

...

Code Block
bgColor#FFCCCC
public class BadOutput {
  public static void display() {
    // description and input are String variables containing values obtained from a database
    // description = &quot;description&quot;"description" and input = &quot;&lt;script&gt;"<script> XSS &lt;/script&gt;&quot;</script>"
    
    // display to the user or pass description and input to another system
  }
}

...

Code Block
bgColor#ccccff
public class ValidateOutput {
  // allows only alphanumeric characters and spaces
  private Pattern pattern = Pattern.compile(&quot;"^[a-zA-Z0-9\\s]{0,20}$&quot;");

  // validates and encodes the input field based on a whitelist
  private String validate(String name, String input) throws ValidationException {
    String canonical = normalize(input);

    if(!pattern.matcher(canonical).matches()) {
      throw new ValidationException( &quot;"Improper format in &quot;" + name + &quot;" field&quot;");
    }
    
    // performs output encoding for non valid characters 
    canonical = HTMLEntityEncode(canonical);
    return canonical;
  }

  // normalizes to known instances 	
  private String normalize(String input) {
    String canonical = java.text.Normalizer.normalize(input, Normalizer.Form.NFKC);
    return canonical;
  }

  // Encodes non valid data
  public static String HTMLEntityEncode(String input) {
    StringBuffer sb = new StringBuffer();

    for (int i = 0;i &lt;< input.length();++i) {
      char ch = input.charAt(i);
        if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
          sb.append(ch);
        } else {
          sb.append("&quot;&amp;#&quot;" + (int)ch + &quot;;&quot;";");
        }
    }
    return sb.toString();
  }

  public static void display() throws ValidationException {
    // description and input are String variables containing values obtained from a database
    // description = &quot;description&quot;"description" and input = &quot;"2 items available&quot;"
    ValidateOutput vo = new ValidateOutput();
    vo.validate(description, input);
    // pass to another system or display to the user
  }
}

...

Wiki Markup
\[[OWASP 08|AA. Java References#OWASP 08]\] [How to add validation logic to HttpServletRequest|http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest] and [How to perform HTML entity encoding in Java|http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java]
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 116|http://cwe.mitre.org/data/definitions/116.html] &quot;"Improper Encoding or Escaping of Output&quot;"

...

FIO36IDS12-J. Do not create multiple buffered wrappers on an InputStream&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;09. Input Output (FIO)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;09. Input Output (FIO)Prevent XML external entity attacks      10. Input Validation and Data Sanitization (IDS)      IDS14-J. Do not use locale dependent methods on locale insensitive data