SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 10

changes.mady.by.user Ankur Goyal

Saved on

compared with

New Version 11

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot

...

Code Block
bgColor#FFcccc
// String s may be user controllable
// \uFE64 is normalized to &lt;< and \uFE64 is normalized to &gt;> using KFKC
String s = &quot;"\uFE64&quot;" + &quot;script&quot;"script" + &quot;"\uFE65&quot";; 

//validate
Pattern pattern = Pattern.compile(&quot;[&lt;&gt;]&quot;"[<>]"); // check for angle brackets
Matcher matcher = pattern.matcher(s);
if(matcher.find()) {
  System.out.println(&quot;"found black listed tag&quot;");
} else {
  // ... 
}

// normalize
s = Normalizer.normalize(s, Form.NFKC);

...

Code Block
bgColor#ccccff
String s = &quot;"\uFE64&quot;" + &quot;script&quot;"script" + &quot;"\uFE65&quot;";

// normalize
s = Normalizer.normalize(s, Form.NFKC); 

//validate
Pattern pattern = Pattern.compile(&quot;[&lt;&gt;]&quot;"[<>]"); 
Matcher matcher = pattern.matcher(s);
if(matcher.find()) {
  System.out.println(&quot;"found black listed tag&quot;"); 
  throw new IllegalStateException();
} else {
  // ... 
}

...

Wiki Markup
\[[API 06|AA. Java References#API 06]\] 
\[[Unicode 08|AA. Java References#Unicode 08]\]
\[[Weber 09|AA. Java References#Weber 09]\]
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 289|http://cwe.mitre.org/data/definitions/289.html] &quot;"Authentication Bypass by Alternate Name&quot;" and [CWE ID 180|http://cwe.mitre.org/data/definitions/289.html] &quot;"Incorrect Behavior Order: Validate Before Canonicalize&quot;"

...

IDS09-J. Account for supplementary and combining characters in globalized code&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;      10. Input Validation and Data Sanitization (IDS)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;      IDS11-J. Do not delete non-character code points