SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 11

changes.mady.by.user Ankur Goyal

Saved on

compared with

New Version 12

changes.mady.by.user Dhruv Mohindra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFcccc
// String s may be user controllable
// \uFE64 is normalized to < and \uFE64uFE65 is normalized to > using KFKCNFKC
String s = "\uFE64" + "script" + "\uFE65"; 

//validate Validate
Pattern pattern = Pattern.compile("[<>]"); // checkCheck for angle brackets
Matcher matcher = pattern.matcher(s);
if(matcher.find()) {
  System.out.println("found black listed tag");
} else {
  // ... 
}

// normalizeNormalize
s = Normalizer.normalize(s, Form.NFKC);

...

This compliant solution normalizes the string before validating it. Alternative representations of the string are normalized to the canonical angle brackets. Input Consequently, input validation succeeds and an IllegalStateException results.

...