
...

Noncompliant Code Example

public class BadOutput {
  public static void display() {
    // description and input are String variables containing values obtained from a database
    // description = "description" and input = "<script> XSS </script>"
    String description = "description";
    String input = "<script> XSS </script>";

    // display to the user or pass description and input to another system
    // with no validation and no output encoding: the script tag reaches the
    // consumer verbatim
    System.out.println(description + ": " + input);
  }
}

...

Compliant Solution

import java.text.Normalizer;
import java.util.regex.Pattern;

// Application-defined checked exception; the page references it but does not define it
class ValidationException extends Exception {
  public ValidationException(String message) {
    super(message);
  }
}

public class ValidateOutput {
  // allows only ASCII alphanumeric characters and whitespace, at most 20 characters
  private final Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");

  // normalizes, validates the input field against the whitelist, then encodes it
  private String validate(String name, String input) throws ValidationException {
    String canonical = normalize(input);

    if (!pattern.matcher(canonical).matches()) {
      throw new ValidationException("Improper format in " + name + " field");
    }

    // performs output encoding for non-valid characters
    canonical = HTMLEntityEncode(canonical);
    return canonical;
  }

  // normalizes to known instances (NFKC) so the whitelist is applied to the canonical form
  private String normalize(String input) {
    return Normalizer.normalize(input, Normalizer.Form.NFKC);
  }

  // Encodes non-valid data as decimal numeric character references.
  // Note: charAt() walks UTF-16 code units, so a supplementary character would be
  // emitted as two surrogate references; harmless here only because the whitelist
  // has already restricted the value to ASCII.
  public static String HTMLEntityEncode(String input) {
    StringBuilder sb = new StringBuilder();

    for (int i = 0; i < input.length(); ++i) {
      char ch = input.charAt(i);
      if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
        sb.append(ch);
      } else {
        sb.append("&#" + (int) ch + ";");
      }
    }
    return sb.toString();
  }

  public static void display() throws ValidationException {
    // description and input are String variables containing values obtained from a database
    // description = "description" and input = "2 items available"
    String description = "description";
    String input = "2 items available";
    ValidateOutput vo = new ValidateOutput();
    String encoded = vo.validate(description, input);
    // pass encoded (never the raw input) to another system or display it to the user
    System.out.println(description + ": " + encoded);
  }
}
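The following is an added example, not code from the CERT page: it runs the same normalize, whitelist, encode pipeline as the compliant solution over a handful of constructed inputs so that the contribution of each stage is visible. The class name `OutputEncodingDemo`, its `check` method and the sample strings are assumptions made for illustration; the whitelist and the encoder are copied from the compliant solution above.

```java
import java.text.Normalizer;
import java.util.regex.Pattern;

// Added example (not from the CERT page): exercises the normalize -> whitelist -> encode
// pipeline of the compliant solution on constructed inputs.
public class OutputEncodingDemo {
  // Same whitelist as the compliant solution
  private static final Pattern WHITELIST = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");

  // Same encoding as the compliant solution: decimal numeric character
  // references for anything that is not a letter, digit or whitespace
  static String htmlEntityEncode(String input) {
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < input.length(); i++) {
      char ch = input.charAt(i);
      if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
        sb.append(ch);
      } else {
        sb.append("&#").append((int) ch).append(';');
      }
    }
    return sb.toString();
  }

  // Normalize first, then whitelist, then encode. Returns the encoded string,
  // or null when the whitelist rejects the normalized value.
  static String check(String input) {
    String canonical = Normalizer.normalize(input, Normalizer.Form.NFKC);
    if (!WHITELIST.matcher(canonical).matches()) {
      return null;
    }
    return htmlEntityEncode(canonical);
  }

  public static void main(String[] args) {
    // Constructed inputs standing in for database values
    String[] samples = {
      "2 items available",
      // FULLWIDTH DIGIT TWO (U+FF12): NFKC maps it to ASCII '2', so the normalized
      // value passes the whitelist although the raw character is outside [0-9]
      "\uFF12 items available",
      // Plain XSS payload: the whitelist rejects '<', '>' and '/'
      "<script> XSS </script>",
      // Same payload using FULLWIDTH LESS-THAN / GREATER-THAN SIGN (U+FF1C / U+FF1E);
      // NFKC folds these to '<' and '>', so the check is applied to the canonical form
      "\uFF1Cscript\uFF1E XSS \uFF1C/script\uFF1E"
    };
    for (String s : samples) {
      String result = check(s);
      System.out.println("raw=" + s + " -> " + (result == null ? "REJECTED" : result));
    }
    // The encoder alone, with no whitelist, still neutralizes the payload for an
    // HTML text context: '<' becomes &#60; and '>' becomes &#62;
    System.out.println(htmlEntityEncode("<script> XSS </script>"));
  }
}
```

Two points this makes that the compliant solution does not spell out: normalizing before validating is what lets a compatibility-form value such as the fullwidth digit be accepted as the plain digit it represents, while an attacker cannot use compatibility forms to smuggle a character past the whitelist because the check sees the folded text. The numeric-reference encoding shown here is correct for HTML text content; a value placed in an attribute, a script block or a URL needs the encoding appropriate to that context, as the OWASP reference below describes.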

...

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
IDS13-J   high      probable    medium            P12       L1

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[OWASP 08] How to add validation logic to HttpServletRequest, http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest, and How to perform HTML entity encoding in Java, http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java
[MITRE 09] CWE ID 116, "Improper Encoding or Escaping of Output", http://cwe.mitre.org/data/definitions/116.html

...
