SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 30

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 31

changes.mady.by.user Dean Sutherland

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Proper input validation can ensure that prevent insertion of malicious data is not inserted into the system. However, it such validation fails to provide the assurance that validated data will remain remains consistent throughout its lifetime. For instance, if an insider is allowed to insert data into a database without validation, it is possible to he can glean unauthorized information or execute arbitrary code on the client side by means of attacks such as Cross Site Scripting (XSS). Consequently, output filtering Output filtering to prevent such attacks is as important as input validation.

As with input validation, normalized data must be normalized before it is filtered before filtering for malicious characters. To ensure that any avoid vulnerabilities caused data that bypasses the validation does not cause vulnerabilities, it is highly may bypass validation, we recommended that all output characters be encoded, except those that are other than those known to be safe should be encoded.

Noncompliant Code Example

...

Failure to encode or escape output before it is displayed or passed to another system can result in the execution of arbitrary code on the client's sidein the other system.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

IDS04-J

high

probable

medium

P12

L1

Automated Detection

...

Related Vulnerabilities

GERONIMO-1474

Bibliography

Wiki Markup
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 116|http://cwe.mitre.org/data/definitions/116.html] "Improper Encoding or Escaping of Output"
\[[OWASP 2008|AA. Bibliography#OWASP 08]\] [How to add validation logic to HttpServletRequest|http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest], [How to perform HTML entity encoding in Java|http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java], [XSS (Cross Site Scripting) Prevention Cheat Sheet|http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Escaping_.28aka_Output_Encoding.29]
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 116|http://cwe.mitre.org/data/definitions/116.html] "Improper Encoding or Escaping of Output"

...

IDS03-J. Do not delete non-character code points      13. Input Validation and Data Sanitization (IDS)      IDS05-J. Library methods should validate their parameters