SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 52

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 53

changes.mady.by.user Dean Sutherland

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

As with input validation, normalize data before filtering for malicious characters. To avoid vulnerabilities caused by data that bypasses validation, we recommend that all output characters other than those known to be safe are should be encoded.

Noncompliant Code Example

...

This compliant solution defines a ValidateOutput class that normalizes the output to a known character set, performs output validation using a white-list and encodes any non-specified data values to enforce a double checking mechanism. Different fields may require different Note that required white-listing patterns may vary according to the specific needs of different fields [OWASP 2008].

Code Block
bgColor#ccccff
public class ValidateOutput {
  // Allows only alphanumeric characters and spaces
  private Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");

  // Validates and encodes the input field based on a whitelist
  private String validate(String name, String input) throws ValidationException {
    String canonical = normalize(input);

    if(!pattern.matcher(canonical).matches()) {
      throw new ValidationException("Improper format in " + name + " field");
    }
    
    // Performs output encoding for non valid characters 
    canonical = HTMLEntityEncode(canonical);
    return canonical;
  }

  // Normalizes to known instances 	
  private String normalize(String input) {
    String canonical = java.text.Normalizer.normalize(input, Normalizer.Form.NFKC);
    return canonical;
  }

  // Encodes non valid data
  public static String HTMLEntityEncode(String input) {
    StringBuffer sb = new StringBuffer();

    for (int i = 0; i < input.length(); i++) {
      char ch = input.charAt(i);
        if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
          sb.append(ch);
        } else {
          sb.append("&#" + (int)ch + ";");
        }
    }
    return sb.toString();
  }

  // description and input are String variables containing values obtained from a database
  // description = "description" and input = "2 items available"
  public static void display(String description, String input) throws ValidationException {
    ValidateOutput vo = new ValidateOutput();
    vo.validate(description, input);
    // Pass to another system or display to the user
  }
}

...