SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 76

changes.mady.by.user Shannon Haas

Saved on

compared with

New Version 77

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFcccc
// String s may be user controllable
// \uFE64 is normalized to < and \uFE65 is normalized to > using NFKC
String s = "\uFE64" + "script" + "\uFE65";

// Validate
Pattern pattern = Pattern.compile("[<>]"); // Check for angle brackets
Matcher matcher = pattern.matcher(s);
if (matcher.find()) {
  // Found black listed tag
  throw new IllegalStateException();
} else {
  // ...
}

// Normalize
s = Normalizer.normalize(s, Form.NFKC);

The {{normalize() }} method transforms Unicode text into an equivalent composed or decomposed form, allowing for easier searching of text. The normalize method supports the standard normalization forms described in Unicode Standard Annex #15 Unicode Normalization Forms.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b82d479ea5109183-e2782ccd-483b452d-8743927f-a4e620d36da823978b9c0097"><ac:plain-text-body><![CDATA[

[ISO/IEC TR 24772:2010

http://www.aitcnet.org/isai/]

Cross-site scripting [XYT]

]]></ac:plain-text-body></ac:structured-macro>

MITRE CWE

CWE-289. Authentication bypass by alternate name

 

CWE-180. Incorrect behavior order: Validate before canonicalize

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ea5208814822d6f5-d6ac7543-4a2644d0-8bf5a9bb-86ac6d85bd4c9231c20a5b7f"><ac:plain-text-body><![CDATA[

[[API 2006

AA. References#API 06]]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4156aebd272006bc-f1f4d694-489b4690-b0f8aae1-a1bed29a61b33cfa4bdd4be0"><ac:plain-text-body><![CDATA[

[[Davis 2008

AA. References#Davis 08]]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="cb950ba4fabd1c40-269c65b8-4df3423d-b503a4b8-f6bc5392ddf766d273551b7f"><ac:plain-text-body><![CDATA[

[[Weber 2009

AA. References#Weber 09]]

]]></ac:plain-text-body></ac:structured-macro>

...