...
If it is desired to include special characters in a database field such as a password, it is critical to ensure that the authentic data is stored in a sanitized form in the database and that any user input is escaped and transformed into the equivalent form before the validation or comparison takes place. The use of characters that have special meanings in JNDI and LDAP is strongly discouraged unless a comprehensive white-listing based routine is employed to encode and escape the characters. Refer to the guideline IDS13-J, "Properly encode or escape output," for examples of output encoding and escaping. The special character must be transformed to a sanitized safe value before it is added to the white-list expression against which input is required to be validated. Likewise, sanitization of user input (escaping and encoding) should occur before the validation step.
...
Failing to sanitize untrusted input can result in information disclosure and, in some cases, execution of arbitrary code or privilege escalation.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS16-J | high | likely | medium | P18 | L1 |
...