...
As with input validation, normalize data before filtering for malicious characters. To avoid vulnerabilities caused by data that bypasses validation, we recommend that all output characters other than those known to be safe are encoded.
Noncompliant Code Example
This noncompliant code example displays input obtained from a database directly to the user without performing any output validation or encoding.
| Code Block | ||
|---|---|---|
| ||
public class BadOutput {
// description and input are String variables containing values obtained from a database
// description = "description" and input = "<script> executable code </script>"
public static void display(String description, String input) {
// Display to the user or pass description and input to another system
}
}
|
Compliant Solution
| Wiki Markup |
|---|
This compliant solution defines a {{ValidateOutput}} class that normalizes the output to a known character set, performs output validation using a white-list and encodes any non-specified data values to enforce a double checking mechanism. Different fields may require different white-listing patterns \[[OWASP 2008|AA. Bibliography#OWASP 08]\]. |
| Code Block | ||
|---|---|---|
| ||
public class ValidateOutput {
// Allows only alphanumeric characters and spaces
private Pattern pattern = Pattern.compile("^[a-zA-Z0-9\\s]{0,20}$");
// Validates and encodes the input field based on a whitelist
private String validate(String name, String input) throws ValidationException {
String canonical = normalize(input);
if(!pattern.matcher(canonical).matches()) {
throw new ValidationException("Improper format in " + name + " field");
}
// Performs output encoding for non valid characters
canonical = HTMLEntityEncode(canonical);
return canonical;
}
// Normalizes to known instances
private String normalize(String input) {
String canonical = java.text.Normalizer.normalize(input, Normalizer.Form.NFKC);
return canonical;
}
// Encodes non valid data
public static String HTMLEntityEncode(String input) {
StringBuffer sb = new StringBuffer();
for (int i = 0; i < input.length(); i++) {
char ch = input.charAt(i);
if (Character.isLetterOrDigit(ch) || Character.isWhitespace(ch)) {
sb.append(ch);
} else {
sb.append("&#" + (int)ch + ";");
}
}
return sb.toString();
}
// description and input are String variables containing values obtained from a database
// description = "description" and input = "2 items available"
public static void display(String description, String input) throws ValidationException {
ValidateOutput vo = new ValidateOutput();
vo.validate(description, input);
// Pass to another system or display to the user
}
}
|
Risk Assessment
Failure to encode or escape output before it is displayed or passed to another system can result in the execution of arbitrary code in the other system.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS04-J | high | probable | medium | P12 | L1 |
Related Vulnerabilities
Bibliography
| Wiki Markup |
|---|
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 116|http://cwe.mitre.org/data/definitions/116.html] "Improper Encoding or Escaping of Output" \[[OWASP 2008|AA. Bibliography#OWASP 08]\] [How to add validation logic to HttpServletRequest|http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest], [XSS (Cross Site Scripting) Prevention Cheat Sheet|http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Escaping_.28aka_Output_Encoding.29] |
...