...
The validation logic fails to detect the <script> tag because the input has not yet been normalized at the time the check runs. Consequently, validation does not reject the input, and the system accepts the invalid input.

Compliant Solution
This compliant solution normalizes the string before validating it. Alternative representations of the string are normalized to the canonical angle brackets. Consequently, input validation correctly detects the malicious input and throws an IllegalStateException.
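The following is an added illustration of both orderings side by side; it is not the code from the original page. It assumes the constructed input "\uFE64script\uFE65" (U+FE64 and U+FE65 are compatibility forms of '<' and '>' that NFKC maps to the ASCII brackets) and the hypothetical method names below; the class name is likewise chosen here.

```java
import java.text.Normalizer;
import java.util.regex.Pattern;

public class NormalizeBeforeValidate {
    // Constructed input: U+FE64 / U+FE65 are compatibility variants of '<' and '>'
    // that NFKC normalization folds to the ASCII angle brackets.
    static final String INPUT = "\uFE64script\uFE65";
    static final Pattern ANGLE_BRACKETS = Pattern.compile("[<>]");

    // Noncompliant ordering: validate first, normalize afterwards.
    // The check passes because the raw string contains no ASCII '<' or '>',
    // yet the value handed back to the caller normalizes to "<script>".
    static String validateThenNormalize(String s) {
        if (ANGLE_BRACKETS.matcher(s).find()) {
            throw new IllegalStateException("angle bracket in input");
        }
        return Normalizer.normalize(s, Normalizer.Form.NFKC);
    }

    // Compliant ordering: normalize to the canonical form, then validate.
    // The same input is now rejected because the brackets are visible to the check.
    static String normalizeThenValidate(String s) {
        String normalized = Normalizer.normalize(s, Normalizer.Form.NFKC);
        if (ANGLE_BRACKETS.matcher(normalized).find()) {
            throw new IllegalStateException("angle bracket in input");
        }
        return normalized;
    }

    public static void main(String[] args) {
        // Noncompliant: the check silently passes and "<script>" reaches the caller.
        System.out.println("validate-then-normalize accepted: " + validateThenNormalize(INPUT));
        // Compliant: the identical input is rejected with IllegalStateException.
        try {
            normalizeThenValidate(INPUT);
            System.out.println("normalize-then-validate accepted (unexpected)");
        } catch (IllegalStateException e) {
            System.out.println("normalize-then-validate rejected: " + e.getMessage());
        }
    }
}
```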
...
...
IDS00-J. Sanitize untrusted data passed across a trust boundary