...
Character information in Java is based on the Unicode Standard. The following table shows the version of Unicode supported by the previous latest three release releases of Java SE.
| Java Version | Unicode Version |
|---|---|
| Java SE 6 | Unicode Standard, version 4.0 [Unicode 2003] |
| Java SE 7 | Unicode Standard, version 6.0.0 [Unicode 2011] |
| Java SE 8 | Unicode Standard, version 6.2.0 [Unicode 2012] |
Applications that accept untrusted input should normalize the input before validating it. Normalization is important because in Unicode, the same string can have many different representations. According to the Unicode Standard [Davis 2008], annex #15, Unicode Normalization Forms:
...
The validation logic fails to detect the
<script> tag because it is not normalized at the time. Therefore the system accepts the invaild invalid input.Compliant Solution
This compliant solution normalizes the string before validating it. Alternative representations of the string are normalized to the canonical angle brackets. Consequently, input validation correctly detects the malicious input and throws an IllegalStateException.
...
| Tool | Version | Checker | Description |
|---|---|---|---|
| Fortify | 1.0 | Process_Control | Implemented |
Related Guidelines
Cross-site Scripting [XYT] | |
CWE-289, Authentication bypass by alternate name |
...
Android apps can receive string data from the outside and normalize it.
Bibliography
...