...
Note that the class must also be declared final to prevent a malicious subclass from carrying out a finalizer attack. (See rule OBJ11-J, Prevent access to partially initialized objects.) For extendable classes, an acceptable alternative is a flag that indicates whether the instance is safe for use. The flag is set only after validation succeeds and must be checked in every method before any operation is performed.
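An added example (not code from the original page) of the flag-based alternative for a class that cannot be declared final: `readObject` validates the deserialized state and only then sets a transient `initialized` flag, and every public method checks that flag first, so an instance rescued by a subclass finalizer after failed validation remains unusable. The class `Quota`, its fields and `checkInitialized` are constructed for illustration.

```java
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.Serializable;

// Constructed example: a non-final Serializable class guarded by an
// "initialized" flag instead of being declared final.
public class Quota implements Serializable {
    private static final long serialVersionUID = 1L;
    private int limit;
    private int used;
    // transient: never restored from the stream, so a deserialized
    // instance starts out unusable until validation has succeeded.
    private transient boolean initialized;

    public Quota(int limit) {
        if (limit < 0) {
            throw new IllegalArgumentException("limit must be non-negative");
        }
        this.limit = limit;
        this.used = 0;
        this.initialized = true;   // set only after validation
    }

    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        // Validate the deserialized state exactly as the constructor would.
        if (limit < 0 || used < 0 || used > limit) {
            throw new InvalidObjectException("invalid quota state");
        }
        initialized = true;        // flag is set last, on success only
    }

    // Every method checks the flag before doing anything else.
    private void checkInitialized() {
        if (!initialized) {
            throw new IllegalStateException("Quota not initialized");
        }
    }

    public int remaining() {
        checkInitialized();
        return limit - used;
    }

    public void consume(int amount) {
        checkInitialized();
        if (amount < 0 || amount > limit - used) {
            throw new IllegalArgumentException("amount exceeds remaining quota");
        }
        used += amount;
    }
}
```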
...
...