You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Using local sensitive methods on data that should be interpreted locale independently can produce unexpected results. Locale independent data includes programming language identifiers, protocol keys and HTML tags. It may even be possible to bypass input filters by supplying locale specific data. For example, if a string is converted to uppercase, it may be declared valid, however, further down when changed to lower case, it may result in a black-listed string.

Noncompliant Code Example

This noncompliant code example uses the locale sensitive String.toUpperCase() method to convert an html tag to uppercase. This produces the string "T?TLE" in the Turkish locale wherein '?' is the Latin capital letter 'I' with a dot above the character [[API 06]].

"title".toUpperCase();

Compliant Solution

This compliant solution explicitly sets the locale to English to avoid the unexpected result.

"title".toUpperCase(Locale.ENGLISH);

Risk Assessment

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

IDS14- J

medium

probable

medium

P8

L2

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[API 06]] Class String


IDS13-J. Properly encode or escape output      10. Input Validation and Data Sanitization (IDS)      IDS15-J. Library methods should validate their parameters

  • No labels