[Esapi-dev] Different validation patterns pre/post canonicalization in StringValidationRule.getValid()
augustd at codemagi.com
Wed Nov 17 22:42:53 EST 2010
The only thing I could think of would be if you want to pre-check the data
before you even canonicalize. For example, if you are expecting URL encoded
data and the input includes newlines and control chars, it could be rejected
right then, saving the cycles required to canonicalize. But that would
definitely require a separate regex be used before and after.
On Wed, Nov 17, 2010 at 6:31 PM, Kevin W. Wall <kevin.w.wall at gmail.com>wrote:
> On 11/17/2010 06:52 PM, augustd wrote:
> > I'm not sure I see the point either -I was just thinking of backwards
> > compatibility. Could anyone really be depending on the
> > validation that is n there right now?
> I doubt it. I can't think of a case where you don't always want to
> perform the canonicalization first. So IMO, this was a bug and if
> breaks backwards compatibility, it is only because someone is
> relying the behavior of a bug as the correct behavior, and that's
> never a good thing.
> I'd vote to simply move the validation to AFTER canonicalization
> and leave it at that.
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Esapi-dev