[Esapi-dev] HTTPParameterValue
Jeff Williams
jeff.williams at aspectsecurity.com
Tue Sep 28 18:01:56 EDT 2010
I strongly encourage organizations to use a reasonably limited whitelist
here. Just because the spec allows it does not mean that you have to
allow it in your application. Do you really need tilde and backtick?
You may want to try a regex that allows printable international
characters.
--Jeff
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Michael Coates
Sent: Tuesday, September 28, 2010 5:47 PM
To: Jim Manico
Cc: 'ESAPI-Developers'
Subject: Re: [Esapi-dev] HTTPParameterValue
Allow %20-%7E (the actual values of course, not the hex representation).
This will eliminate the non-printable characters like null and line
breaks (%0A, %0C) and allow most everything else. One note, I'm not
sure if this will work well for international character sets.
As Jim points out, this should be a coarse-grain filter. Any real
filtering is contextual within the app.
Michael Coates
OWASP
On 9/28/10 2:39 PM, Jim Manico wrote:
We currently use the following regular expression to validate
HTTPParameterValue
in the wrapper filters.
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$
This is turning out to be horribly restrictive (for example, even email
addresses in input data get rejected).
We need some pretty detailed analysis on this regex to get it right.
Keep in mind, this is not to be used for contextual validation (real app
validation). This is just a sanity filter to make sure your inputs abide
by the HTTP Standard.
Thoughts?
- Jim
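To compare the three proposals in this thread side by side (Jim's current ESAPI.properties pattern, Michael's printable-ASCII range 0x20 to 0x7E, and Jeff's suggestion of allowing printable international characters), here is an added example written for this page; it is not ESAPI code and not from any of the posters. The third pattern is my own reading of "printable international characters" (reject the C0 and C1 control ranges, accept everything else) and is labelled as an assumption in the code. The sample inputs are constructed. It also shows a pitfall that matters for the line-break case Michael raises: anchoring with `$` and testing with `re.match` still accepts a value that ends in a single newline, so the check uses `re.fullmatch`.

```python
import re

# Candidate coarse-grain whitelists for HTTPParameterValue, from the thread.
# The Python re module reads these character classes the same way
# java.util.regex does, so the comparison carries over to ESAPI's Validator.

# Jim's current ESAPI.properties pattern. The properties file escapes each
# backslash as "\\"; collapsed here to the regex the Java engine actually sees.
CURRENT = re.compile(r"^[a-zA-Z0-9.\-\/+=_ ]*$")

# Michael's suggestion: printable ASCII only, 0x20 (space) through 0x7E (tilde).
# This drops NUL, LF, FF and the other control characters but also drops
# every non-ASCII letter.
PRINTABLE_ASCII = re.compile(r"^[\x20-\x7E]*$")

# Jeff's direction, "printable international characters". ASSUMPTION: reject
# the C0 (0x00-0x1F) and C1 (0x7F-0x9F) control ranges and accept the rest.
# A real deployment would tighten this to the scripts it actually expects.
PRINTABLE_INTL = re.compile(r"^[^\x00-\x1F\x7F-\x9F]*$")

PATTERNS = {
    "current": CURRENT,
    "printable_ascii": PRINTABLE_ASCII,
    "printable_intl": PRINTABLE_INTL,
}


def accepts(pattern: re.Pattern, value: str) -> bool:
    """Whole-value check. fullmatch() requires the pattern to cover the entire
    string, so a trailing newline cannot slip past the '$' anchor."""
    return pattern.fullmatch(value) is not None


def naive_accepts(pattern: re.Pattern, value: str) -> bool:
    """The tempting but wrong way: with match(), '$' is satisfied just before a
    final '\\n', so "abc\\n" passes a pattern that should reject line breaks."""
    return pattern.match(value) is not None


def check(value: str) -> dict:
    """Report which of the candidate whitelists accept the value."""
    return {name: accepts(p, value) for name, p in PATTERNS.items()}


# Constructed sample inputs covering the cases discussed in the thread.
SAMPLES = {
    "email": "alice@example.com",   # rejected by CURRENT because of '@'
    "tilde": "~alice",              # 0x7E, the top of Michael's range
    "accented": "Zo\u00eb",         # non-ASCII letter, fails the ASCII whitelist
    "nul": "abc\x00def",            # null byte, rejected everywhere
    "newline": "abc\ndef",          # embedded line break, rejected everywhere
    "trailing_newline": "abc\n",    # the '$' anchor pitfall
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:17s} {check(value)}")
    print("naive match() on 'abc\\n' with CURRENT:", naive_accepts(CURRENT, "abc\n"))
```

Running the script prints one row per sample; the last line shows `True`, which is why a whole-input match (`fullmatch` in Python, `Matcher.matches()` rather than `find()` in Java) is the right way to apply any of these patterns.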