[OWASP-ESAPI] Issues with Input validation using ESAPI
jim.manico at owasp.org
Sun Aug 8 13:45:10 EDT 2010
I agree, Dave.
On Aug 8, 2010, at 5:38 AM, "Dave Wichers" <dave.wichers at owasp.org> wrote:
> I like this too, and don't think we should deprecate the current methods.
> -----Original Message-----
> From: owasp-esapi-bounces at lists.owasp.org
> [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Kevin W. Wall
> Sent: Sunday, August 08, 2010 12:30 AM
> To: Jim Manico
> Cc: 'Kesavanarayanan, Ramesh'; owasp-esapi at lists.owasp.org
> Subject: Re: [OWASP-ESAPI] Issues with Input validation using ESAPI
> Jim Manico wrote:
>>> I think the validators should take an optional flag that defaults to true
>> that determines whether canonicalization should be done.
>> I agree, I'd like to make this change to 2.0. I'd like to leave the
>> validation functions as is and have them all default to "cannonizalize" -
>> and then add a new variant of these functions that expose the
>> canonicalization variable. This is a little more "backward compatible"
>> friendly. Acceptable?
> Definitely, at 2.0-rc6, we need to strive for backward compatibility unless
> something is egregiously wrong. However, if it's something that you want
> to consciously *always* think about (whether or not canonicalization should
> used), then you should add a deprecation annotation to the javadoc of the
> existing methods that refer them to the new variants and then sometime
> later (say 3.0 or 2.2 or whenever) we can remove the deprecated method.
> However, personally, I think that canonicalization is _almost always_ the
> *right* thing to do and we are _generally_ safer it people *don't* have to
> think about it, so I'm good with just supporting both variations, even
> though they are somewhat redundant. (It's times like this I envy C++'s
> optional argument values.)
> So, I'm good with what you propose.
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
More information about the OWASP-ESAPI