[Esapi-dev] Help regarding issue 251

Matt Seil mseil at acm.org
Thu Oct 2 20:57:23 UTC 2014


I agree with output escaping being a better choice, but the absolute *best*
solution is the full combination of:

1.  Input Validation
2.  Output Escaping
3.  Client-Side Validation.  (If only to help tell the difference between
an attack and a legitimate request.)

Even if I become convinced it's a bad bug, it's *extremely* common for
developers to rely on 1.) so it's just not something we can dismiss.  When
looking at the input provided in the ticket, we could easily be accepting
SQL statements through date fields depending on how back-end processing is
used.

On Thu, Oct 2, 2014 at 3:07 PM, Jim Manico <jim.manico at owasp.org> wrote:

> You do not stop injection at the input validation layer; I do not
> think this is a good bug.
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> > On Oct 2, 2014, at 10:53 AM, Nalin Goel <naling1994 at gmail.com> wrote:
> >
> > Hi guys,
> >
> > I am new to open-source and would like to work with owasp-esapi.
> >
> > I did some research on issue 251 (IsValidDate not recognizing injection
> attacks) and would appreciate guidance as well as feedback as to what our
> inputs might be.
> >
> > Any help on getting me started is appreciated.
> > _______________________________________________
> > Esapi-dev mailing list
> > Esapi-dev at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/esapi-dev



-- 
Matt Seil
Software Engineer
ACM/IEEE
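As an added illustration of why a date validator can wave through "SQL statements through date fields" (example code written for this page, not code from the thread or from ESAPI), assume a check built on java.text.DateFormat: parse(String) only needs a parseable prefix and silently ignores whatever follows, so a validator that merely asks "did parsing succeed?" accepts a date with a trailing payload. The class name, the pattern and the sample inputs are constructed; the strict variants below require the whole input to be consumed, and even then they are only layer 1 of the three Matt lists.

```java
import java.text.ParseException;
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.time.LocalDate;
import java.time.format.DateTimeParseException;

public class DateCheckDemo {

    // Lenient check: DateFormat.parse(String) succeeds as soon as a date
    // prefix is found, so trailing characters are ignored and the input passes.
    static boolean lenientIsValidDate(String input, String pattern) {
        try {
            new SimpleDateFormat(pattern).parse(input);
            return true;
        } catch (ParseException e) {
            return false;
        }
    }

    // Strict check: disable lenient field handling and require the parser
    // to have consumed every character of the input.
    static boolean strictIsValidDate(String input, String pattern) {
        SimpleDateFormat fmt = new SimpleDateFormat(pattern);
        fmt.setLenient(false);
        ParsePosition pos = new ParsePosition(0);
        return fmt.parse(input, pos) != null && pos.getIndex() == input.length();
    }

    // java.time rejects unparsed trailing text by design (DateTimeParseException).
    static boolean isIsoDate(String input) {
        try {
            LocalDate.parse(input);
            return true;
        } catch (DateTimeParseException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String pattern = "yyyy-MM-dd";
        // Constructed sample inputs: a legitimate date, then the same date
        // followed by a SQL fragment of the kind the ticket is about.
        String[] inputs = { "2014-10-02", "2014-10-02' OR '1'='1" };
        for (String in : inputs) {
            System.out.printf("%-24s lenient=%-5b strict=%-5b java.time=%b%n",
                in, lenientIsValidDate(in, pattern),
                strictIsValidDate(in, pattern), isIsoDate(in));
        }
    }
}
```

A date that passes the strict check is still only validated input; it must reach the database through a parameterized query and be output-escaped on the way back out, which is the combination the message argues for.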

