[Esapi-user] [Esapi-dev] (no subject)

Rob Spremulli rob.spremulli+esapi at gmail.com
Mon Aug 9 13:27:47 EDT 2010


In keeping with returning "" for the String methods, why not return NaN from
the Double, as opposed to null? At the very least that could save some
autoboxing issues.

On Sun, Aug 8, 2010 at 11:48 PM, Jim Manico <jim.manico at owasp.org> wrote:

>  Folks,
>
>
>
> I changed the ESAPI 2.0 Validator reference implementation to return an
> empty string, or null as appropriate for the getValidX functions with the
> errorList argument. These used to return the original (tainted) input data.
>
>
>
> This is a subtle but significant change.
>
>
>
> The full “diff” of this change is below. Thoughts?
>
>
>
> - Jim
>
> ### Eclipse Workspace Patch 1.0
>
> #P ESAPI 2.0 (trunk)
>
> Index: src/main/java/org/owasp/esapi/reference/DefaultValidator.java
>
> ===================================================================
>
> --- src/main/java/org/owasp/esapi/reference/DefaultValidator.java
> (revision 1470)
>
> +++ src/main/java/org/owasp/esapi/reference/DefaultValidator.java
> (working copy)
>
> @@ -192,9 +192,8 @@
>
>                                 } catch (ValidationException e) {
>
>                                                 errors.addError(context,
> e);
>
>                                 }
>
> -                              // error has been added to list, so return
> original input
>
> -                              // TODO - optimize so that invalid input is
> not canonicalized twice
>
> -                              return encoder.canonicalize(input);
>
> +
>
> +                             return "";
>
>                 }
>
>
>
>                 /**
>
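Review bot: at the `return "";` that replaces `return encoder.canonicalize(input);`, a failed validation now yields exactly the value a successfully validated empty string would, so a caller that reads the return value without inspecting `errors` cannot tell the two apart. Please spell the contract out in the method's Javadoc (the return value is only meaningful when `errors` did not grow during the call), and replace the whitespace-only `+` line added before the return with a short comment such as `// validation failed: error recorded in errors, return a safe empty value` rather than leaving a bare blank line.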
> @@ -264,8 +263,8 @@
>
>                                 } catch (ValidationException e) {
>
>                                                 errors.addError(context,
> e);
>
>                                 }
>
> -                              // error has been added to list, so return
> original input
>
> -                              return input;
>
> +
>
> +                             return "";
>
>                 }
>
>
>
>                 /**
>
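Review bot: the deleted `// error has been added to list, so return original input` was the only in-code explanation of this branch, and its replacement is an empty `+` line, so the bare `return "";` now reads like a stub someone forgot to finish. Keep a one-line comment stating the new behaviour, as the `byte[]` hunk at the end of this patch does, and drop the blank line.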
> @@ -298,9 +297,8 @@
>
>                                 } catch (ValidationException e) {
>
>                                                 errors.addError(context,
> e);
>
>                                 }
>
> -                              // error has been added to list, so return
> original input
>
> -                              // TODO - optimize so that invalid input is
> not canonicalized twice
>
> -                              return encoder.canonicalize(input);
>
> +
>
> +                             return "";
>
>                 }
>
>
>
>                 /**
>
> @@ -370,8 +368,8 @@
>
>                                 } catch (ValidationException e) {
>
>                                                 errors.addError(context,
> e);
>
>                                 }
>
> -                              // error has been added to list, so return
> original input
>
> -                              return input;
>
> +
>
> +                             return "";
>
>                 }
>
>
>
>
>
> @@ -448,14 +446,8 @@
>
>                                 } catch (ValidationException e) {
>
>                                                 errors.addError(context,
> e);
>
>                                 }
>
> -                              // error has been added to list, so return
> original input
>
> -                              // TODO - optimize so that invalid input is
> not canonicalized twice
>
> -                              try {
>
> -                                              return new
> File(input).getCanonicalFile().getName();
>
> -                              } catch (IOException e) {
>
> -                                              // TODO = consider logging
> canonicalization error?
>
> -                                              return input;
>
> -                              }
>
> +
>
> +                             return "";
>
>                 }
>
>
>
>                 /**
>
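Review bot: removing the `try { return new File(input).getCanonicalFile().getName(); } catch (IOException e)` block means the method no longer hits the filesystem with input that has already failed validation, which is the right direction, but it also removes the only visible use of `File` and `IOException` in this region; please check whether the corresponding `java.io` imports are now unused. The behavioural change should also be called out in the Javadoc, since callers previously got a canonicalized file name back on failure and now get `""`.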
> @@ -488,7 +480,7 @@
>
>                                 } catch (ValidationException e) {
>
>                                                 errors.addError(context,
> e);
>
>                                 }
>
> -                              // error has been added to list, so return
> null
>
> +
>
>                                 return null;
>
>                 }
>
>
>
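Review bot: this hunk only deletes the comment above `return null;` and substitutes an empty `+` line, so it is a whitespace-only change that drops the one explanation of why null, rather than `""`, is the failure value here. Keep a comment, and document in the Javadoc that null is returned on failure: if this is one of the wrapper-typed getValidX methods, a caller that unboxes the result into a primitive without first checking `errors` will get a NullPointerException instead of a validation error.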
> @@ -597,8 +589,8 @@
>
>                                 } catch (ValidationException e) {
>
>                                                 errors.addError(context,
> e);
>
>                                 }
>
> -                              // error has been added to list, so return
> original input
>
> -                              return input;
>
> +                             // return empty byte array on error
>
> +                             return new byte[0];
>
>                 }
>
>
>
>                 /**
>
>
>
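Review bot: `return new byte[0];` with its `// return empty byte array on error` comment is the only hunk in this patch that keeps an explanatory comment; the same one-liner should accompany each `return "";` and the `return null;` above so the failure contract is visible at every return site. Minor: a new zero-length array is allocated on every failure, and a `private static final byte[] EMPTY = new byte[0];` would avoid that, though it is not worth blocking on.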