[Esapi-user] [Esapi-dev] (no subject)

Jim Manico jim.manico at owasp.org
Mon Aug 9 14:31:42 EDT 2010


This is already done. :)

-Jim
http://manico.net

On Aug 9, 2010, at 7:27 AM, Rob Spremulli <rob.spremulli+esapi at gmail.com> wrote:

> In keeping with returning "" for the String methods, why not return NaN from the Double, as opposed to null? At the very least that could save some autoboxing issues.
> 
> On Sun, Aug 8, 2010 at 11:48 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Folks,
> 
>  
> 
> I changed the ESAPI 2.0 Validator reference implementation to return an empty string, or null as appropriate for the getValidX functions with the errorList argument. These used to return the original (tainted) input data.
> 
>  
> 
> This is a subtle but significant change.
> 
>  
> 
> The full “diff” of this change is below. Thoughts?
> 
>  
> 
> - Jim
> 
> ### Eclipse Workspace Patch 1.0
> 
> #P ESAPI 2.0 (trunk)
> 
> Index: src/main/java/org/owasp/esapi/reference/DefaultValidator.java
> 
> ===================================================================
> 
> --- src/main/java/org/owasp/esapi/reference/DefaultValidator.java      (revision 1470)
> 
> +++ src/main/java/org/owasp/esapi/reference/DefaultValidator.java   (working copy)
> 
> @@ -192,9 +192,8 @@
> 
>                                 } catch (ValidationException e) {
> 
>                                                 errors.addError(context, e);
> 
>                                 }
> 
> -                              // error has been added to list, so return original input
> 
> -                              // TODO - optimize so that invalid input is not canonicalized twice
> 
> -                              return encoder.canonicalize(input);
> 
> +
> 
> +                             return "";
> 
>                 }
> 
>  
> 
>                 /**
> 
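Review bot: the removed comment was the only place that documented what this method returns when validation fails; with `return "";` replacing `return encoder.canonicalize(input);`, the method's Javadoc should state that an empty string comes back on failure and that callers must consult `errors`, because "" is also a legitimate return for an empty optional field. The blank `+` line left where the comment stood can be dropped.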
> @@ -264,8 +263,8 @@
> 
>                                 } catch (ValidationException e) {
> 
>                                                 errors.addError(context, e);
> 
>                                 }
> 
> -                              // error has been added to list, so return original input
> 
> -                              return input;
> 
> +
> 
> +                             return "";
> 
>                 }
> 
>  
> 
>                 /**
> 
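Review bot: for consistency with the last hunk in this patch, which keeps a one-line `// return empty byte array on error` comment, the bare `return "";` here would read better with a matching comment such as `// error has been added to list, so return empty string`; the blank `+` line above it is leftover whitespace.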
> @@ -298,9 +297,8 @@
> 
>                                 } catch (ValidationException e) {
> 
>                                                 errors.addError(context, e);
> 
>                                 }
> 
> -                              // error has been added to list, so return original input
> 
> -                              // TODO - optimize so that invalid input is not canonicalized twice
> 
> -                              return encoder.canonicalize(input);
> 
> +                            
> 
> +                             return "";
> 
>                 }
> 
>  
> 
>                 /**
> 
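Review bot: the added line here consists only of trailing spaces after the `+`, which whitespace lint will flag and which pollutes blame; drop it, as with the other hunks. Removing the double-canonicalization TODO together with the `encoder.canonicalize(input)` call it referred to is fine, since the failure path no longer canonicalizes at all.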
> @@ -370,8 +368,8 @@
> 
>                                 } catch (ValidationException e) {
> 
>                                                 errors.addError(context, e);
> 
>                                 }
> 
> -                              // error has been added to list, so return original input
> 
> -                              return input;
> 
> +
> 
> +                             return "";
> 
>                 }
> 
>  
> 
>  
> 
> @@ -448,14 +446,8 @@
> 
>                                 } catch (ValidationException e) {
> 
>                                                 errors.addError(context, e);
> 
>                                 }
> 
> -                              // error has been added to list, so return original input 
> 
> -                              // TODO - optimize so that invalid input is not canonicalized twice
> 
> -                              try {
> 
> -                                              return new File(input).getCanonicalFile().getName();
> 
> -                              } catch (IOException e) {
> 
> -                                              // TODO = consider logging canonicalization error?
> 
> -                                              return input;
> 
> -                              }
> 
> +                            
> 
> +                             return "";
> 
>                 }
> 
>                
> 
>                 /**
> 
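Review bot: dropping the `new File(input).getCanonicalFile().getName()` fallback means this failure path no longer uses `java.io.File` or `IOException`; check whether those imports are still used elsewhere in DefaultValidator.java so the build does not pick up unused-import warnings. The TODO about logging the canonicalization error disappears with the code rather than being resolved, which is acceptable here, and the added line is again whitespace-only.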
> @@ -488,7 +480,7 @@
> 
>                                 } catch (ValidationException e) {
> 
>                                                 errors.addError(context, e);
> 
>                                 }
> 
> -                              // error has been added to list, so return null
> 
> +
> 
>                                 return null;
> 
>                 }
> 
>                
> 
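Review bot: this hunk deletes the explanatory comment but leaves `return null;` unchanged, so its net effect is lost documentation plus a blank `+` line; either keep the comment or record the null-on-failure contract in the Javadoc, especially as this method now differs from its siblings in the patch, which return "". The reply in this thread asks about NaN versus null for the Double method; whichever is chosen, the contract should be written down at this return.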
> @@ -597,8 +589,8 @@
> 
>                                 } catch (ValidationException e) {
> 
>                                                 errors.addError(context, e);
> 
>                                 }
> 
> -                              // error has been added to list, so return original input
> 
> -                              return input;
> 
> +                             // return empty byte array on error
> 
> +                             return new byte[0];
> 
>                 }
> 
>                
> 
>                 /**
> 
>  
> 
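Review bot: this is the one hunk that comments the new failure value (`// return empty byte array on error`); use the same wording at the other `return "";` sites. Also note that `new byte[0]` is indistinguishable from a valid empty input, so the Javadoc should state explicitly that the error list, not the return value, signals failure.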
> 
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
> 
> 
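An added illustration (not ESAPI's code) of why the change is significant for callers: a simplified model of the getValidX(..., errorList) contract before and after the patch, showing that a caller which ignores the error list held tainted data under the old contract and an empty string under the new one. The class, the Errors stand-in, the allowed-character rule and the sample input are all constructed here.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Simplified model of the getValidX(..., errorList) contract from the thread. Added
// illustration only: the class, the Errors stand-in, the allowed-character rule and
// the sample input are constructed here; none of it is ESAPI code.
public class ValidatorContractDemo {
    /** Minimal stand-in for ESAPI's ValidationErrorList. */
    static final class Errors {
        final List<String> messages = new ArrayList<>();
    }
    static boolean invalid(String input, Pattern allowed, int maxLength) {
        return input == null || input.length() > maxLength || !allowed.matcher(input).matches();
    }
    // Contract before the patch: the tainted input was handed back on failure.
    static String getValidInputOld(String context, String input, Pattern allowed, int maxLength, Errors errors) {
        if (invalid(input, allowed, maxLength)) {
            errors.messages.add(context + ": invalid input");
            return input;   // a caller that ignores 'errors' now holds tainted data
        }
        return input;
    }
    // Contract after the patch: an empty string is handed back on failure.
    static String getValidInputNew(String context, String input, Pattern allowed, int maxLength, Errors errors) {
        if (invalid(input, allowed, maxLength)) {
            errors.messages.add(context + ": invalid input");
            return "";      // nothing usable reaches a caller that ignores 'errors'
        }
        return input;
    }
    public static void main(String[] args) {
        Pattern safeName = Pattern.compile("^[A-Za-z0-9_]{1,20}$");  // constructed rule
        String tainted = "<b>bob</b>";                                 // constructed sample input
        Errors oldErrors = new Errors();
        Errors newErrors = new Errors();
        String oldValue = getValidInputOld("username", tainted, safeName, 20, oldErrors);
        String newValue = getValidInputNew("username", tainted, safeName, 20, newErrors);
        System.out.println("old: value=" + oldValue + " errors=" + oldErrors.messages.size());
        System.out.println("new: value=\"" + newValue + "\" errors=" + newErrors.messages.size());
        // Under either contract the error list is the only reliable signal: "" is also what a
        // legitimately empty optional field looks like, so branch on 'errors', not on the value.
        if (!newErrors.messages.isEmpty()) {
            System.out.println("reject request: " + newErrors.messages);
        }
    }
}
```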