[Esapi-user] [Esapi-dev] ESAPI Input Validator and Exception

Kevin W. Wall kevin.w.wall at gmail.com
Tue Feb 2 00:10:51 EST 2010

Johan Lim wrote:
> Hi All,
> With the Validation Exception that is thrown by the input validator, can we
> customise the error message?
> I notice that currently it will throw a message telling user what the regex
> is for a particular field but I think the message may not be useful for user
> that don't know regex.

First question...which version of ESAPI? Second question...which particular
input validator specifically are you referring to? There are some
validators that have specific "user friendly" error messages (e.g., those
for date validation, credit card validation, etc.), but one validation rule--
StringValidationRule--has this "user friendly" (cough, cough) exception
that it throws:

throw new ValidationException( this.encoder.encodeForJavaScript(context) +
                                   ": Invalid input. Please conform to regex " +
                                   p.pattern() +
                                   ( maxLength == Integer.MAX_VALUE ? "" :
                                     " with a maximum length of " + maxLength ),
                               "Invalid input: context=" + context + ", type(" +
                                   getTypeName() + ")=" + p.pattern() +
                                   ", input=" + input +
                                   (NullSafe.equals(orig,input) ? "" :
                                     ", orig=" + orig), context );

and is probably the one you are talking about. ValidationException has several
constructors. The one used here is this one:
    /**
     * Creates a new instance of ValidationException.
     * @param userMessage	the message to display to users
     * @param logMessage	the message logged
     */
    public ValidationException(String userMessage, String logMessage);

It probably would be better to simply say

	"Invalid input. Please try again."

rather than all that geek-speak.  Unfortunately, since StringValidationRule
doesn't know if it's parsing a dollar amount from an address from the
name of a bank, it's hard for it to be much more specific. Furthermore, I
suppose the reasoning goes that there is some small set of the general
population that thinks everyone should have regular expressions tattooed on
their arm. (I didn't put this specific message in, but I can relate. Every once
in a while, our geekiness shows through. ;-)

Since we already have an appropriate message to log, I suggest that for the time
being (especially for 1.4.4), we punt and just use something like:

	"Invalid input; please try again."
	"Invalid input; please try again. " +
	  "Contact the help desk if you need further assistance."

This pondering has caused me to think about another more generic, long-term
approach (e.g., 2.1 timeframe) for all this, but I don't have time to write
it up tonight. Maybe in a few days.

Anyhow, I hope this addresses Johan's issue somewhat.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
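An added example, not code from ESAPI or from this thread: the caller, which knows what each context means, picks the user-facing wording, while the regex and raw input stay in the log message only. It assumes the ESAPI 2.x Java API (StringValidationRule, ValidationException.getContext() and getLogMessage()); the rule name, contexts and friendly texts are made-up sample values.

```java
import java.util.Map;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.StringValidationRule;

public class FriendlyValidationMessages {

    // Fallback wording for any field; never echoes the regex or the raw input.
    static final String GENERIC =
        "Invalid input; please try again. Contact the help desk if you need further assistance.";

    // The caller knows what each context means, so it can be specific where the rule cannot.
    // (Sample contexts and texts constructed for this example.)
    static final Map<String, String> FRIENDLY = Map.of(
        "accountNumber", "Account number must be 8 to 12 digits.",
        "amount",        "Amount must be a number such as 12.50.");

    /** Returns the message to show the user for a failed validation. */
    public static String userMessageFor(ValidationException e) {
        String ctx = e.getContext();
        return ctx != null && FRIENDLY.containsKey(ctx) ? FRIENDLY.get(ctx) : GENERIC;
    }

    public static void main(String[] args) {
        // Sample rule: a made-up "AccountNumber" type allowing 8 to 12 digits.
        StringValidationRule rule =
            new StringValidationRule("AccountNumber", ESAPI.encoder(), "^[0-9]{8,12}$");
        rule.setMaximumLength(12);

        try {
            rule.getValid("accountNumber", "12ab");
        } catch (ValidationException e) {
            // e.getUserMessage() is the regex-laden text quoted above; show our own instead.
            System.out.println("To user: " + userMessageFor(e));
            // Detail for operators. Constructing the ValidationException already reported it
            // to ESAPI's intrusion detector, so do not build a second exception just to reword it.
            System.out.println("To log : " + e.getLogMessage());
        }
    }
}
```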
