[Esapi-user] [Esapi-dev] ESAPI Input Validator and Exception
chrisisbeef at gmail.com
Tue Feb 2 00:59:19 EST 2010
*cough* ResourceBundle *cough*
For example, check out how I did it in esapi4js. There are some slight
syntactic differences to do it in Java, but the idea is the same.
Basically, a ValidationRule has an associated ResourceBundle that it uses,
this is configured through configuration (or as a runtime decision based on
the client Locale). This allows for both i18n support and customized
messaging for errors in validation logic. :)
Just an idea.
Granted, ResourceBundles can generally be a pain in the butt, but they work
well once they are implemented.
On Mon, Feb 1, 2010 at 10:10 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> Johan Lim wrote:
> > Hi All,
> > With the Validation Exception that is thrown by the input validator, can
> > customise the error message?
> > I notice that currently it will throw a message telling user what the
> > is for a particular field but I think the message may not be useful for
> > that don't know regex.
> First question...which version of ESAPI? Second question...which particular
> input validator specifically are you referring to? There are some
> validators that have specific "user friendly" error messages (e.g., those
> for date validation, credit card validation, etc.), but one validation
> StringValidationRule--which is has this "user friendly" (cough, cough)
> that it throws:
>     ": Invalid input. Please conform to regex " +
>     p.pattern() +
>     ( maxLength == Integer.MAX_VALUE ? "" :
>         " with a maximum length of " + maxLength ),
>     "Invalid input: context=" + context + ", type(" +
>     getTypeName() + ")=" + p.pattern() +
>     ", input=" + input +
>     (NullSafe.equals(orig,input) ? "" : ", orig=" + orig), context );
> and is probably the one you are talking about. ValidationException has
> constructors. The one used here is this one:
>     /**
>      * Creates a new instance of ValidationException.
>      * @param userMessage the message to display to users
>      * @param logMessage the message logged
>      */
>     public ValidationException(String userMessage, String logMessage);
> It probably would be better to simply say
> "Invalid input. Please try again."
> rather than all that geek-speak. Unfortunately, since StringValidationRule
> doesn't know if its parsing a dollar amount from an address from the
> name of a bank, it's hard for it to be much more specific. Furthermore, I
> suppose the reasoning goes that there is some small set of the general
> population that thinks everyone should have regular expressions tattooed on
> their arm. (I didn't put this specific message in, but I can relate. Every
> in a while, our geekiness shows through. ;-)
> Since we already have an appropriate message to log, I suggest that for the
> being (especially for 1.4.4), we punt and just use something like:
> "Invalid input; please try again."
> "Invalid input; please try again. " +
> "Contact the help desk if you need further assistance."
> This pondering has caused me to think about another more generic, long-term
> approach (e.g., 2.1 timeframe) for all this, but I don't have time to write
> it up tonight. Maybe in a few days.
> Anyhow, I hope this addresses Johan's issue somewhat.
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
OWASP ESAPI Developer
Check out OWASP ESAPI for Java
Yet Another Developers Blog
Bio and Resume
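The ResourceBundle idea from this message, combined with the user-message/log-message split discussed in the quoted reply, sketched in Java as an added example (not code from ESAPI or esapi4js). The names `LocalizedRuleDemo`, `RuleException`, `Messages`, and the bundle keys are hypothetical, and the bundles and sample input are constructed for illustration.

```java
import java.util.*;
import java.util.regex.Pattern;

public class LocalizedRuleDemo {
    // Hypothetical exception keeping the user-facing and log messages apart.
    static class RuleException extends Exception {
        final String logMessage;
        RuleException(String userMessage, String logMessage) {
            super(userMessage);
            this.logMessage = logMessage;
        }
    }
    // Constructed bundles, declared inline so no .properties files are needed.
    public static class Messages extends ListResourceBundle {
        protected Object[][] getContents() {
            return new Object[][] {{"default", "Invalid input; please try again."},
                                   {"zip", "Please enter a 5-digit ZIP code."}};
        }
    }
    public static class Messages_de extends ListResourceBundle {
        protected Object[][] getContents() {
            return new Object[][] {{"zip", "Bitte eine 5-stellige Postleitzahl eingeben."}};
        }
    }
    static String validate(String context, String input, Pattern p, Locale locale)
            throws RuleException {
        if (input != null && p.matcher(input).matches()) return input;
        // No-fallback control: an unknown client locale gets the base bundle,
        // not whatever the server JVM's default locale happens to be.
        ResourceBundle rb = ResourceBundle.getBundle("LocalizedRuleDemo$Messages", locale,
                ResourceBundle.Control.getNoFallbackControl(ResourceBundle.Control.FORMAT_CLASS));
        String user = rb.containsKey(context) ? rb.getString(context) : rb.getString("default");
        // Regex and input go only to the log; CR/LF replaced so input cannot forge entries.
        String safe = String.valueOf(input).replaceAll("[\\r\\n]", "_");
        throw new RuleException(user, "Invalid input: context=" + context
                + ", pattern=" + p.pattern() + ", input=" + safe);
    }
    public static void main(String[] args) {
        Pattern zip = Pattern.compile("^\\d{5}$");
        for (Locale l : new Locale[] {Locale.ENGLISH, Locale.GERMAN}) {
            try {
                validate("zip", "12a45\nforged line", zip, l);
            } catch (RuleException e) {
                System.out.println("user: " + e.getMessage());
                System.out.println("log:  " + e.logMessage);
            }
        }
    }
}
```

The user-facing string never contains the pattern or the rejected input, so the page shown to the client reveals nothing about the validation logic, while the log line keeps the detail an operator needs.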