[Esapi-user] Validation fields with JSF

Sebastian smarichal at seciu.edu.uy
Wed Feb 24 11:24:45 EST 2010


I've been investigating this for a month and I've read a lot of 
ESAPI-OWASP documents; what is more, actually I'm using CSRFGuard in 
order to prevent CSRF attacks. I know about the existence of encoders 
and validators provided by ESAPI. The document "OWASP Top Ten For 
JavaEE" says this:

Use JSF validation server-side:
o f:validateLength for the allowed length of input
<f:validateLength minimum="2" maximum="10"/>
o <h:inputText required="true"> if an input field is required

So you recommend not to use this? You recommend calling ESAPI functions in the 
backing bean code?
I think that ESAPI validators have a good point because they are capable of 
detecting attacks too...

David Sklarew wrote:
> Sebastian,
>>> "I'll appreciate it if you can tell me if it is 
> better validate the fields using <f:validate> or <h:inputText 
> required='true'>
> This is the ESAPI mailing list and hopefully most members would agree that
> you could use the ESAPI Java library (the latest 2.X version is recommended
> over the 1.x version) to validate input and to encode all variable output
> included in your webpages (to prevent Cross Site Scripting Attacks). The
> OWASP website has a good wiki page on preventing cross site scripting
> attacks.
> David
> -----Original Message-----
> From: esapi-user-bounces at lists.owasp.org
> [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Sebastian
> Sent: Wednesday, February 24, 2010 10:05 AM
> To: esapi-user at lists.owasp.org
> Subject: [Esapi-user] Validation fields with JSF
> Hi everybody, I'm new in the esapi-user list.
> Actually I'm investigating security configurations for a JavaEE + JSF 
> application.
> The system has 2 components, an EJB Project called "Logica" and a 
> presentation component called "WebComponent".
> So, the validations in the pages of WebComponent are done with 
> JavaScript. And when the data arrives at "Logica" then it is validated 
> again (server side).
> I would like to ask you if it is necessary to validate fields in the 
> "WebComponent" on the server side, not only in JavaScript. Why?
> And if the answer is "Yes", I'll appreciate it if you can tell me if it is 
> better to validate the fields using <f:validate> or <h:inputText 
> required='true'> or just validate in the code of the BackingBean??
> Thank you very much!
> Sebastian
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
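
The two options discussed in this thread (JSF validation tags versus calling ESAPI from the backing bean) are not mutually exclusive. The following is an added example, not code from the thread or from the ESAPI project, showing a JSF 2.0 custom validator that delegates to the ESAPI Validator, so the check runs server-side on every request and ESAPI's intrusion detection still fires; the validator id `esapiSafeString`, the `SafeString` pattern name (assumed to be a `Validator.SafeString` regex entry in ESAPI.properties) and the length limit are assumptions.

```java
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

// Hypothetical JSF validator: attach it to a field with
// <f:validator validatorId="esapiSafeString"/> next to required="true".
@FacesValidator("esapiSafeString")
public class EsapiSafeStringValidator implements Validator {

    // Assumed: "SafeString" names a Validator.SafeString regex in ESAPI.properties.
    private static final String PATTERN_NAME = "SafeString";
    private static final int MAX_LENGTH = 50;

    @Override
    public void validate(FacesContext ctx, UIComponent component, Object value)
            throws ValidatorException {
        String input = (value == null) ? null : value.toString();
        // The client id identifies the field in ESAPI's validation/intrusion log entries.
        String context = component.getClientId(ctx);
        try {
            // Canonicalizes the input, then enforces the whitelist regex and max length.
            // allowNull=false rejects an empty value if JSF hands one to the validator
            // (JSF may skip validators for empty fields, hence also keep required="true").
            ESAPI.validator().getValidInput(context, input, PATTERN_NAME, MAX_LENGTH, false);
        } catch (ValidationException e) {
            // Ordinary bad input: report it to the user with ESAPI's user-safe message.
            FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Invalid value", e.getUserMessage());
            throw new ValidatorException(msg);
        } catch (IntrusionException e) {
            // ESAPI's IntrusionDetector classified the input as an attack and has
            // already logged it; fail the request without echoing any detail.
            FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Invalid value", "Request rejected");
            throw new ValidatorException(msg);
        }
    }
}
```

Because the validator runs in the JSF Process Validations phase, the backing bean's setters are never reached with rejected input, and the ESAPI validation log records which field was attacked.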
