[Esapi-user] encoding Validation error messages?

Jim Manico jim.manico at owasp.org
Tue Jun 29 07:07:41 EDT 2010


Folks,

The error messages coming out of ESAPI's validation mechanism are 
encoded strangely.

I'd like to no longer JavaScript encode the context of validation errors 
as you can see in the code below.

I think we need to assume that validation messages are tainted and 
should be output encoded on display depending on context... right?

This is killing me because I'm creating a JSON object with validation 
messages - and the JSON tool I'm using automatically JS encodes this 
data - I want to use this data plaintext and let my automatic JSON tools 
encode.

Thoughts? Ok to drop this?

(From org.owasp.esapi.reference.validation.StringValidationRule)

    private String checkLength(String context, String input, String orig) throws ValidationException
    {
        if (input.length() < minLength) {
            // First argument is the user-facing message: the context is JavaScript-encoded here.
            // Second argument is the log message, which carries the raw context and input.
            throw new ValidationException(
                this.encoder.encodeForJavaScript(context) + ": Invalid input. The minimum length of "
                    + minLength + " characters was not met.",
                "Input does not meet the minimum length of " + minLength + " by "
                    + (minLength - input.length()) + " characters: context=" + context
                    + ", type=" + getTypeName() + ", input=" + input
                    + (NullSafe.equals(input, orig) ? "" : ", orig=" + orig),
                context );
        }

        if (input.length() > maxLength) {
            // Same pattern for the upper bound: encoded context in the user message only.
            throw new ValidationException(
                this.encoder.encodeForJavaScript(context) + ": Invalid input. The maximum length of "
                    + maxLength + " characters was exceeded.",
                "Input exceeds maximum allowed length of " + maxLength + " by "
                    + (input.length() - maxLength) + " characters: context=" + context
                    + ", type=" + getTypeName() + ", orig=" + orig + ", input=" + input,
                context );
        }

        return input;
    }

-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
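The double-encoding problem the post describes, shown as an added example that is not ESAPI code and not part of the original message: `encodeForJavaScript` and `encodeForHTML` below are simplified stand-ins for ESAPI-style encoders (an assumption about their encoding style, not ESAPI's implementation), `CONTEXT` is a constructed field name, and the message builders mirror the two ways `checkLength()` could assemble its user-facing message. Pre-encoding the context for JavaScript and then handing the message to a JSON serializer leaves the client holding literal `\xHH` sequences, while keeping the message as tainted plaintext lets it survive the JSON round trip intact and be encoded once, for the real output context, at display time.

```javascript
// Added example (not ESAPI code): why JavaScript-encoding a validation message
// before it is placed in JSON double-encodes it, and why deferring encoding to
// the output context keeps the message intact.

// Simplified stand-in for an ESAPI-style JavaScript encoder: every character
// that is not A-Z, a-z or 0-9 becomes a \xHH (or \uHHHH) escape. This is an
// assumption about the encoding style, not ESAPI's exact implementation.
function encodeForJavaScript(s) {
  let out = "";
  for (const ch of s) {
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else {
      const code = ch.codePointAt(0);
      out += code < 0x100
        ? "\\x" + code.toString(16).toUpperCase().padStart(2, "0")
        : "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
    }
  }
  return out;
}

// Stand-in HTML encoder for the display context (again not ESAPI's own).
function encodeForHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// User-facing message built the way checkLength() in the post builds it,
// with the context already JavaScript-encoded.
function buildMessagePreEncoded(context, minLength) {
  return encodeForJavaScript(context) +
    ": Invalid input. The minimum length of " + minLength + " characters was not met.";
}

// Same message with the context left as tainted plaintext.
function buildMessagePlain(context, minLength) {
  return context +
    ": Invalid input. The minimum length of " + minLength + " characters was not met.";
}

// Serialise into the JSON object the post describes, then read it back the
// way a client would. Returns the string the client ends up holding.
function roundTripThroughJson(message) {
  const json = JSON.stringify({ errors: [message] });
  return JSON.parse(json).errors[0];
}

// Constructed sample: a field name containing characters the encoder escapes.
const CONTEXT = "user<name>";

// Pre-encoded path: JSON.stringify escapes the backslashes, JSON.parse restores
// them, so the client still sees "user\x3Cname\x3E" rather than "user<name>".
const clientPreEncoded = roundTripThroughJson(buildMessagePreEncoded(CONTEXT, 5));

// Plaintext path: the message round-trips unchanged and is encoded once, for
// the HTML context, at the point of display.
const clientPlain = roundTripThroughJson(buildMessagePlain(CONTEXT, 5));
const displayedPlain = encodeForHTML(clientPlain);

console.log("pre-encoded, after JSON round trip:", clientPreEncoded);
console.log("plaintext, after JSON round trip:  ", clientPlain);
console.log("plaintext, HTML-encoded for display:", displayedPlain);
```

The JSON layer is doing its job correctly in both cases; the difference is only whether the message entered it already carrying escapes for a context it will never be rendered in.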
