[Esapi-user] open text fields

Matthew Presson matthew.presson at gmail.com
Thu May 26 10:02:11 EDT 2011


Open text fields, especially those that exist in applications that must
support multiple locales, have always been tricky. In the past, I have
always taken the stance that the risk is acceptable not to do input
validation on these types of fields as long as the following conditions are
stringently met:

     1. The input provided in the field is not used in *any* type of
        business logic decision within the app.
     2. It is verified, through code reviews, that *every* place the input
        is ever displayed is properly encoded based upon the required
        context, e.g. HTML, JS, CSS, etc.

All-in-all, a developer should really be concerned about two* scenarios
concerning input:

     1. Will the input be used in some code path execution/business logic
        decision? If so, it MUST be validated. This especially includes any
        authentication and authorization decisions.
     2. Will the input be displayed back to the user? If so, it must be
        encoded for the proper context when being displayed.

*This assumes that all database access code is using bindable queries to
prevent things like SQL Injection.