[Esapi-user] Validation help

Luke Biddell luke.biddell at gmail.com
Wed Jan 30 10:24:45 UTC 2013


I'm hoping to canvas your opinion around some input
validation/canonicalization we're looking to do.

The scenario is that we're building a form of event logger. The API to the
event logger is internal only at the moment, but we will open it up as an
authenticated REST API at some point in the future.

The event itself is pretty standard in most respects, it has a title, tags
and so forth. Validating these is pretty easy using the ESAPI validator and
I'm comfortable we've got that part correct.

The part I'm uncomfortable with is validating the body of the event.

The intention is that we might store some xml (etc of a failed soap call)
or some json or maybe even HTML. It's going to be pretty free form.and we
don't want to restrict it too much. However, the events will surface in an
HTML event viewer application.

So I'm fishing for advice on how to validate the event body. We could do
some black-listing  but that always feels like the path to the dark side.
But, white-listing something that's so free format is also proving hard to

Do you chaps have any experience around this pattern? Do we need to narrow
our scope around the format?

Extremely grateful of any help you can provide.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20130130/d87daea3/attachment.html>

More information about the Esapi-user mailing list