commons-issues mailing list archives

From "Ralf Hauser (JIRA)" <j...@apache.org>
Subject [jira] Commented: (VALIDATOR-228) allow to cite the offending value if a validation fails as argument (Trusted-Input vs. Filter Concept)
Date Sat, 17 Nov 2007 18:16:43 GMT

    [ https://issues.apache.org/jira/browse/VALIDATOR-228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543298 ]

Ralf Hauser commented on VALIDATOR-228:
---------------------------------------

Sure, the EmailValidator.isValid() only returns a boolean, but with Struts, the validation.xml
allows you to give an error resource and have the email address inserted as an argument.

So, if the display media really is Struts, you hopefully use TagUtils.getInstance().filter()
almost automatically, but for other output media there may be other filters needed (e.g. anti
SQL-injection) if storing into a DB.

> allow to cite the offending value if a validation fails as argument (Trusted-Input vs. Filter Concept)
> ------------------------------------------------------------------------------------------------------
>
>                 Key: VALIDATOR-228
>                 URL: https://issues.apache.org/jira/browse/VALIDATOR-228
>             Project: Commons Validator
>          Issue Type: Improvement
>          Components: Framework
>         Environment: any
>            Reporter: Ralf Hauser
>             Fix For: Validator2
>
>
> for example if an email recipient in a webmail form is deemed to be wrong, it is useful to cite which recipient it was since there could have been several recipients in the form.
> To do this safely, the email needs to be considered untrusted, since it may contain a cross-site-script (XSS).
> For inspiration, have a look how we paired untrusted inputs (should be the default) with filtering in org.bouncycastle.i18n
> (if you use it for example in tomcat, there are also some tricky class-loader issues that are solved by now...)
> previous discussions on this are in https://issues.apache.org/struts/browse/STR-1946

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
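The pattern discussed in the comment above (a boolean validator, an error resource that cites the rejected value as an argument, and a sink-specific filter applied to that value because it is untrusted) is illustrated below. This is an added example and not code from the JIRA issue, Commons Validator or Struts: `isValid` is a deliberately simple stand-in for `EmailValidator.isValid()`, `filterForHtml` is a stand-in for `TagUtils.getInstance().filter()`, `ERROR_RESOURCE` plays the role of a `validation.xml` error message with a `{0}` argument, and the recipient list is constructed sample input. It uses only the JDK.

```java
// Added example (not part of the JIRA issue or Commons Validator): an error
// message that cites the rejected value while still treating it as untrusted.
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class UntrustedArgumentDemo {

    // Stand-in for EmailValidator.isValid(): a deliberately simple pattern, not
    // the library's rules. Like the real method it only answers yes or no; it
    // never tells the caller anything about what to show the user.
    private static final Pattern SIMPLE_EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    static boolean isValid(String email) {
        return email != null && SIMPLE_EMAIL.matcher(email).matches();
    }

    // Stand-in for TagUtils.getInstance().filter(): HTML-escapes the characters
    // that can break out of text content or a quoted attribute value.
    static String filterForHtml(String untrusted) {
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Plays the role of an error resource such as
    //   errors.email={0} is not a valid e-mail address.
    // The template is trusted (it comes from the application); only the
    // argument substituted into {0} is user-controlled.
    private static final String ERROR_RESOURCE = "{0} is not a valid e-mail address.";

    // Validate each recipient; for every failure, build a message that cites
    // the offending value. The value is filtered for the sink (HTML) before it
    // is substituted, so the rendered page cannot be influenced by it.
    static List<String> validateRecipientsForHtml(List<String> recipients) {
        List<String> errors = new ArrayList<>();
        for (String r : recipients) {
            if (!isValid(r)) {
                errors.add(MessageFormat.format(ERROR_RESOURCE, filterForHtml(r)));
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed sample input: one good recipient, one typo, and one value
        // that would be rendered as markup if it were inserted unfiltered.
        List<String> recipients = List.of(
            "alice@example.org",
            "bob@example",
            "<script>alert(1)</script>@example.org");

        for (String msg : validateRecipientsForHtml(recipients)) {
            System.out.println(msg);
        }
    }
}
```

The filter is chosen per sink, not per validator: the same rejected value written to a log line, a plain-text mail or a database needs a different treatment (for a database, a parameterized statement rather than a string filter), which is why the example keeps the boolean check and the HTML escaping as separate steps instead of folding escaping into `isValid`.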

