Open meg23 opened 10 years ago
From chrisisbeef on December 01, 2009 23:59:12
Scheduled for 2.1
Labels: -Type-Defect Type-Enhancement Milestone-Release2.1
From manico.james@gmail.com on October 31, 2010 23:04:02
Status: Accepted
From chrisisbeef on November 20, 2010 13:52:15
Labels: Component-Validator
From rob.spre...@gmail.com on November 12, 2009 17:02:34
Certain certifications, such as PCI-DSS, mandate that sensitive information cannot be persisted, including in log files. If a credit card number or CVV, for example, fails input validation, the getValid method will log the CC# entered into the logfile, even though it is not displayed to the user. This is not easily controllable: because the intrusion detector is handling the logging, we don't have a chance to override the fact that the input value has been logged.

What is the expected output? What do you see instead?
The expectation is that either we have a means of overriding the messages that are getting formed, by making the ValidationExceptions have hooks to change the content of the message, or alternatively, provide a settable flag somewhere that indicates the UI message should be used for logs as well.

What version of the product are you using? On what operating system?
2.0rc4, All

Please provide any additional information below.
The key to address here is that the method of preventing the log should be accessible by a superclass, but the superclass should not be required to rewrite all the validation logic, as the only thing that needs to be changed is the messages we log.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=57
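The hook-based fix the report asks for (a subclass controls the log message without re-implementing validation), shown as an added, self-contained Java example. This is not ESAPI code and uses no ESAPI classes: `InputValidator`, `PciSafeValidator`, `ValidationFailure`, `CapturingLogger` and the `formatLogMessage` hook are hypothetical names chosen for the demo, and the exception only mirrors the two-message shape (a user message separate from a log message) described in the report. The card-number pattern and the sample value are constructed test data.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not ESAPI code. Demonstrates an overridable log-message hook so a
// subclass can keep rejected sensitive input (e.g. a PAN) out of the log while reusing
// the base class's validation logic unchanged.
public class RedactingValidationDemo {

    /** Stand-in for a security logger; collects lines so the demo can inspect them. */
    static final class CapturingLogger {
        final List<String> lines = new ArrayList<>();
        void warning(String msg) { lines.add(msg); }
    }

    /** Hypothetical exception carrying a safe user message and a separate log message. */
    static final class ValidationFailure extends Exception {
        private final String logMessage;
        ValidationFailure(String userMessage, String logMessage) {
            super(userMessage);
            this.logMessage = logMessage;
        }
        String getUserMessage() { return getMessage(); }
        String getLogMessage() { return logMessage; }
    }

    /** Base validator: the validation rule and the logging call live here, once. */
    static class InputValidator {
        protected final CapturingLogger log;
        InputValidator(CapturingLogger log) { this.log = log; }

        /** Hook: the default echoes the rejected input into the log (the reported behaviour). */
        protected String formatLogMessage(String context, String input) {
            return "Invalid input for " + context + ": '" + input + "'";
        }

        String getValidInput(String context, String input, Pattern rule) throws ValidationFailure {
            if (input != null && rule.matcher(input).matches()) {
                return input;
            }
            ValidationFailure f = new ValidationFailure(
                "Invalid " + context + " entered.", formatLogMessage(context, input));
            log.warning(f.getLogMessage()); // what the intrusion detector would record
            throw f;
        }
    }

    /** Subclass overrides only the hook: the raw value never reaches the log. */
    static class PciSafeValidator extends InputValidator {
        PciSafeValidator(CapturingLogger log) { super(log); }

        @Override
        protected String formatLogMessage(String context, String input) {
            return "Invalid input for " + context + ": [" + mask(input) + "]";
        }

        /** Keep only the last four digits; everything else is replaced. */
        static String mask(String input) {
            if (input == null) return "null";
            String digits = input.replaceAll("\\D", "");
            if (digits.length() <= 4) return "***";
            return "****" + digits.substring(digits.length() - 4);
        }
    }

    // Constructed for the demo: a PAN must be 13-19 digits with no separators.
    static final Pattern PAN_RULE = Pattern.compile("\\d{13,19}");
    // Constructed sample: a well-known test number with spaces, so it fails the rule.
    static final String BAD_PAN = "4111 1111 1111 1111";

    public static void main(String[] args) {
        CapturingLogger plainLog = new CapturingLogger();
        try {
            new InputValidator(plainLog).getValidInput("CreditCard", BAD_PAN, PAN_RULE);
        } catch (ValidationFailure e) {
            // Default behaviour: the full value has been written to the log.
        }

        CapturingLogger safeLog = new CapturingLogger();
        try {
            new PciSafeValidator(safeLog).getValidInput("CreditCard", BAD_PAN, PAN_RULE);
        } catch (ValidationFailure e) {
            System.out.println("User sees   : " + e.getUserMessage());
        }

        System.out.println("Default log : " + plainLog.lines.get(0));
        System.out.println("Redacted log: " + safeLog.lines.get(0));

        // Check: no line logged by the PCI-safe validator contains the full digit string.
        String fullDigits = BAD_PAN.replaceAll("\\D", "");
        for (String line : safeLog.lines) {
            if (line.replaceAll("\\D", "").contains(fullDigits)) {
                throw new AssertionError("PAN leaked into log: " + line);
            }
        }
    }
}
```

The report's second alternative, a flag that makes the log reuse the UI message, is the same hook with a different body: return the user message (or a fixed string) from `formatLogMessage` instead of a masked value. Either way the base class keeps a single copy of the validation rule and the subclass changes only what is logged.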