Calling
ESAPI.validator().getValidInput("...", "%252%35252\u0036lt;", SafeString, 200,
false)
with
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
in my validation.properties throws a ValidationException instead of an
IntrusionException because of the multiple and mixed encoding
(Encoder.AllowMultipleEncoding and Encoder.AllowMixedEncoding are both set to
false in the esapi.properties).
The expected default behavior of the getValidInput method is that it
canonicalizes the input and validates it afterwards. But when I had a look into
the code I saw that it first validates the input, then canonicalizes it and then
validates it once again, which leads to the ValidationException during the first
validation because % is not an alphanumeric character. The API docs of
getValidInput say "Input is canonicalized by default before validation."
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/reference/DefaultValidator.html#getValidInput(java.lang.String,%20java.lang.String,%20java.lang.String,%20int,%20boolean)
Original issue reported on code.google.com by Christop...@googlemail.com on 18 Jul 2012 at 4:45
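The following is an added example, not code from the issue reporter or from ESAPI. It models the two orderings the report contrasts with a small canonicalizer that tracks which codec fired on each pass: validate-then-canonicalize (what the reporter found in the code) surfaces the reported input as a ValidationException because the raw "%" fails the whitelist, while canonicalize-then-validate (what the API docs describe) surfaces it as an IntrusionException because the input is percent-encoded four times and then HTML-entity encoded. The decoder loop, the exception classes and the function names are assumptions made for illustration; the ASCII regex stands in for the \p{Alnum}/\p{Space} classes, which Python's re does not support.

```python
import html
import re


class ValidationException(Exception):
    """Input did not match the whitelist pattern (models ESAPI's ValidationException)."""


class IntrusionException(Exception):
    """Input used multiple or mixed encodings (models ESAPI's IntrusionException)."""


# Python's re has no \p{Alnum}/\p{Space}; this is the ASCII equivalent of
# Validator.SafeString=^[.\p{Alnum}\p{Space}]{0,1024}$ from the report.
SAFE_STRING = re.compile(r"^[.A-Za-z0-9\s]{0,1024}$")

# The reporter's input: the Java literal "%252%35252\u0036lt;" is the string
# below (\u0036 is the digit 6). Four percent-decodes followed by one
# HTML-entity decode yield "<".
REPORTED_INPUT = "%252%352526lt;"

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode_once(s: str) -> str:
    """One left-to-right pass of %XX decoding, no recursion."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def html_decode_once(s: str) -> str:
    """One pass of HTML entity decoding (&lt; -> <), no recursion."""
    return html.unescape(s)


def canonicalize(value: str, allow_multiple: bool = False, allow_mixed: bool = False) -> str:
    """Apply every codec until nothing changes, recording which codec fired on
    each pass. The same codec firing more than once is multiple encoding;
    different codecs firing is mixed encoding. This is a simplified model of
    ESAPI's Encoder.canonicalize() behaviour (an assumption), not its code."""
    codecs = {"percent": percent_decode_once, "html": html_decode_once}
    fired = []
    current = value
    while True:
        changed = False
        for name, decode in codecs.items():
            decoded = decode(current)
            if decoded != current:
                fired.append(name)
                current = decoded
                changed = True
        if not changed:
            break
    multiple = any(fired.count(name) > 1 for name in codecs)
    mixed = len(set(fired)) > 1
    if multiple and not allow_multiple:
        raise IntrusionException(f"multiple encoding detected: {fired}")
    if mixed and not allow_mixed:
        raise IntrusionException(f"mixed encoding detected: {fired}")
    return current


def get_valid_input_as_observed(value: str, pattern=SAFE_STRING, canonicalize_input: bool = True) -> str:
    """Order the reporter saw in the code: validate the raw input first, then
    canonicalize, then validate again. A '%' in the raw input fails the first
    check before the encoding analysis ever runs."""
    if not pattern.fullmatch(value):
        raise ValidationException("raw input failed whitelist")
    canonical = canonicalize(value) if canonicalize_input else value
    if not pattern.fullmatch(canonical):
        raise ValidationException("canonical input failed whitelist")
    return canonical


def get_valid_input_as_documented(value: str, pattern=SAFE_STRING, canonicalize_input: bool = True) -> str:
    """Order the API docs describe: canonicalize first, so encoding attacks
    surface as IntrusionException, then validate the canonical form."""
    canonical = canonicalize(value) if canonicalize_input else value
    if not pattern.fullmatch(canonical):
        raise ValidationException("canonical input failed whitelist")
    return canonical


def outcome(fn, value: str) -> str:
    """Name of the exception fn raises for value, or 'ok:<result>' if none."""
    try:
        return "ok:" + fn(value)
    except (ValidationException, IntrusionException) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for fn in (get_valid_input_as_observed, get_valid_input_as_documented):
        print(fn.__name__, "->", outcome(fn, REPORTED_INPUT))
```

With canonicalize-first, a singly encoded payload such as "%3Cscript%3E" still decodes cleanly and is then rejected by the whitelist as a ValidationException, while a double-encoded "%253C" or a mixed "%26lt;" is reported as an IntrusionException before the whitelist is consulted; the distinction is lost entirely when the raw input is pattern-checked first.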