raviteja07 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
0 stars 0 forks source link

Cannot Override Error Messages thrown in ValidationRules #57

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Certain certifications, such as PCI-DSS, mandate that sensitive 
information cannot be persisted, including in log files.  If a credit card 
number or CVV, for example, fails input validation, the getValid method 
will log the CC# entered into the logfile, even though it is not displayed 
to the user.  This is not easily controllable, because the intrusion 
detector is handling the logging, we don't have a chance to override the 
fact that the input value has been logged.

What is the expected output? What do you see instead?
The expectation is that either we have a means of overriding the messages 
that are getting formed, by making the ValidationExceptions have hooks to 
change the content of the message, or alternatively, provide a settable 
flag somewhere that indicates the UI message should be used for logs as 
well.

What version of the product are you using? On what operating system?
2.0rc4, All

Please provide any additional information below.
the key to address here is that the method of preventing the log should be 
accessable by a superclass, but the superclass should not be required to 
rewrite all the validation logic as the only think that needs to be 
changed is the messages we log.

Original issue reported on code.google.com by rob.spre...@gmail.com on 12 Nov 2009 at 10:02

GoogleCodeExporter commented 9 years ago
Scheduled for 2.1

Original comment by chrisisbeef on 2 Dec 2009 at 7:59

GoogleCodeExporter commented 9 years ago

Original comment by manico.james@gmail.com on 1 Nov 2010 at 6:04

GoogleCodeExporter commented 9 years ago

Original comment by chrisisbeef on 20 Nov 2010 at 9:52