The attached zipped project is finished and tested code for moving validation
patterns of HTTP fields like Email, etc. out of ESAPI.properties. This will
improve the API since it will allow definition of HTTP validation per web
application instead of the system-wide effect of ESAPI.properties.
New packages:
1. org.owasp.esapi.fields
The ESAPI fields package provides interfaces to model a so-called
"SiteDefinition". A SiteDefinition allows for validation and checks of every
possible HTTP parameter that is used by a Java web application. Unlike
ESAPI.properties, which is set via a system property, a SiteDefinition can (and
should) be set per web application.
The idea is to provide the system with a list of the most important HTTP
parameters that you need to validate within a web site. By HTTP parameters we
mean, for example, the name of a textbox or a list control on an HTML form. For
each of these parameters the system needs to know:
The parameter name.
The parameter's validation pattern to match when validating its value received
in an HTTP request.
Optionally, a String array of the allowed URIs that this parameter can appear
on.
Maximum allowed length of a received HTTP parameter value.
Whether to allow blanks or not.
In addition, the SiteDefinition needs the following application-wide settings:
Website name.
Default validation pattern: because it is impractical to define every single
web site HTTP parameter, this is the default validation pattern to be used for
HTTP parameters not explicitly defined.
Maximum allowed length: default maximum length for HTTP parameters not
explicitly defined.
Parameter name validation pattern.
The maximum HTTP parameter name length.
The maximum HTTP cookie name length.
The maximum HTTP cookie value length.
The validation pattern used to validate cookie values.
The validation pattern used to validate cookie names.
The maximum HTTP header value length.
The maximum HTTP header name length.
The validation pattern used to validate HTTP header values.
The validation pattern used to validate HTTP header names.
The ESAPI-Site-Definition.xsd file within this package defines the structure
mentioned above for loading site definitions from XML files.
2. org.owasp.esapi.reference.fields
Contains the implementation of web site validation from definitions stored in
an XML file.
Original issue reported on code.google.com by christof...@gmail.com on 26 Feb 2012 at 8:08
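The following is an added example, not code from the attached project or from ESAPI's API, showing how a per-application site definition of the shape described in the report above would be consulted when a request parameter is validated: an explicitly defined parameter is checked against its own pattern, length limit, blank rule and allowed URIs, while an undefined parameter falls back to the application-wide defaults, and the parameter name itself is always checked against the application-wide name pattern and length. The record and class names (`SiteDefinition`, `ParamRule`, `getValidParameter`), the sample rules and the sample requests are all hypothetical; the XML loading that the report puts in `org.owasp.esapi.reference.fields` is left out, so the definition is built in code.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical per-application site definition; not ESAPI's own classes. */
public final class SiteDefinitionExample {

    /** Rule for one explicitly defined HTTP parameter. allowedUris == null means "any URI". */
    record ParamRule(Pattern value, int maxLength, boolean allowBlank, Set<String> allowedUris) {}

    /** Application-wide settings plus the explicitly defined parameters (cookies/headers omitted). */
    record SiteDefinition(String siteName,
                          Pattern defaultValue, int defaultMaxLength,
                          Pattern paramName, int maxParamNameLength,
                          Map<String, ParamRule> params) {}

    static final class ValidationException extends Exception {
        ValidationException(String msg) { super(msg); }
    }

    /** Validates one request parameter against the site definition; returns the value if it passes. */
    static String getValidParameter(SiteDefinition site, String uri, String name, String value)
            throws ValidationException {
        // 1. The parameter name is always checked with the application-wide name pattern and length.
        if (name == null || name.length() > site.maxParamNameLength()
                || !site.paramName().matcher(name).matches()) {
            throw new ValidationException("bad parameter name: " + name);
        }
        ParamRule rule = site.params().get(name);
        // 2. An explicitly defined parameter may only appear on its allowed URIs.
        if (rule != null && rule.allowedUris() != null && !rule.allowedUris().contains(uri)) {
            throw new ValidationException("parameter '" + name + "' not allowed on " + uri);
        }
        // 3. Undefined parameters fall back to the default pattern and default maximum length.
        //    For them, a blank is allowed only if the default pattern itself accepts the empty string
        //    (a hypothetical choice; the report lists no application-wide blank setting).
        Pattern pattern = rule != null ? rule.value() : site.defaultValue();
        int maxLength = rule != null ? rule.maxLength() : site.defaultMaxLength();
        boolean allowBlank = rule != null ? rule.allowBlank() : pattern.matcher("").matches();
        if (value == null || value.isEmpty()) {
            if (allowBlank) return "";
            throw new ValidationException("parameter '" + name + "' may not be blank");
        }
        // 4. Length check runs before the regex so an oversized value never reaches the matcher.
        if (value.length() > maxLength) {
            throw new ValidationException("parameter '" + name + "' exceeds " + maxLength + " characters");
        }
        if (!pattern.matcher(value).matches()) {
            throw new ValidationException("parameter '" + name + "' does not match " + pattern.pattern());
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample definition for a hypothetical application.
        Map<String, ParamRule> params = new HashMap<>();
        params.put("email", new ParamRule(
                Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"),
                254, false, Set.of("/register", "/profile")));
        params.put("comment", new ParamRule(
                Pattern.compile("^[\\p{L}\\p{N} .,!?'-]*$"), 500, true, null));
        SiteDefinition site = new SiteDefinition("shop",
                Pattern.compile("^[A-Za-z0-9 ._-]+$"), 100,
                Pattern.compile("^[A-Za-z0-9_]+$"), 32, params);

        // Constructed sample requests: {uri, parameter name, parameter value}.
        String[][] samples = {
            {"/register", "email",    "alice@example.com"}, // accepted: explicit rule, allowed URI
            {"/search",   "email",    "alice@example.com"}, // rejected: URI not in allowedUris
            {"/register", "email",    ""},                  // rejected: blanks not allowed
            {"/post",     "comment",  ""},                  // accepted: blanks allowed
            {"/search",   "q",        "red shoes"},         // accepted: default pattern
            {"/search",   "q",        "<script>"},          // rejected: default pattern
            {"/search",   "bad name", "x"},                 // rejected: parameter name pattern
        };
        for (String[] s : samples) {
            try {
                System.out.println("accept " + s[1] + "=" + getValidParameter(site, s[0], s[1], s[2]));
            } catch (ValidationException e) {
                System.out.println("reject " + e.getMessage());
            }
        }
    }
}
```

The same `ParamRule` shape carries over to cookies and headers, which the report gives their own name/value patterns and length limits; only the lookup key (cookie or header name instead of parameter name) differs. Checking length before running the regex matters when rules are loaded per application, since an operator-supplied pattern may be expensive on long input.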