...
Code Block:

```java
import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// String s may be user controllable
// \uFE64 is normalized to < and \uFE65 is normalized to > using NFKC
String s = "\uFE64" + "script" + "\uFE65";
// Validate (on the raw, not yet normalized string)
Pattern pattern = Pattern.compile("[<>]"); // Check for angle brackets
Matcher matcher = pattern.matcher(s);
if (matcher.find()) {
  // Found blacklisted tag
  throw new IllegalStateException();
} else {
  // ...
}
// Normalize: the compatibility characters fold to ASCII, so s is now "<script>",
// but the check above has already passed
s = Normalizer.normalize(s, Form.NFKC);
```
The Normalizer.normalize() method (java.text.Normalizer) transforms Unicode text into an equivalent composed or decomposed form, which makes searching and comparing text easier. It supports the standard normalization forms described in Unicode Standard Annex #15, Unicode Normalization Forms. The order of operations in this example is the defect: the blacklist check runs on the raw string, which contains U+FE64 and U+FE65 rather than ASCII angle brackets, so it finds nothing; NFKC then folds those compatibility characters to < and >, and s becomes "<script>" after validation has already passed. Validation must be applied to the normalized string, not to the input that precedes normalization.
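The two orders side by side, as an added example that is not code from the original page. The class, method and helper names are this example's own, and the sample inputs are constructed; the fullwidth U+FF1C/U+FF1E pair is included because NFKC folds it to ASCII angle brackets in the same way as U+FE64/U+FE65.

```java
import java.text.Normalizer;
import java.text.Normalizer.Form;
import java.util.regex.Pattern;

public final class NormalizeThenValidate {
    // Same blacklist as the page's example: reject any ASCII angle bracket.
    private static final Pattern ANGLE_BRACKETS = Pattern.compile("[<>]");

    /** Validate first, then normalize: the order of the noncompliant example. */
    static String validateThenNormalize(String s) {
        if (ANGLE_BRACKETS.matcher(s).find()) {
            throw new IllegalStateException("angle bracket in input");
        }
        return Normalizer.normalize(s, Form.NFKC);
    }

    /** Normalize first, then validate the normalized string: the compliant order. */
    static String normalizeThenValidate(String s) {
        String normalized = Normalizer.normalize(s, Form.NFKC);
        if (ANGLE_BRACKETS.matcher(normalized).find()) {
            throw new IllegalStateException("angle bracket in input");
        }
        return normalized;
    }

    public static void main(String[] args) {
        // Constructed inputs (assumption: these stand in for user-controlled data).
        String[] samples = {
            "\uFE64script\uFE65",   // SMALL LESS-THAN / GREATER-THAN SIGN
            "\uFF1Cscript\uFF1E",   // FULLWIDTH LESS-THAN / GREATER-THAN SIGN
            "<script>",             // plain ASCII, rejected by both orders
            "harmless text"         // accepted by both orders
        };
        for (String s : samples) {
            System.out.println("input: " + describe(s));
            try {
                String out = validateThenNormalize(s);
                System.out.println("  validate-then-normalize accepted -> " + describe(out));
            } catch (IllegalStateException e) {
                System.out.println("  validate-then-normalize rejected");
            }
            try {
                String out = normalizeThenValidate(s);
                System.out.println("  normalize-then-validate accepted -> " + describe(out));
            } catch (IllegalStateException e) {
                System.out.println("  normalize-then-validate rejected");
            }
        }
    }

    /** Escape non-printable-ASCII code points so the console shows what was really there. */
    private static String describe(String s) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            if (cp >= 0x20 && cp < 0x7F) {
                sb.appendCodePoint(cp);
            } else {
                sb.append(String.format("\\u%04X", cp));
            }
            i += Character.charCount(cp);
        }
        return sb.toString();
    }
}
```

For the first two samples validateThenNormalize() accepts the input and returns "<script>", while normalizeThenValidate() throws; the ASCII "<script>" is rejected by both and "harmless text" passes both. The same ordering rule applies to any canonicalization step (percent-decoding, path resolution, case folding): canonicalize, then validate the canonical form.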
...
| ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/) | Cross-site scripting [XYT] |
| CWE-289. Authentication bypass by alternate name |
| CWE-180. Incorrect behavior order: Validate before canonicalize |
...