00. Input Validation and Data Sanitization (IDS)

Rules

• Page:
  IDS00-J. Prevent SQL injection
• Page:
  IDS01-J. Normalize strings before validating them
• Page:
  IDS02-J. Canonicalize path names before validating them
• Page:
  IDS03-J. Do not log unsanitized user input
• Page:
  IDS04-J. Safely extract files from ZipInputStream
• Page:
  IDS05-J. Use a safe subset of ASCII for file and path names
• Page:
  IDS06-J. Exclude unsanitized user input from format strings
• Page:
  IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method
• Page:
  IDS08-J. Sanitize untrusted data included in a regular expression
• Page:
  IDS09-J. Specify an appropriate locale when comparing locale-dependent data
• Page:
  IDS10-J. Don't form strings containing partial characters
• Page:
  IDS11-J. Perform any string modifications before validation
• Page:
  IDS13-J. Use compatible character encodings on both sides of file or network IO
• Page:
  IDS14-J. Do not trust the contents of hidden form fields
• Page:
  IDS15-J. Do not allow sensitive information to leak outside a trust boundary
• Page:
  IDS16-J. Prevent XML Injection
• Page:
  IDS17-J. Prevent XML External Entity Attacks
• Page:
  IDS50-J. Use conservative file naming conventions
• Page:
  IDS51-J. Properly encode or escape output
• Page:
  IDS52-J. Prevent code injection
• Page:
  IDS53-J. Prevent XPath Injection
• Page:
  IDS54-J. Prevent LDAP injection
• Page:
  IDS55-J. Understand how escape characters are interpreted when strings are loaded
• Page:
  IDS56-J. Prevent arbitrary file upload
• Page:
  Rec. 00. Input Validation and Data Sanitization (IDS)
• Page:
  Rule 00. Input Validation and Data Sanitization (IDS)

Risk Assessment Summary

FIO15-J. Do not store excess or sensitive information within cookies when using Java Servlets      The CERT Oracle Secure Coding Standard for Java      IDS01-J. Sanitize untrusted data passed across a trust boundary