<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
    <title>00. Security (SEC) - CERT Secure Coding Standards</title>
                
    <script language="javascript">
        // Page globals: the application context path and an initially empty i18n array.
        var contextPath = '/confluence',
            i18n = [];
    </script>

                            <link rel="stylesheet" href="/confluence/s/1116/1/1/_/styles/main-action.css?spaceKey=java" type="text/css" />
                    
            <script type="text/javascript" src="/confluence/s/1116/1/_/decorators/effects.js"></script>
    
            

    <script type="text/javascript">

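    /**
     * Toggles the visibility of a left-nav menu and records the resulting state
     * in the cookie "confluence.leftnav." + menuId, the same key that
     * isMenuExpanded() reads back.
     *
     * @param menuId id of the menu element to toggle
     */
    function toggleMenu(menuId)
    {
        var visible = toggleVisibility(menuId);
        // Always write to the menu's own cookie. The collapsed branch used to
        // write to the bare "confluence.leftnav." key, so a menu that had been
        // expanded once was never recorded as collapsed again.
        setCookie("confluence.leftnav." + menuId, visible ? true : false);
    }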

    /**
     * Looks up the saved state of a left-nav menu.
     *
     * @param menuId id of the menu element
     * @return whatever getCookie() yields for "confluence.leftnav." + menuId
     */
    function isMenuExpanded(menuId)
    {
        var cookieName = "confluence.leftnav." + menuId;
        return getCookie(cookieName);
    }

    /**
     * Restores a left-nav menu to its saved state: shown when the saved value
     * is the string 'true', hidden otherwise. Does nothing when the element is
     * not in the document.
     *
     * @param menuId id of the menu element
     */
    function initMenuItem(menuId)
    {
        var menu = document.getElementById(menuId);
        if (!menu)
            return;

        // The cookie value is compared as a string, not as a boolean.
        var expanded = (isMenuExpanded(menuId) == 'true');
        menu.style.display = expanded ? "block" : "none";
    }
</script>

</head>

            <body onload="placeFocus()">


    <script type="text/javascript">
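        /**
         * Hides the element with the given id and sets a cookie named after it.
         * Does nothing when no such element exists.
         *
         * @param messageId id of the message element, also used as the cookie name
         */
        function hideMessage(messageId)
        {
            var message = document.getElementById(messageId);
            // Guard against a missing element: without it, message.style threw
            // a TypeError whenever the id was not present in the page.
            if (!message)
                return;
            message.style.display = "none";
            setCookie(messageId, true);
        }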
    </script>

        

<div id="PageContent">
    <table cellspacing="0" cellpadding="0" width="100%">
        <tr>
                    <td valign="top" width="100%">
                <!-- Inner content table -->
                <table width="100%" cellpadding="2" cellspacing="0">
                    <tr>
                        <td id="mainViewPane">
                            <div>
                                <div class="pagetitle" style="padding: 0px; margin-bottom:5px; margin-top: 2px;">
                                                                            00. Security (SEC)
                                    </div>
                            </div>
                                                        <div id="content">
                                <!-- call the page decorator -->
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              <!--
    Root decorator: all decisions about how a page is to be decorated via the
                    inline decoration begins here.
-->



<!--
    Switch based upon the context. However, for now, just delegate to a decorator
    identified directly by the context.
-->


    
    <!--[if gte IE 5.5000]>
<script language="JavaScript">
// Replaces each image whose src ends in "PNG" (case-insensitive) with a span
// that renders it through the IE AlphaImageLoader filter. Registered as an
// onload handler at the bottom of this script.
//
// NOTE(review): img.id, img.className, img.title / img.alt and img.src are
// concatenated into markup without escaping, so a quote character in any of
// them would end the attribute early and the rest would be parsed as markup.
// Where these values come from is not visible here; confirm they cannot carry
// author-controlled text, or build the span with DOM calls instead of
// assigning outerHTML.
function correctPNG() // correctly handle PNG transparency in Win IE 5.5 or higher.
   {
   for(var i=0; i<document.images.length; i++)
      {
	  var img = document.images[i]
	  var imgName = img.src.toUpperCase()
	  // only the last three characters of the upper-cased src are compared
	  if (imgName.substring(imgName.length-3, imgName.length) == "PNG")
	     {
		 // carry id and class over to the replacement; title falls back to alt
		 var imgID = (img.id) ? "id='" + img.id + "' " : ""
		 var imgClass = (img.className) ? "class='" + img.className + "' " : ""
		 var imgTitle = (img.title) ? "title='" + img.title + "' " : "title='" + img.alt + "' "
		 var imgStyle = "display:inline-block;" + img.style.cssText
		 // the align attribute is translated into a float
		 if (img.align == "left") imgStyle = "float:left;" + imgStyle
		 if (img.align == "right") imgStyle = "float:right;" + imgStyle
		 // images whose parent has an href get a hand cursor
		 if (img.parentElement.href) imgStyle = "cursor:hand;" + imgStyle
		 var strNewHTML = "<span " + imgID + imgClass + imgTitle
		 + " style=\"" + "width:" + img.width + "px; height:" + img.height + "px;" + imgStyle + ";"
	     + "filter:progid:DXImageTransform.Microsoft.AlphaImageLoader"
		 + "(src=\'" + img.src + "\', sizingMethod='scale');\"></span>"
		 img.outerHTML = strNewHTML
		 // step back so the same index is visited again; presumably
		 // document.images shrinks once the img is replaced (confirm)
		 i = i-1
	     }
      }
   }
// attachEvent is the legacy IE event API
window.attachEvent("onload", correctPNG);
</script>
<![endif]-->























<style>
    /* Left-floated image links with a small margin. */
    .imageLink {
        float: left;
        margin: 2px;
        vertical-align: bottom;
    }

    /* Per the original comment: styles overwritten relative to main.css. */
    .greybox {
        margin: 0;
        padding: 3px;
        background-color: #F0F0F0;
        /* the shorthand comes first so the top/bottom borders below win */
        border: 0px;
        border-top: 1px solid #ddd;
        border-bottom: 1px solid #ddd;
    }
</style>











    <div id="editpage">
    <!-- is the user logged in? -->
        
                
    
            <script type="text/javascript" src="/confluence/s/1116/1/_/editpage-javascript"></script>
    
<script type="text/javascript" language="JavaScript">
    // Page-level values emitted by the server: base URL, entity id and space key.
    var domainName = 'https://www.securecoding.cert.org/confluence',
        entityId = '4254',
        spaceKey = 'java';

    /**
     * Keeps the hierarchy checkbox in step with the space selector.
     * When the selected space differs from 'java' the checkbox is enabled and
     * unchecked; when it is 'java' the checkbox is checked and disabled and its
     * label is greyed out. Does nothing unless #newSpaceKey is a single-select.
     */
    function toggleHierarchy()
    {
        var spaceSelect = document.getElementById('newSpaceKey');
        var hierarchyBox = document.getElementById('hierarchy_checkbox');
        var hierarchyLabel = document.getElementById('hierarchy_text');

        if (spaceSelect == undefined || spaceSelect.type != "select-one")
            return;

        var chosenSpaceKey = spaceSelect.options[spaceSelect.selectedIndex].value;
        // 'java' is the current space key as rendered into this page
        var sameSpace = ('java' == chosenSpaceKey);

        hierarchyBox.disabled = sameSpace;
        hierarchyBox.checked = sameSpace;
        hierarchyLabel.style.color = sameSpace ? 'lightgrey' : 'black';
    }

</script>

<form id="editpageform" name="editpageform" method="post" action="doeditpage.action?pageId=4254">
    <input
    type="hidden"
          name="originalVersion"            value="8"             />    <input
    type="hidden"
          name="originalContent"            value="h2. Recommendations

[SEC00-A. Do not allow exceptions to transmit sensitive information]

[SEC01-A. Be careful using doPrivileged]

[SEC02-A. Beware of standard APIs that may bypass Security Manager checks]

[SEC03-A. Beware of standard APIs that may use the immediate caller's class loader instance]

[SEC04-A. Beware of standard APIs that perform access checks against the immediate caller]

[SEC05-A. Handle exceptions appropriately]

h2. Rules

[SEC30-C. Always use a Security Manager]

[SEC31-C. Never grant AllPermission]

[SEC32-C. Do not grant ReflectPermission with action suppressAccessChecks]

[SEC33-C. Define wrappers around native methods]

[SEC34-C. Do not allow the unauthorized construction of sensitive classes]

[SEC35-C. Provide mutable classes with a clone method]

[SEC36-C. Ensure that the bytecode verifier is applied to all involved code upon any modification]

h2. Risk Assessment Summary

h3. Rules
|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| SEC30-C | high | likely | low | {color:red}{*}P27{*}{color} | {color:red}{*}L1{*}{color} |
| SEC31-C | medium | probable | medium | {color:#cc9900}{*}P8{*}{color} | {color:#cc9900}{*}L2{*}{color} |
| SEC32-C | low | unlikely | high | {color:green}{*}P1{*}{color} | {color:green}{*}L3{*}{color} |



"             />    <input
    type="hidden"
          name="labelsShowing"            value="false"                     id="labelsShowing"           />    <input
    type="hidden"
          name="restrictionsShowing"            value="false"                     id="restrictionsShowing"           />    <input
    type="hidden"
          name="locationShowing"            value="false"                     id="locationShowing"           />

    <div id="editBox">
        <!--headerRow with padding of 10px. needs to be renamed-->

        <div id="headerRow">

            <!--Remove Page Link -->
            <div style="float:right;">
                        <a href="/confluence/pages/removepage.action?pageId=4254"><img src="/confluence/images/icons/trash_16.gif" width="16" height="16" border="0px" align="absmiddle" title="Remove"></a>&nbsp;<a href="/confluence/pages/removepage.action?pageId=4254">Remove Page</a>
                </div>
            <div style="float:left"/>
            <!--title text field-->
            <div style="margin-bottom:5px;">
                                              <input type="text"
                                   name="title"
             size="55"                    value="00. Security (SEC)"               tabindex="1"             class="pagetitle"       />            </div>

            <!-- Start location section -->
            <div class="inputSection">
                



<script>
<!--

/**
 * Collapses the location editor, hands the space and parent-page fields to
 * publishFormData() together with their summary elements, resets the link
 * text to "EDIT" and passes the summary line to highlight().
 */
function hideLocationDiv()
{
    $('location_div').style.display = 'none';

    // [form field, summary wrapper, summary text] id triples
    var mirroredFields = [
        ['newSpaceKey', 'space_info', 'space_content'],
        ['parentPageString', 'parent_info', 'parent_content']
    ];
    for (var i = 0; i < mirroredFields.length; i++)
    {
        var ids = mirroredFields[i];
        publishFormData($(ids[0]), $(ids[1]), $(ids[2]));
    }

    $('location_edit_link').innerHTML = "EDIT";
    highlight($('location_info'));
}

/**
 * Expands the location editor and switches the link text to "DONE".
 */
function showLocationDiv()
{
    var editor = $('location_div');
    editor.style.display = 'block';

    var editLink = $('location_edit_link');
    editLink.innerHTML = "DONE";
}

/**
 * Click handler for the location summary: expands the editor when it is
 * hidden and collapses it otherwise.
 *
 * @return always false
 */
function toggleLocation()
{
    var collapsed = ($('location_div').style.display == 'none');
    if (collapsed)
        showLocationDiv();
    else
        hideLocationDiv();
    return false;
}

//-->
</script>

<span class="formtitle">Location:</span>
<span id="location_info" onclick="toggleLocation()">
    <span id="space_info" >
        <span id="space_content">java</span>
    </span>
    <span id="parent_info" >
        > <span id="parent_content">CERT Java Secure Coding Standard</span>
    </span>
    <span class="inline-control-link fontSizeTiny" id="location_edit_link">EDIT</span>
</span>
<div id="location_div" class="toggleFormDiv" style="padding: 8px; display:none">
                      <table>
        <tr>
            <td valign="top">
                <div>
                                    <div>
                        <label onclick="toggleLocation()" class="formtitle">Space</label>
                        <br />
                        <select id="newSpaceKey" name="newSpaceKey" tabindex="3" onChange="toggleHierarchy();  blankParent();">
                                                    <option value="cplusplus" >C++ Secure Coding Practices</option>
                                                    <option value="java"  selected>java</option>
                                                    <option value="seccode" >Secure Coding</option>
                                                    <option value="SD" >Secure Design</option>
                                                </select>
                    </div>
                                </div>
            </td>
            <td valign="top">
                <div>
                    

<div class="formtitle">
    Parent Page
</div>
<input type="text"
                                   name="parentPageString"
             size="30"                    value="CERT Java Secure Coding Standard"               tabindex="2"                   id="parentPageString"                />            <a href="#" onClick="window.open('/confluence/users/spacepagepicker.action?pageId=4254&currentspace=' + document.getElementById('newSpaceKey').value + '&formname=editpageform&fieldname=parentPageString&mode=history','link_inserter', 'width=620, height=400, resizable, scrollbars=yes'); return false;" title="Choose Page"  tabindex="diabled"><img src="/confluence/images/icons/document_zoom_in_16.gif" width="16" height="16" border="0"  tabindex="diabled" align="absmiddle"></a>
                    </div>
            </td>
        </tr>
                <tr>
            <td id="hierarchy_checkbox_area">
                    <input id="hierarchy_checkbox" tabindex="4" type="checkbox" name="moveHierarchy"  value="true" />
                    <label for="hierarchy_checkbox">
                        <span id="hierarchy_text" class="smalltext">Move children?</span>
                    </label>
            </td>
            <td>&nbsp;</td>
        </tr>
            </table>
</div>

<script>
    </script>
            </div>
            </div>
            <!-- End location section -->
            <div>
            <!-- edit page form -->
            <!-- captcha form elements -->
		<br style="clear: both" />
            </div>
            <!--content editor-->
            <div class="inputSection">
                <div style="float:right;">
                    <div class="submitButtons">
                           <input
         tabindex="102"      accessKey="s"                  type="submit"      name="confirm" value="Save"/>&nbsp;&nbsp;
<input
         tabindex="104"                      type="submit"      name="cancel" value="Cancel"/>                    </div>
                </div>
                <div id="editorDiv" style="width:100%">
                    
<script type="text/javascript">
    // Content id passed to the WysiwygConverter calls below; kept as a string.
    var contentId = "4254";

    /**
     * Remembers the caret position for IE. When the textarea exposes
     * createTextRange, a duplicate of the current selection range is stored on
     * it as caretPos. Per the original note, call storeCaret(this) from the
     * onclick, onselect and onkeyup events of the textarea being edited.
     *
     * @param textAreaObject the textarea element
     */
    function storeCaret(textAreaObject)
    {
        if (!textAreaObject.createTextRange)
            return; // feature test for IE browsers failed

        var selectionRange = document.selection.createRange();
        textAreaObject.caretPos = selectionRange.duplicate();
    }

    /**
     * Copies the textarea's current selection into the form's selectedText field.
     * On browsers with selectionStart it also stores the selected text and the
     * text before and after it on the textarea as sel, sel1 and sel2.
     */
    function storeTextareaBits()
    {
        var area = $('markupTextarea');
        var currentForm = getCurrentForm();

        if (area.selectionStart != null)
        {
            // for netscape, mozilla, gecko
            var from = area.selectionStart;
            var to = area.selectionEnd;
            area.sel = area.value.substr(from, to - from);
            area.sel1 = area.value.substr(0, from);
            area.sel2 = area.value.substr(to);
            currentForm.selectedText.value = area.sel;
            return;
        }

        if (!(document.selection && document.selection.createRange))
            return;

        // for ie
        // value unused; the call is kept so the sequence of range calls is unchanged
        var textBeforeFocus = document.selection.createRange().text;
        try
        {
            currentForm.elements['content'].focus();
        }
        catch (e)
        {
            // ignore
        }
        var range = document.selection.createRange();
        currentForm.selectedText.value = range.text;
    }

    // Rich-text pane toggle; it has no body in this rendering of the page.
    function showRichText(show)
    {
        // no-op
    }

    /**
     * Shows or hides the wiki-markup pane, marks its tab as current, and
     * toggles the optional help cell and link inserters with it.
     *
     * @param show truthy to show the pane, falsy to hide it
     */
    function showMarkup(show)
    {
        var blockOrNone = show ? 'block' : 'none';

        $('markup').style.display = blockOrNone;
        $('markupTab').className = show ? 'current' : '';

        var helpCell = $('helptd');
        if (helpCell)
        {
            if (show)
            {
                try
                {
                    helpCell.style.display = 'table-cell';
                }
                catch (e)
                {
                    // IE throws exception with invalid display type, so
                    // we'll use the incorrect value of 'block'
                    helpCell.style.display = 'block';
                }
            }
            else
            {
                helpCell.style.display = 'none';
            }
        }

        var inserters = $('linkinserters');
        if (inserters)
        {
            inserters.style.display = blockOrNone;
        }
    }

    /**
     * Shows or hides the preview pane and marks its tab as current.
     *
     * @param show truthy to show the pane, falsy to hide it
     */
    function showPreview(show)
    {
        var pane = $('preview');
        var tab = $('previewTab');

        pane.style.display = show ? 'block' : 'none';
        tab.className = show ? 'current' : '';
    }

    /**
     * Passes the value to AjaxUserProfileEditor.setPreferenceUserEditWysiwyg()
     * and then hides both "make default" links.
     *
     * @param value handed to the profile editor unchanged
     */
    function setRichTextDefault(value)
    {
        AjaxUserProfileEditor.setPreferenceUserEditWysiwyg(value);

        var linkIds = ['makeRichTextDefault', 'makeMarkupDefault'];
        for (var i = 0; i < linkIds.length; i++)
        {
            $(linkIds[i]).style.display = 'none';
        }
    }

    /**
     * Makes the wait image visible or hidden; it uses visibility, not display.
     *
     * @param flag truthy to show the image
     */
    function showWaitImage(flag)
    {
        var visibility = 'hidden';
        if (flag)
            visibility = 'visible';
        $('wysiwygWaitImage').style.visibility = visibility;
    }
    /**
     * Callback that switches the editor to markup mode and, when a value is
     * supplied, loads it into the markup textarea.
     *
     * @param s wiki markup, or null/undefined to leave the textarea as it is
     */
    function reply_setTextArea(s)
    {
        showWaitImage(false);
        setMode('markup');
        if (s == null)
            return;
        $('markupTextarea').value = s;
    }
    /**
     * Callback that switches the editor to rich-text mode and hands the
     * received value to setEditorValue().
     *
     * @param s value forwarded to setEditorValue() unchanged
     */
    function reply_setEditorValue(s)
    {
        var waiting = false;
        showWaitImage(waiting);
        setMode('richtext');
        setEditorValue(s);
    }


    /**
     * Callback that switches the editor to preview mode and displays the
     * received preview.
     *
     * NOTE(review): s is assigned to innerHTML, so it is parsed as markup. In
     * this file the function is passed as the callback to
     * WysiwygConverter.convertToPreview(), which means the page relies on that
     * converter to return markup that is safe to render. The converter is not
     * visible here; confirm that it encodes or filters author-supplied content.
     *
     * @param s preview markup
     */
    function reply_setPreviewArea(s)
    {
        showWaitImage(false);
        setMode('preview');

        var previewPane = $('previewArea');
        previewPane.innerHTML = s;
    }


    /**
     * Records the new mode on the current form and shows the matching pane.
     * mode is expected to be 'richtext', 'markup' or 'preview'; any other
     * value only updates the form fields. form.xhtml is left untouched when
     * entering preview. Entering preview also calls saveDraft(null) and, when
     * coming from rich text, keeps the editor HTML in lastKnownGoodContent.
     */
    function setMode(mode)
    {
        // Sample the rich-text flag before form.mode is overwritten below.
        var wasRichText = inRichTextMode();
        var form = getCurrentForm();

        form.mode.value = mode;
        if (mode != 'preview')
            form.xhtml.value = (mode == 'richtext');

        if (mode == 'richtext')
        {
            showRichText(true);
            showMarkup(false);
            showPreview(false);
        }
        else if (mode == 'markup')
        {
            if (wasRichText)
                showRichText(false);
            showMarkup(true);
            showPreview(false);
        }
        else if (mode == 'preview')
        {
            saveDraft(null);
            if (wasRichText)
            {
                // get the editor content in case we come back to wiki-markup
                lastKnownGoodContent = getEditorHTML() + "";
                showRichText(false);
            }
            showMarkup(false);
            showPreview(true);
        }
    }

    /**
     * Hides and shows the "make default" links, based on the mode the form is
     * currently in and on the user's WYSIWYG default. The markup link is
     * offered in markup mode when WYSIWYG is the default; the rich-text link is
     * offered in rich-text mode when it is not. At most one of them is shown.
     *
     * @param defaultIsWysiwyg truthy when WYSIWYG is the user's default editor
     */
    function showDefaultLinks(defaultIsWysiwyg)
    {
        var currentMode = getCurrentForm().mode.value;

        var offerMarkupDefault = defaultIsWysiwyg && currentMode == 'markup';
        var offerRichTextDefault = !defaultIsWysiwyg && currentMode == 'richtext';

        $('makeRichTextDefault').style.display = (offerRichTextDefault ? 'inline' : 'none');
        $('makeMarkupDefault').style.display = (offerMarkupDefault ? 'inline' : 'none');
    }


    // lastEditMode: the edit mode that was active before the user switched to
    // preview, so that going on to the other edit mode can convert the markup
    // to XHTML or vice versa.
    // lastKnownGoodContent: starts as null; setMode() and changeMode() store the
    // editor HTML in it.
    var lastEditMode,
        lastKnownGoodContent = null;

    /**
     * @return true when the current form's mode field holds 'richtext'
     */
    function inRichTextMode()
    {
        return getCurrentForm().mode.value == 'richtext';
    }



    /**
     * Starts a switch of the editor to another mode. Nothing happens when the
     * form is already in that mode. Otherwise the wait image is shown and the
     * content is sent to WysiwygConverter; the matching reply_* callback
     * finishes the switch. When returning from preview to the mode that was
     * active before it, no conversion is needed and the callback is invoked
     * directly with null.
     *
     * @param mode 'markup', 'richtext', or anything else for preview
     */
    function changeMode(mode)
    {
        var form = getCurrentForm();
        var previousMode = form.mode.value;

        if (previousMode == mode)
            return;

        showWaitImage(true);
        var comingFromPreview = (previousMode == 'preview');

        if (mode == 'markup') // going from wysiwyg to markup
        {
            // Markup -> Preview -> Markup: nothing to convert
            if (comingFromPreview && lastEditMode == 'markup')
            {
                reply_setTextArea(null);
                return;
            }
            // WYSIWYG -> Preview -> Markup uses the HTML saved on the way into
            // preview; WYSIWYG -> Markup reads the editor directly
            var xhtml = comingFromPreview ? lastKnownGoodContent : getEditorHTML() + "";
            WysiwygConverter.convertXHtmlToWikiMarkupWithoutPage(xhtml, contentId, reply_setTextArea);
            return;
        }

        if (mode == 'richtext') // going from markup to wysiwyg
        {
            var markupArea = $('markupTextarea');

            // WYSIWYG -> Preview -> WYSIWYG: the editor content is still in place
            if (comingFromPreview && lastEditMode == 'richtext')
            {
                reply_setEditorValue(null);
                return;
            }
            // Markup -> (Preview ->) WYSIWYG: convert the markup textarea content
            WysiwygConverter.convertWikiMarkupToXHtmlWithoutPage(markupArea.value, contentId, reply_setEditorValue);
            return;
        }

        // viewing the preview
        if (previousMode == 'richtext')
        {
            // WYSIWYG -> Preview
            lastEditMode = 'richtext';
            var html = getEditorHTML() + "";
            lastKnownGoodContent = html;
            WysiwygConverter.convertToPreview(html, contentId, 'java', 'richtext', reply_setPreviewArea);
        }
        else
        {
            // Markup -> Preview
            lastEditMode = 'markup';
            var sourceArea = $('markupTextarea');
            WysiwygConverter.convertToPreview(sourceArea.value, contentId, 'java', 'markup', reply_setPreviewArea);
        }
    }

    var contentHasChangedSinceLastAutoSave = false;
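    /**
     * Saves the editor content as a draft through DraftAjax when it has
     * changed since the last save, then clears the changed flag.
     *
     * @param callback optional function; handed to DraftAjax.saveDraft when a
     *                 draft is sent, otherwise called directly so the caller
     *                 is always notified.
     *
     * NOTE(review): pageId, spaceKey and pageVersion are supplied by the
     * client. The server side is not visible here; presumably it checks that
     * the caller may save a draft for that page - confirm.
     */
    function saveDraft(callback)
    {
        if (!callback)
        {
            callback = function() {};
        }

        var form = getCurrentForm();

        if (!hasContentChanged())
        {
            // The callback must run even when no draft is saved.
            callback();
            return;
        }

        var draftData = {};
        draftData.pageId = '4254';
        if (form.title)
        {
            draftData.title = form.title.value;
        }
        // A space key chosen in the form wins over the page's current space.
        draftData.spaceKey = form.newSpaceKey ? form.newSpaceKey.value : 'java';
        if (form.originalVersion)
        {
            // Explicit radix: without it some engines read a leading "0" as octal.
            draftData.pageVersion = parseInt(form.originalVersion.value, 10);
        }
        draftData.type = 'page';
        draftData.content = getCurrentFormContent(form);
        DraftAjax.saveDraft(draftData, form.xhtml.value == 'true', callback);
        resetContentChanged();
    }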
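    /**
     * Reports editing activity for page '4254' through HeartbeatAjax and
     * shows who else is editing the page.
     *
     * The callback receives an array of activity responses. When it is
     * non-empty, the 'heartbeatDiv' notice is shown and 'otherUsersSpan' is
     * filled with one profile link per user, plus the last edit date when
     * there is one; otherwise the notice is hidden.
     *
     * The list is built from DOM nodes and text nodes instead of an HTML
     * string assigned to innerHTML, so a user name, full name or date that
     * contains markup is displayed as text and never parsed as HTML.
     *
     * NOTE(review): if the server already HTML-encodes these fields, entities
     * will now show literally; encode in exactly one place. userName is put
     * into the link path as received, as before - confirm whether it needs
     * URL-encoding.
     */
    function heartbeat()
    {
        HeartbeatAjax.startActivity('4254', 'page',
            function (activityResponses)
            {
                var notice = $('heartbeatDiv');

                if (!(activityResponses.length > 0))
                {
                    notice.style.display = 'none';
                    return;
                }

                notice.style.display = 'block';

                // Drop the previous list before rebuilding it.
                var target = $('otherUsersSpan');
                while (target.firstChild)
                {
                    target.removeChild(target.firstChild);
                }

                // Declared locally; the loop counter used to leak into the global scope.
                for (var i = 0; i < activityResponses.length; ++i)
                {
                    var activityResponse = activityResponses[i];

                    if (i > 0)
                    {
                        target.appendChild(document.createTextNode(", "));
                    }

                    var userLink = document.createElement('a');
                    userLink.setAttribute('href', '/confluence/display/~' + activityResponse.userName);
                    userLink.appendChild(document.createTextNode(activityResponse.fullName));
                    target.appendChild(userLink);
                    target.appendChild(document.createTextNode(' '));

                    if (activityResponse.lastEditDate != null)
                    {
                        var lastEdit = document.createElement('span');
                        lastEdit.className = 'smalltext';
                        lastEdit.appendChild(document.createTextNode('(last edit ' + activityResponse.lastEditDate + ')'));
                        target.appendChild(lastEdit);
                    }
                }
            }
        );
    }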
    /**
     * Returns the page edit form, looked up in document.forms under the
     * name 'editpageform'.
     */
    function getCurrentForm()
    {
        var editForm = document.forms['editpageform'];
        return editForm;
    }
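    /**
     * Fallback for Safari: submits the edit form from JavaScript so that the
     * preview page is displayed.
     *
     * A hidden field named "preview" with the value "preview" is appended to
     * the form before it is submitted.
     */
    function sendFormWithPreview()
    {
        // Local variable: the original assigned an undeclared (global) "form".
        var form = getCurrentForm();

        // Same helper sendFormDraft uses; the original set el.name twice.
        addHiddenElement(form, "preview", "preview");
        form.submit();
    }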

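    /**
     * Submits the edit form to discard or use the saved draft.
     *
     * @param flagName name of the hidden field, set to "true", that tells the
     *                 server which draft action was chosen.
     *
     * The page id is always added as a hidden field; the space key is added
     * only when the form has no spaceKey field of its own.
     */
    function sendFormDraft(flagName)
    {
        // Local variable: the original assigned an undeclared (global) "form".
        var form = getCurrentForm();

        addHiddenElement(form, flagName, "true");
        addHiddenElement(form, "pageId", "4254");
        if (!form.spaceKey)
        {
            addHiddenElement(form, "spaceKey", "java");
        }

        // NOTE(review): "${draft.draftType}" looks like a server-side template
        // placeholder that was emitted unexpanded, so the form posts to this
        // literal path. Left as is; the fix belongs in the page template.
        form.action="edit${draft.draftType}.action";
        form.submit();
    }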

    /**
     * Appends a hidden input carrying the given name and value to a form.
     *
     * @param form  form element that receives the new field
     * @param name  field name
     * @param value field value
     */
    function addHiddenElement(form, name, value)
    {
        var hiddenField = document.createElement("input");

        hiddenField.type = "hidden";
        hiddenField.name = name;
        hiddenField.value = value;

        form.appendChild(hiddenField);
    }

</script>
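                <div id='heartbeatDiv' style="display: none;">
    <!-- Concurrent-edit notice: heartbeat() shows or hides this div and fills otherUsersSpan. -->
    <table style="clear: right" cellpadding='5' width='100%' cellspacing='8px' class='noteMacro' border="0" align='center'>
        <tr><td valign='top' width="1%"><img src="/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>
            <!-- span needs an explicit end tag: HTML parsers ignore the "/" in <span/>, which left the span open so that it swallowed the trailing period. -->
            This page is being edited by <span id='otherUsersSpan'></span>.
        </td></tr>
    </table>
    </div>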
    
    <ul class="tabnav" style="border-bottom: 0; width: 400px">
        <li class="tabs">
                        <a id="markupTab"  class="current" href="#" onClick="javascript:changeMode('markup');return false;">Wiki Markup</a>
                        <a id="previewTab"  href="#" onClick="javascript:sendFormWithPreview();return false;">Preview</a>
                </li>
        <li class="nontabs" style="margin: 8px 0pt 0pt 3px"><img id="wysiwygWaitImage" style="visibility:hidden" alt="Wait Image" border=0 src="/confluence/images/icons/wait.gif"></li>

            </ul>
    <!-- clears the floated elements above -->
    <br class="after-tabnav">

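        <div style="background-color:#D6D6D6;  border:1px solid #CCC; border-bottom:0; " id='linkinserters'>
            <!--
              Image and link inserter pop-ups.
              - Ampersands inside the attribute are written as &amp;amp; so that a parser cannot read
                "&amp;curren" in "&amp;currentspace" as the legacy currency-sign entity.
              - The selected text is passed through encodeURIComponent before it becomes the "alias"
                query value, so characters such as &amp;, # or = in the selection cannot add or
                truncate parameters of the pop-up URL.
            -->
            <a style="text-decoration: none" href="#" onClick="storeTextareaBits(); window.open('/confluence/users/insertimageinpage.action?pageId=4254&amp;formname=editpageform&amp;fieldname=content&amp;mode=search','link_image_inserter', 'width=700, height=400, resizable, scrollbars=yes'); return false;" title="Insert Image">
                <img src="/confluence/images/icons/confimage.gif" border="0px" title="Insert Image" alt="Insert Image">
            </a>

            <a style="text-decoration: none" href="#" onClick="storeTextareaBits(); var alias = document.getElementById('selectedText').value; window.open('/confluence/users/insertlink.action?pageId=4254&amp;currentspace=java&amp;formname=editpageform&amp;fieldname=content' + (alias ? '&amp;alias=' + encodeURIComponent(alias) : ''),'link_inserter', 'width=620, height=480, resizable, scrollbars=yes'); return false;" title="Insert Link">
                <img src="/confluence/images/icons/conflink.gif" border="0px" title="Insert Link" alt="Insert Link">
            </a>
        </div>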
    
            <script type="text/javascript">
            var useWysiwyg = false;

            /*---------------------------------------------------------------------------
            Redefine the following two methods without calls to editorHasContentChanged()
            ---------------------------------------------------------------------------*/
            /**
             * Tells the draft autosave whether the content was modified since
             * the flag was last reset. Reports the
             * contentHasChangedSinceLastAutoSave flag and nothing else.
             */
            function hasContentChanged()
            {
                var changed = contentHasChangedSinceLastAutoSave;
                return changed;
            }

            /**
             * Clears the contentHasChangedSinceLastAutoSave flag; saveDraft()
             * calls this after a draft has been handed to DraftAjax.
             */
            function resetContentChanged()
            {
                contentHasChangedSinceLastAutoSave = (1 === 0);
            }
        </script>
    
        
            <script type="text/javascript" src="/confluence/s/1116/1/_/dwr/engine.js"></script>
     <!-- request this the traditional way to fix CONF-5561 -->
        
            <script type="text/javascript" src="/confluence/s/1116/1/_/wysiwyg-javascript"></script>
        <div id="markup" >
    <div>

    <textarea id="markupTextarea" name="content"
                      cols=""
                      rows="30"

                                             tabindex="5"                onclick="storeCaret(this);"
            onselect="storeCaret(this); storeTextareaBits()"
            onkeyup="storeCaret(this);contentChangeHandler();"
            onchange="contentChangeHandler();"
            style="padding:0; margin:0; width:100%; "
            class="monospaceInput"
            >h2. Recommendations

[SEC00-A. Do not allow exceptions to transmit sensitive information]

[SEC01-A. Be careful using doPrivileged]

[SEC02-A. Beware of standard APIs that may bypass Security Manager checks]

[SEC03-A. Beware of standard APIs that may use the immediate caller's class loader instance]

[SEC04-A. Beware of standard APIs that perform access checks against the immediate caller]

[SEC05-A. Handle exceptions appropriately]

h2. Rules

[SEC30-C. Always use a Security Manager]

[SEC31-C. Never grant AllPermission]

[SEC32-C. Do not grant ReflectPermission with action suppressAccessChecks]

[SEC33-C. Define wrappers around native methods]

[SEC34-C. Do not allow the unauthorized construction of sensitive classes]

[SEC35-C. Provide mutable classes with a clone method]

[SEC36-C. Ensure that the bytecode verifier is applied to all involved code upon any modification]

h2. Risk Assessment Summary

h3. Rules
|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| SEC30-C | high | likely | low | {color:red}{*}P27{*}{color} | {color:red}{*}L1{*}{color} |
| SEC31-C | medium | probable | medium | {color:#cc9900}{*}P8{*}{color} | {color:#cc9900}{*}L2{*}{color} |
| SEC32-C | low | unlikely | high | {color:green}{*}P1{*}{color} | {color:green}{*}L3{*}{color} |



</textarea>
    </div>
    </div>
    <input id="selectedText" name="selectedText" type="hidden">
    <!-- two hidden fields to store textarea parts for mozilla based browsers -->
    <input type="hidden" name="sel1"><!--sel1: text before the selection-->
    <input type="hidden" name="sel2"><!--sel2: text after the selection-->

    <input type="hidden" name="inPreview" value="false"/>
    <input type="hidden" name="mode" value="markup"/>
    <input type="hidden" name="xhtml" value="false"/>

    <div id="preview" style="display:  none ; border:1px solid #CCCCCC; background-color:white;">
                        <div id="previewArea" style="margin:5px;"></div>
    </div>

    <!-- javascript code to initialise draft and heartbeat ajax -->
    <script type="text/javascript">
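                // Start periodic draft saving once the server has reported the interval.
                DraftAjax.getDraftSaveInterval(
                    function (interval)
                    {
                        // Function wrapper instead of the code string "saveDraft()":
                        // nothing is evaluated as source text (works under a CSP without
                        // 'unsafe-eval'), and no timer argument reaches saveDraft's
                        // callback parameter.
                        setInterval(function () { saveDraft(); }, interval);
                    }
                );

                // Page id '0' gets no heartbeat; for any other id, report activity
                // now and then again at the interval the server returns.
                if ('4254' != '0')
                {
                    heartbeat();
                    HeartbeatAjax.getHeartbeatInterval(
                        function (interval)
                        {
                            setInterval(function () { heartbeat(); }, interval);
                        }
                    );
                }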
        
        /**
         * Marks the content as changed since the last autosave. Wired to the
         * markup textarea's onkeyup and onchange handlers.
         */
        function contentChangeHandler()
        {
            contentHasChangedSinceLastAutoSave = !false;
        }
    </script>                </div>
            </div>
            <!-- comment field and minor edit checkbox -->
            <div class="inputSection">
                <div style="float:right">
                    <input id="minorEdit" type="checkbox" name="minorEdit" value="true"  />
                    <label for="minorEdit">
                        <span class="smalltext"><b>Minor change?</b> (no notifications will be sent)</span>
                    </label>
                </div>
                                              <span class="formtitle">Comment:</span>
                <input type="text"
                                   name="versionComment"
             size="40"                     tabindex="6"             class="monospaceInput"                style="width: 50%"       />            </div>

            <!-- Page permissions -->
            <div class="inputSection">
                

<!-- Copy some methods out of prototype 1.5 since we can't rev to it yet due to it causing a memory leak in jwebunit 1.2 and hence our func tests -->
<!-- this block of javascript can be removed when we rev to prototype 1.5 -->
<script type="text/javascript">
    // Linear search: returns the first index whose element loosely equals (==)
    // the argument, or -1 when there is none. Assigned unconditionally, so it
    // replaces a native Array.prototype.indexOf where one exists.
    Array.prototype.indexOf = function(object)
    {
        var position = 0;
        var count = this.length;
        while (position < count)
        {
            if (this[position] == object)
            {
                return position;
            }
            position++;
        }
        return -1;
    }

    // Returns the elements of this array that are not among the arguments.
    // Relies on $A, select and include being provided by the Prototype library.
    Array.prototype.without = function()
    {
        var excluded = $A(arguments);
        var isKept = function(candidate)
        {
            return !excluded.include(candidate);
        };
        return this.select(isKept);
    }

    // Returns the string with leading and trailing whitespace removed.
    String.prototype.strip = function()
    {
        var withoutLeading = this.replace(/^\s+/, '');
        return withoutLeading.replace(/\s+$/, '');
    }
</script>

<script type="text/javascript">



// Client-side state for the page-restriction editor: one PagePermissions object
// and one PermissionManager each for viewing and for editing.
// NOTE(review): these objects only drive the form UI; enforcement of view/edit
// restrictions is presumably done on the server, which is not visible here - confirm.
var viewPagePermissions = new PagePermissions();

var editPagePermissions = new PagePermissions();

var viewPermissionManager = new PermissionManager(PagePermissionType.VIEW);
var editPermissionManager = new PermissionManager(PagePermissionType.EDIT);
// The view manager is the one selected initially.
var currentPermissionManager = viewPermissionManager;



// UI strings for the restriction editor, stored under message keys in the
// page-wide i18n table.
i18n['done.name.caps'] = 'DONE';
i18n['edit.name.caps'] = 'EDIT';
i18n['page.perms.viewing.restricted'] = 'Viewing restricted to:';
i18n['page.perms.editing.restricted'] = 'Editing restricted to:';
i18n['page.perms.no.view.restrictions'] = 'No viewing restrictions set on this page';
i18n['page.perms.no.edit.restrictions'] = 'No editing restrictions set on this page';
i18n['page.perms.duplicate.names'] = 'Duplicate user or group name(s):';
i18n['page.perms.invalid.entity.names'] = 'Invalid user or group name(s):';

</script>

              </div>

            <!--labels section-->
            


<script>
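/**
 * Toggles between the label editor ('labels_div') and the read-only label
 * summary ('labels_info').
 *
 * When the editor ends up hidden, the summary shows the lower-cased content
 * of the 'labelsString' input and the toggle link reads "EDIT". When the
 * editor ends up visible, suggested labels for page '4254' are requested and
 * the link reads "DONE".
 *
 * The summary is written as a text node rather than through innerHTML, so
 * markup typed or pre-filled into the labels field is displayed as text and
 * never parsed as HTML.
 */
function toggleLabels()
{
    toggleVisibility('labels_div');
    toggleVisibility('labels_info');
    if($('labels_div').style.display == 'none')
    {
        var summary = $('labels_info');

        // Replace the previous summary with the current labels as plain text.
        while (summary.firstChild)
        {
            summary.removeChild(summary.firstChild);
        }
        summary.appendChild(document.createTextNode($('labelsString').value.toLowerCase()));

        $('labels_edit_link').innerHTML = "EDIT";
        highlight(summary);
    }
    else
    {
        SuggestedLabelsForEntity.viewLabels('4254', "labels/editpage-suggestedlabels.vm", loadSuggestedLabels);
        $('labels_edit_link').innerHTML = "DONE";
    }
}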

    /**
     * Callback for SuggestedLabelsForEntity.viewLabels: on success, places
     * the returned fragment into 'suggestedLabelsSpan'. An unsuccessful
     * response leaves the span as it is.
     *
     * NOTE(review): the response is inserted as HTML, so this relies on the
     * server-side template escaping label names and any other user-supplied
     * text it renders - confirm.
     */
    function loadSuggestedLabels(ajaxResponse)
    {
        if (!ajaxResponse.success)
        {
            return;
        }

        var suggestions = $('suggestedLabelsSpan');
        suggestions.innerHTML = ajaxResponse.response;
    }
</script>

<div id="labels_tab">
    <span class="formtitle">Labels: </span><span onclick="toggleLabels()" class="inline-control-link fontSizeTiny" id="labels_edit_link">EDIT</span>
</div>
<div id="labels_info">
   
</div>

<div id="labels_div" class="toggleFormDiv" style="padding: 8px; display:none">
    <table width="100%">
        <tr>
            <td width="60%" valign="top">
                <span class="error">
                    <span class="errorMessage" id="errorSpan"></span>
                </span>
                                              <input autocomplete="off" type="text" id="labelsString" name="labelsString" value="" class="monospaceInput" style="width:100%;" />
                <div class="smalltext"><em>Tip:</em> Looking for a label? Just start typing.</div>
                <div class="auto_complete" id="labelsAutocompleteList"></div>

                <script>new Ajax.Autocompleter('labelsString', 'labelsAutocompleteList', '4254', { tokens: new Array(',', ' '), dwrFunction: GenerateAutocompleteLabelsListForEntity.autocompleteLabels});</script>
            </td>
            <td valign="top">
                <div id="suggestedLabelsSpan" style="margin-top:5px;">

                </div>
            </td>
        </tr>
    </table>
</div>

<script>
    		toggleLabels();
    </script>
            <div>
                <div class="submitButtons">
                       <input
         tabindex="102"      accessKey="s"                  type="submit"      name="confirm" value="Save"/>&nbsp;&nbsp;
<input
         tabindex="104"                      type="submit"      name="cancel" value="Cancel"/>                </div>
            </div>
        </div>
    </div>
</form>
<script type="text/javascript">
	// Attach pageFormSubmit as the click handler of every input found inside
	// an element with class "submitButtons". Wrapped in a function so the
	// loop variables stay out of the global scope.
	(function() {
		var containers = $A(document.getElementsByClassName("submitButtons"));
		for (var c = 0; c < containers.length; c++) {
			var buttons = $A(containers[c].getElementsByTagName("input"));
			for (var b = 0; b < buttons.length; b++) {
				Event.observe(buttons[b], "click", pageFormSubmit, false);
			}
		}
	})();
</script>


<img src="/confluence/images/border/spacer.gif" width="0" height="0" border="0" onLoad="toggleHierarchy()">
    </div>
                            </div>
                        </td>
                                
    
            
    
                                                    <td valign="top" id="helptd" style="display:block; width:200px; border-top:1px solid #CCC;">
                            <div style="padding-left:5px;">
                                <div class="rightpanel">
        <div id="helpheading">
        <img src="/confluence/images/icons/help_16.gif" height=16 width=16 border=0 align=absmiddle title="Help Tips">
        Help Tips
      </div>
      <div id="helpcontent">
                        <p>
    <b>Notation Help:</b>

    (<a href="#" onClick="window.open('/confluence/renderer/notationhelp.action','notation_help','width=780, height=580, resizable, scrollbars')">full guide</a>)

    <br/>
        Text formatting:<br/>
        <span class="smalltext">
            *bold* &raquo; <b class="strong">bold</b><br/>
            _italic_ &raquo; <em class="emphasis">italic</em><br/>
            -strike- &raquo; <del class="deleted">strike</del><br/>
            +under+ &raquo; <u>under</u><br/>
        </span>
    </p>
    <p>
        Headings:<br/>
        <span class="smalltext">
            h1. Large heading!<br />
            h3. Medium heading<br/>
            h5. Small heading...<br/>
        </span>
    </p>
    <p>
        Lists:<br/>
        <span class="smalltext">
            * Bulleted point<br />
            # Numbered point<br/>
        </span>
    </p>
    <p>
        Linking:<br/>
        <span class="smalltext">
            [title#anchor] &raquo; Link a page<br/>
            [dev:title#anchor] &raquo; In space with 'dev'<br/>
            [http://host.com] &raquo; Remote link<br/>
            [phrase@shortcut] &raquo; Shortcut<br/>
            <b><i>Note:</i></b> [alias|any_of_above_links] &raquo; Custom link title
        </span>
    </p>
    <p>
        Tables:<br/>
        <span class="smalltext">
            ||head1||head2||<br/>
            |colA1|colA2|<br/>
            |colB1|colB2|
        </span>
    </p>

    Details and full examples are in the
    <a href="/confluence/renderer/notationhelp.action" onClick="window.open(this.href,'notation_help','width=680, height=440, resizable, scrollbars'); return false;">full notation guide &raquo;</a>
                </div>
  </div>
                            </div>
                        </td>
                                            </tr>
                </table>
                <!-- End inner content table -->
            </td>
        </tr>
    </table>
</div>
  	                                                            <div class="bottomshadow"></div>

<!-- delay the loading of large javascript files to the end so that they don't interfere with the loading of page content -->
<span style="display: none"></span>

</body>
</html>