What steps will reproduce the problem?
1. Set IntrusionDetector.Disable=true in ESAPI.properties
2. Pass a double-encoded String to StringValidationRule.getValid(String context, String input)
3. An IntrusionException is thrown

What is the expected output? What do you see instead?
I would expect IntrusionException to not be thrown, thus respecting the property in ESAPI.properties.

Please use labels and text to provide additional information.
From the source code, it looks like StringValidationRule.getValid( String context, String input ) calls the one-argument DefaultEncoder.canonicalize(String input) which automatically enforces strict intrusion detection regardless of the value in ESAPI.properties.

The one argument canonicalize() method should be adjusted to use the value from ESAPI.properties instead of the hard-coded 'true' value for strict.
From augu...@gmail.com on September 28, 2010 16:02:08
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=152
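A simplified, self-contained model of the behaviour described in the report above, added here as an example and not taken from the ESAPI source. The class and method names (CanonicalizeStrictDemo, decodeOnce, canonicalizeAsReported, canonicalizeProposed) are hypothetical, the decoder handles only percent-encoding, and mapping strict to the IntrusionDetector.Disable property follows the reporter's proposal.

```java
import java.util.Properties;

// Simplified model of the reported behaviour; not ESAPI source code.
public class CanonicalizeStrictDemo {
    static final Properties CONFIG = new Properties(); // stand-in for ESAPI.properties
    static class IntrusionException extends RuntimeException { IntrusionException(String m) { super(m); } }

    // One pass of percent-decoding; malformed sequences are copied through unchanged.
    static String decodeOnce(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            int hi = i + 2 < s.length() ? Character.digit(s.charAt(i + 1), 16) : -1;
            int lo = i + 2 < s.length() ? Character.digit(s.charAt(i + 2), 16) : -1;
            if (s.charAt(i) == '%' && hi >= 0 && lo >= 0) {
                out.append((char) (hi * 16 + lo));
                i += 2;
            } else {
                out.append(s.charAt(i));
            }
        }
        return out.toString();
    }

    // Decode until stable; strict mode rejects input that needed more than one pass.
    static String canonicalize(String input, boolean strict) {
        String current = input;
        int passes = 0;
        for (String next = decodeOnce(current); !next.equals(current); next = decodeOnce(current)) {
            current = next;
            passes++;
        }
        if (strict && passes > 1) throw new IntrusionException("Multiple (" + passes + "x) encoding detected");
        return current;
    }

    // Behaviour described in the report: strict is hard-coded to true.
    static String canonicalizeAsReported(String input) { return canonicalize(input, true); }
    // Behaviour the reporter asks for: strict follows the configured property.
    static String canonicalizeProposed(String input) {
        boolean disabled = Boolean.parseBoolean(CONFIG.getProperty("IntrusionDetector.Disable", "false"));
        return canonicalize(input, !disabled);
    }

    public static void main(String[] args) {
        CONFIG.setProperty("IntrusionDetector.Disable", "true");
        String input = "%253Cb%253E"; // constructed sample: "<b>" percent-encoded twice
        System.out.println("proposed: " + canonicalizeProposed(input));
        try { canonicalizeAsReported(input); }
        catch (IntrusionException e) { System.out.println("as reported: " + e.getMessage()); }
    }
}
```

With the property set to true, the proposed overload returns the fully decoded value, so any caller relying on it still has to validate the canonical form before use.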