HttpParamtervalue for allowing Xml Data #337
Comments
|
What you're asking for is illegal according to the HTTP 1.1 specification. Please note that the characters The proper place for HTML/XML content is NOT in an HTTP header. Re-architect your communication protocol to conform to web standards! Seriously, as an attacker, I live for finding nonstandard implementations like this, because they're nearly always proprietary and innately exploitable. Keep HTML/XML content in the request body where they belong. @kwwall -- recommend closing. |
|
@xeno6696 is correct, what bhuvanes...@gmail.com is asking for is forbidden by the spec, so we definitely should NOT allow it or otherwise try to support it. An attacker of course can pass whatever "evil" characters that they wish in HTTP request headers, but that doesn't mean that OWASP should do something to encourage developers to accept that. Am I closing this. #willnotfix |
From bhuvanes...@gmail.com on July 14, 2014 14:54:30
Hi All,
I'm trying to modify the validator.httpParamterValue which is having the value as
Validator.HTTPParameterValue=^[\p{L}\p{N}.-/+=_ !$*?@:%]{0,1000}$.
I'm, unable to parse the xml input :
JLTF53SR00CIndividualIndividualADMSRaddJLTF53SR00C00010.
Please provide me a regex which would pass the entire input xml for HttpParamter value.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=334
The text was updated successfully, but these errors were encountered: