Confirmed users
491
edits
WebAppSec/Secure Coding Guidelines: Difference between revisions
Jump to navigation
Jump to search
→Input Validation
(Created page with '=Introduction= The purpose of this page is to establish a concise and consistent approach to secure application development of Mozilla web applications and web services. The info…') |
|||
| Line 93: | Line 93: | ||
'''Attacks of Concern''': Introduction of Dirty/Malformed Data | '''Attacks of Concern''': Introduction of Dirty/Malformed Data | ||
===Goal of Input Validation=== | |||
Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below. | |||
Input Validation Must Be: | |||
* Applied to all user controlled data | |||
* Define the types of characters that can be accepted (often %20-%7E, though most special characters could be removed) | |||
* Defines a minimum and maximum length for the data (e.g. {1,25} ) | |||
'''Examples of Good Input Validation Approaches''' | |||
For each field define the types of acceptable characters and an acceptable number of characters for the input | |||
* Username: Letters, numbers, 3 to 10 characters | |||
* Firstname: Letters, single apostrophe, 1 to 30 characters | |||
* Simple Zipcode: Numbers, 5 characters | |||
===JavaScript vs Server Side Validation=== | ===JavaScript vs Server Side Validation=== | ||
| Line 116: | Line 130: | ||
* HTTP Headers | * HTTP Headers | ||
* Essentially anything in the HTTP request | * Essentially anything in the HTTP request | ||
===Validating Rich User Content=== | ===Validating Rich User Content=== | ||