
URL Input Validation on AS Java

Besides output encoding, which is the most effective way to protect Web applications against XSS, it is also possible to validate the input instead of encoding the output.

Note

Input or data validation does not mean input encoding. Input encoding must be avoided in any case, and where it already exists it must be removed, because it leads to situations where it is unclear whether the data is already encoded. Web servers should always decode the content exactly once and Web clients should always encode the content exactly once. Most often, input encoding results in content being encoded twice. Data validation makes it possible to write data to Web clients without output encoding.

Situations where sanitizing could solve problems are the contexts marked ...NEVER PUT UNTRUSTED DATA HERE..., which are described in the examples in the previous topics.

Note

We also recommend using whitelist filtering to further increase protection.

URL Validation

The class URLChecker with the static method isValid() performs a syntax check of the URL and throws an exception if the URL contains invalid characters or sequences (for example, <script).

For more information, see the Javadocs for the package com.sap.security.core.server.csi at http://help.sap.com/javadocs for SAP NetWeaver <Release> → Composition Environment → Security.

Path / URL Path Normalization

Normalization of a path means validating the path and removing path traversal sequences.

Tip

Example:

http://www.server.com/path1/path2/../.././././etc/passwd => http://www.server.com/etc/passwd

For AS Java, use the methods pathNormalization() and urlNormalization() in the class Canonicalization.

For more information, see the Javadocs for the package com.sap.security.core.server.csi at http://help.sap.com/javadocs for SAP NetWeaver <Release> → Composition Environment → Security.
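The following Java class is an added example that is not part of the SAP csi package and does not call URLChecker or Canonicalization. It uses only java.net.URI to show the two operations this topic describes: a syntax and whitelist check in the spirit of URLChecker.isValid() (with the whitelist filtering recommended above), and normalization in the spirit of urlNormalization() and pathNormalization(), applied to the traversal example from the tip. The class name UrlInputCheck and the whitelisted scheme and host values are assumptions for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative URL checks for an AS Java application. This is NOT the SAP csi package;
 * it only mirrors the two operations the documentation describes, using java.net.URI.
 */
public final class UrlInputCheck {

    // Whitelist of schemes and hosts the application accepts (assumed values for this example).
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.server.com");

    private UrlInputCheck() {
    }

    /**
     * Syntax and whitelist check in the spirit of URLChecker.isValid(): parse the URL,
     * require a whitelisted scheme and host, decode exactly once, and reject markup
     * fragments such as "<script" that survive URL encoding (for example "%3Cscript").
     */
    public static boolean isValid(String url) {
        URI uri;
        try {
            uri = new URI(url); // raw '<', '>', spaces and malformed %-escapes fail here
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return false;
        }
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return false;
        }
        // Decode once, never twice: double decoding is exactly the situation the note above warns about.
        String decoded = URLDecoder.decode(url, StandardCharsets.UTF_8).toLowerCase(Locale.ROOT);
        return !decoded.contains("<script");
    }

    /**
     * URL normalization in the spirit of Canonicalization.urlNormalization(): collapse "." and ".."
     * segments, so that the topic's example
     * http://www.server.com/path1/path2/../.././././etc/passwd becomes http://www.server.com/etc/passwd.
     * Returns null when the path tries to climb above the root, because java.net.URI keeps a
     * leading ".." it cannot resolve instead of silently dropping it.
     */
    public static String urlNormalization(String url) {
        try {
            URI normalized = new URI(url).normalize();
            return escapesRoot(normalized.getPath()) ? null : normalized.toString();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** The same operation for a bare path without scheme or host, in the spirit of pathNormalization(). */
    public static String pathNormalization(String path) {
        try {
            String normalized = new URI(null, null, path, null).normalize().getPath();
            return escapesRoot(normalized) ? null : normalized;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // A normalized path that still starts with ".." contains more ".." segments than it can resolve.
    private static boolean escapesRoot(String path) {
        return path != null && (path.startsWith("/..") || path.startsWith(".."));
    }

    public static void main(String[] args) {
        // The traversal example from the tip above, plus constructed inputs for the other cases.
        System.out.println(urlNormalization("http://www.server.com/path1/path2/../.././././etc/passwd"));
        System.out.println(urlNormalization("http://www.server.com/../etc/passwd"));
        System.out.println(pathNormalization("/path1/path2/../.././././etc/passwd"));
        System.out.println(isValid("https://www.server.com/index.html?q=1"));
        System.out.println(isValid("http://www.server.com/?q=%3Cscript%3Ealert(1)"));
        System.out.println(isValid("http://evil.example/path"));
    }
}
```

Running main normalizes the topic's example URL to http://www.server.com/etc/passwd, returns null for a path that starts with ".." after normalization (a caveat of java.net.URI.normalize() that a real validator must handle explicitly), and rejects both the percent-encoded "<script" fragment and a host outside the whitelist. In a real application the whitelist would come from configuration rather than constants, and the SAP csi classes named above should be preferred over a hand-written check.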