Another problem with custom sanitization code is that it may not be adequately maintained when new capabilities are added to the command interpreter or parser software.
This noncompliant code example demonstrates an XSS exploit.
Regular expressions make you think hard about what you will accept; for example, "Is a leading sign for positive numbers optional, mandatory, or forbidden?" The many ways that floating-point numbers can be represented could overheat your brain. Then, construct a regular expression to match those things alone. Be careful to use anchors as needed; otherwise, the pattern will be searched for anywhere in the string rather than required to cover the whole of it. For example:

$RE   # match 1234567 or 1,234,567
$RE   # match 1.2345.6789
$RE   # match 014 but not 99
$RE   # match 1,234,594
$RE   # match 1,234 or 1234
$RE   # match 123.456 or -0.123456
$RE   # match xvii or MCMXCVIII
$RE   # match 9 or 256 or 12321

Some of these patterns, such as square, were not available in early module versions.
When available, their use is preferred over custom sanitization techniques because custom-developed sanitization can often neglect special cases or hidden complexities in the parser.

This code uses the CGI module to display a web form and is adapted from an example in the module's documentation. The form queries the user for a name and displays the resulting name on the page when the user clicks. But this code will happily parse image tags, HTML markup, JavaScript, or any other commands an attacker may wish to send.

This can be very true - at least if you make sure you have tests of all your endpoints. Personally I'm a huge fan of documenting as well as testing.
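The following script is an added example, not code from the page or from the CERT or Perl Cookbook material it draws on. It illustrates both points above: the anchored-versus-unanchored regex check for the "name" field, and HTML output encoding of that field before it is echoed back, which is what the CGI form fragment omits. It uses only core Perl (the escaping routine stands in for CGI.pm's escapeHTML so the script runs without CGI installed); the sample field values are constructed.

```perl
#!/usr/bin/perl
# Added example: anchored allowlist validation of a form field, followed by
# HTML output encoding. Core Perl only; sample inputs below are constructed.
use strict;
use warnings;

# Constructed sample values for the "name" form field.
my @samples = (
    "Alice",
    "Mary-Jane O'Neil",
    "<script>alert(1)</script>",
    "Bob\n<img src=x>",
);

# Anchored allowlist: a letter followed by up to 39 letters, spaces, hyphens
# or apostrophes. \A and \z are used instead of ^ and $ because $ also
# matches just before a trailing newline, which would let "Bob\n..." through.
sub is_valid_name {
    my ($s) = @_;
    return 0 unless defined $s;
    return $s =~ /\A[A-Za-z][A-Za-z' -]{0,39}\z/ ? 1 : 0;
}

# The same class without anchors: it only asks whether the pattern occurs
# somewhere in the string, so "<script>alert(1)</script>" passes via "script".
sub loosely_valid_name {
    my ($s) = @_;
    return 0 unless defined $s;
    return $s =~ /[A-Za-z][A-Za-z' -]{0,39}/ ? 1 : 0;
}

# Output encoding for an HTML text context (CGI.pm's escapeHTML does the same
# job; reimplemented here so the script has no non-core dependency).
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Hardened rendering: reject on validation failure, and encode on output
# regardless, so a later relaxation of the allowlist cannot reintroduce XSS.
sub render_greeting {
    my ($name) = @_;
    return "<p>Invalid name.</p>" unless is_valid_name($name);
    return "<p>Hello, " . html_escape($name) . "</p>";
}

for my $name (@samples) {
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-30s anchored=%d unanchored=%d -> %s\n",
        qq("$shown"), is_valid_name($name), loosely_valid_name($name),
        render_greeting($name);
}
```

Running it shows the unanchored check accepting every sample, because each contains a run of letters somewhere, while the anchored check accepts only the two plain names; the newline sample is the case where a `^...$` pair would also have failed, since `$` matches before a trailing newline.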
See the OWASP Development Guide article on Data Validation.