13.3.1 implies that input validation is enough for security #1594
Assignees
Labels
2) Awaiting response
Awaiting a response from the original poster
Will be closed if no response/opposite arguments
Comments
|
English is not my native language so I'm not able to read from "validation of each input field before any processing of that data takes place" that it is "enough for security". Taken SQL injection as an example, then this is not something what you can fix or defend on XML validation layer. With XSD schema validation you need to validate, that input XML is with expected structure and this is the first step of the input handling. The requirement does not limit it to be the only and/or last step. Can you please redefine or rephrase the problem with the requirement 13.3.1? |
elarlang
added
the
2) Awaiting response
|
ping @jmanico |
|
Fair argument, happy to close this out. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
13.3.1 (also briefly mentioned here #1552) implies that input validation is enough to protect data.
Inputs into API's may need validation or possibly sanitization for HTML input, or even encoding in some cases to protect against injection, or query parameterization to protect from SQl. Even valid data can sometimes cause injection! Validation is not always "the way" and sometimes it does not secure data, such as a valid email can still be a SQLi vector like jim'or'!=@manicode.com
The text was updated successfully, but these errors were encountered: