5.2.2 sounds like input validation #1640
edit:
Actually, it's a valid requirement. The point of sanitization is that, if input validation cannot be used, you need to send valid and safe input to the next component (downstream), and therefore you need to be sure that it only contains allowed characters and has an expected/safe length.
Is there any certain problem to discuss or is there a need for improvement? I think it is suitable for "covering all sanitization cases" which does not have separate requirements per situation. ping @tghosth
You think it is like a catch-all or something? It does seem a little vague...
Thought about this but we don't love the fact that it references other requirements. On the other hand, not sure how to accomplish this as a "last resort/catch-all requirement" without doing so.
Need to think more about it.
I now think this is a duplicate of 5.1.3. I think we should do as follows:
What do you think @elarlang?
I stand by my comment in #1640 (comment)
For me the requirement must stay and I'm ok with the requirement as it is. Also, I have pointed to and quoted this requirement many times as the reason to not have some other requirement. So it's a clear no from me to remove it.
Ok so in that case maybe this clashes with the new 5.3.14 and we need to merge them @elarlang?
This requirement is important for a situation where output encoding is not possible. We should be clear that sanitization is required when there is no standard encoding or escaping that can be performed. Maybe in the intro text for the section. Suggested update discussed with @elarlang:
@set-reminder 7 days @tghosth to open a PR and also check intro text.
This requirement is in the sanitization section but sounds like input validation. The CWE also doesn't make sense to me.