Hardy Ferentschik updated HV-473:
---------------------------------
Affects Version/s: 4.2.0.Final
Fix Version/s: 4.3.0.next
Add option to Canonicalize String Input
---------------------------------------
Key: HV-473
URL:
http://opensource.atlassian.com/projects/hibernate/browse/HV-473
Project: Hibernate Validator
Issue Type: Improvement
Components: engine
Affects Versions: 4.2.0.Final
Environment: n/a
Reporter: Chris Schmidt
Fix For: 4.3.0.next
Add the ability to enable canonicalization (normalization) of Strings prior to validation
processing. By default this behavior should be enabled.
Canonicalization is imperative in validation logic; without it, it is possible to bypass
many validation constraints (string based) to perform things like encoding attacks (XSS,
SQLi) and Path traversal attacks (RFI, LFI).
This canonicalization should be configurable to allow Multiple or Mixed encoding in a
string (with a default to fail validation if either condition is true) through the use of
annotation:
@Canonicalize(allowMixed=true, allowMultiple=true)
@Pattern(regexp=".*")
private String someString;
This is necessary, especially when using validation on machine generated values
(webservices, etc.) to allow a string to be canonicalized to its base form even if
there are multiple or mixed encodings in the string. However, this is not behavior that a
normal application user would display - hence the approach of disallowing a string of this
type by default.
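To make the bypass and the proposed multiple/mixed encoding checks concrete, here is a small stand-alone illustration of the idea. It is an added example written for this record, not Hibernate Validator code and not ESAPI code; it only models the behaviour the ticket asks for (decode repeatedly until the string stops changing, flag multiple and mixed encoding, then apply the pattern). The decoder set (percent and HTML-entity only), the pattern NO_ANGLE, and the helper names canonicalize/validate/validate_raw are assumptions of the example. The inputs in the usage section are constructed samples.

```python
import html
import re
from urllib.parse import unquote

# Decoders applied during canonicalization. Each one returns its input
# unchanged when there is nothing to decode, which is how the loop below
# detects that the string has reached its base form. Only two codecs are
# modelled here (assumption of the example); ESAPI ships many more.
DECODERS = {
    "percent": unquote,          # %3C -> <
    "html-entity": html.unescape,  # &lt; / &#60; / &#x3c; -> <
}


def canonicalize(value: str, max_rounds: int = 10):
    """Reduce `value` to its base form.

    Every decoder is applied in turn, and the whole set is repeated until a
    full pass changes nothing (or max_rounds is hit). Returns a tuple
    (canonical, multiple, mixed) where
      multiple: some single decoder had to run more than once (e.g. %253C)
      mixed:    more than one distinct decoder was needed (e.g. &#37;3C)
    """
    current = value
    uses = {}  # decoder name -> how many times it changed the string
    for _ in range(max_rounds):
        changed = False
        for name, decode in DECODERS.items():
            decoded = decode(current)
            if decoded != current:
                uses[name] = uses.get(name, 0) + 1
                current = decoded
                changed = True
        if not changed:
            break
    multiple = any(count > 1 for count in uses.values())
    mixed = len(uses) > 1
    return current, multiple, mixed


def validate_raw(value: str, regexp: str) -> bool:
    """A plain @Pattern check with no canonicalization: the pattern sees the
    encoded bytes, not the characters the consumer will eventually act on."""
    return re.fullmatch(regexp, value) is not None


def validate(value: str, regexp: str, allow_multiple: bool = False,
             allow_mixed: bool = False):
    """Model of the proposed @Canonicalize(allowMixed, allowMultiple) + @Pattern
    pair. Returns (accepted, detail); detail is the rejection reason or, on
    success, the canonical string that the pattern was actually applied to."""
    canonical, multiple, mixed = canonicalize(value)
    if multiple and not allow_multiple:
        return False, "multiple encoding"
    if mixed and not allow_mixed:
        return False, "mixed encoding"
    if re.fullmatch(regexp, canonical) is None:
        return False, "pattern"
    return True, canonical


# A naive "no angle brackets" constraint, as an application might write it.
NO_ANGLE = r"[^<>]*"

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["hello", "%3Cscript%3E", "%253C", "&#37;3C"]:
        print(f"{sample!r:16} raw={validate_raw(sample, NO_ANGLE)!s:5} "
              f"canonicalized={validate(sample, NO_ANGLE)}")
```

The second sample is the point of the ticket: `validate_raw` accepts `%3Cscript%3E` because the regexp never sees a `<`, while `validate` decodes it first and rejects it. The third and fourth samples show the two flags, a doubly percent-encoded value and a value that mixes an HTML numeric entity with percent encoding; both are rejected by default, and `allow_multiple=True` / `allow_mixed=True` opt back in for machine-generated input as the ticket proposes.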
Please reference the OWASP ESAPI for an example of how to implement:
http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/ja...
For additional information on the importance of canonicalization in validation see:
https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode
Feel free to use the ESAPI Library or any of its code to help Hibernate-Validator be
more secure and complete!
--
This message is automatically generated by JIRA.