2.4.2 Input Validation

This topic describes input validation.

Oracle Banking Accounts is a web-based application; request data travels from the browser to the server in request headers and request parameters. All request fields coming from the client are validated using whitelist validation to prevent cross-site scripting.

User-defined methods are used for input validation; they check each character of a request field against a range of allowed characters. In addition, the OJET framework handles input attribute validation. The user-defined methods escapeJavaScript(), escapeHTML() and escapeURL() sanitize output data before it is flushed to the client browser.

  • escapeJavaScript() escapes all characters except the immune JavaScript characters and the alphanumeric characters of the ASCII character set. All other characters are encoded using the \xHH or \uHHHH notation for ASCII or Unicode sequences respectively.
  • escapeHTML() replaces characters with the equivalent HTML entities obtained from a lookup map. The lookup map contains entities such as amp, quot, lt, gt, etc.
  • escapeURL() encodes the URL using the URLEncoder class.
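The following is an added illustration, not Oracle Banking Accounts code: a per-character whitelist check and output-encoding helpers modelled on the escapeJavaScript(), escapeHTML() and escapeURL() behaviour described above. The allowed-character ranges, the immune-character set and the use of encodeURIComponent in place of Java's URLEncoder are assumptions made for the example.

```javascript
// Added example (not the product's code). Whitelist check: every
// character must fall inside one of the allowed ranges; one character
// outside the ranges rejects the whole field.
function isWhitelisted(value, ranges) {
  for (const ch of value) {
    const code = ch.codePointAt(0);
    const ok = ranges.some(([lo, hi]) =>
      code >= lo.codePointAt(0) && code <= hi.codePointAt(0));
    if (!ok) return false;
  }
  return true;
}

// Constructed range set for a name field (assumption for this example).
const NAME_RANGES = [['A', 'Z'], ['a', 'z'], ['0', '9'], [' ', ' '], ['-', '-']];

// Characters left unencoded besides ASCII alphanumerics. This set is an
// assumption; the page does not list the product's immune characters.
const JS_IMMUNE = new Set([',', '.', '_']);

// Encode everything else as \xHH (code < 0x100) or \uHHHH. Iterating over
// UTF-16 code units keeps astral characters representable as surrogate pairs.
function escapeJavaScript(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i);
    if (/^[A-Za-z0-9]$/.test(ch) || JS_IMMUNE.has(ch)) { out += ch; continue; }
    const hex = code.toString(16).toUpperCase();
    out += code < 0x100 ? '\\x' + hex.padStart(2, '0') : '\\u' + hex.padStart(4, '0');
  }
  return out;
}

// Lookup map of entity names; a single regex pass avoids double-encoding '&'.
const HTML_ENTITIES = new Map([['&', 'amp'], ['<', 'lt'], ['>', 'gt'], ['"', 'quot']]);
function escapeHTML(s) {
  return s.replace(/[&<>"]/g, ch => '&' + HTML_ENTITIES.get(ch) + ';');
}

// encodeURIComponent stands in for URLEncoder here (assumption); note that
// Java's URLEncoder emits '+' for a space whereas this emits %20.
function escapeURL(s) {
  return encodeURIComponent(s);
}
```

Validation rejects the field outright, while the escape functions are applied to data that is still written back to the page; the two are complementary, not alternatives.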

Whitelist validation is also used to restrict image, signature and Excel uploads, and to check the user's rights for every operation performed.