Writing Secure Code
- Do perform input validation on all input before passing it to a command processor.
- Do handle the failure securely if an input validation check fails.
- Do not pass unvalidated input to any command processor, even if the intent is that the input will just be data.
- Do not use the deny-list approach, unless you are 100 percent sure you are accounting for all possibilities.
- Consider avoiding regular expressions for input validation; instead, write simple and clear validators by hand.
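An added example, not part of the original checklist, that puts these points together: a hand-written allow-list validator (no regular expression), a deny-list validator shown only to contrast how it misses cases, and fail-closed handling before anything reaches a command processor. The host-name rules and the `ping` command line are assumptions chosen for illustration.

```python
import subprocess
from typing import List, Optional

# Allow-list validator written by hand: only ASCII letters, digits, '-' and '.',
# bounded length, and no leading or trailing '.' or '-' (a leading '-' would
# otherwise let the value be read as an option by the command processor).
def is_valid_hostname(value: str) -> bool:
    if not value or len(value) > 253:
        return False
    if value[0] in ".-" or value[-1] in ".-":
        return False
    for ch in value:
        # isascii() matters: isalnum() alone also accepts non-ASCII letters
        if not (ch.isascii() and (ch.isalnum() or ch in "-.")):
            return False
    return True

# Deny-list validator, for contrast only. It blocks three shell metacharacters
# and nothing else, so backticks, newlines and many other cases slip through.
DENIED_CHARS = ";&|"

def deny_list_passes(value: str) -> bool:
    return not any(ch in DENIED_CHARS for ch in value)

def build_ping_argv(host: str) -> Optional[List[str]]:
    """Validate first; on failure return None (fail closed) rather than a
    'cleaned up' version of the input."""
    if not is_valid_hostname(host):
        return None
    # An argv list with no shell: the host stays data even if validation
    # were later found to be imperfect.
    return ["ping", "-c", "1", host]

def ping_host(host: str) -> int:
    """Run ping for a validated host; refuse (non-zero) if validation fails."""
    argv = build_ping_argv(host)
    if argv is None:
        return 2  # caller logs and reports the rejection; nothing is executed
    return subprocess.run(argv, shell=False).returncode

if __name__ == "__main__":
    # Constructed inputs for demonstration
    for candidate in ["example.com", "example.com`id`", "-c", "host\nid"]:
        print(repr(candidate), "->", build_ping_argv(candidate))
```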