|
|
|
|
|
|
by ashearer
2298 days ago
|
|
|
Yes, I completely agree in the above case. The JSON input has a well-defined format and input validation should reject it outright. The issue is that when developers hear they should "reject bad input" in order to avoid vulnerabilities, they often interpret it as a call to reject any user input that isn't already known to be good. Since user inputs are often free text, like the name field, they wind up forbidding any input they hadn't specifically imagined, which doesn't align with any particular recipient's actual data requirement. It creates false-negative edge cases while only providing illusory help against vulnerabilities. |
|
|