Wording issue in CWE-107

G. Ann Campbell
Hi,

CWE-107 speaks of unused validation forms, but I believe it should be fields instead.

From the code samples (emphasis mine):

private String zipcode;
// no longer using the phone form field
// private String phone;
private String email;

...
<field property="phone" depends="required,mask">
    <arg position="0" key="prompt.phone"/>
    <var>
        <var-name>mask</var-name>
        <var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value>
    </var>
</field>
...

From the description (emphasis mine):
However, the validator XML file, validator.xml, for the RegistrationForm class includes the validation form for the user input form field "phone" that is no longer used by the input form

This also occurs in the CWE title: Struts: Unused Validation Form.

I'm not familiar with Struts validation, so if the CWE is already correct as written, please excuse the noise.


Thx,
Ann

---
G. Ann CAMPBELL | SonarSource
Product Owner
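The mismatch the post describes (a validator.xml entry for a form-bean property that no longer exists) is easy to miss in review because the two files are edited independently. The following is an added example, not part of the mailing-list post or of the CWE entry, showing a simple cross-check that flags such stale validation entries and, conversely, bean fields with no validation entry at all. The form-bean source, the validator.xml fragment and the extra "username" field are constructed sample inputs modelled on the CWE-107 snippet quoted above; the field-declaration regex is a deliberately simple heuristic, not a Java parser.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Struts ActionForm with the "phone" field commented out,
# plus a "username" field that has no validation rule (both are illustrative).
FORM_BEAN_SOURCE = """
public class RegistrationForm extends ActionForm {
    private String username;
    private String zipcode;
    // no longer using the phone form field
    // private String phone;
    private String email;
}
"""

# Constructed sample validator.xml fragment (hypothetical, not Struts' own file).
VALIDATOR_XML = """
<form-validation>
  <formset>
    <form name="RegistrationForm">
      <field property="zipcode" depends="required"/>
      <field property="phone" depends="required,mask">
        <arg position="0" key="prompt.phone"/>
        <var>
          <var-name>mask</var-name>
          <var-value>^([0-9]{3})(-)([0-9]{4}|[0-9]{4})$</var-value>
        </var>
      </field>
      <field property="email" depends="required,email"/>
    </form>
  </formset>
</form-validation>
"""

# Heuristic: one private field declaration per line, e.g. "private String zipcode;"
FIELD_DECL = re.compile(r"^\s*private\s+\w+\s+(\w+)\s*;", re.MULTILINE)
# Whole-line "//" comments are dropped so commented-out fields do not count.
COMMENT_LINE = re.compile(r"^\s*//.*$", re.MULTILINE)


def declared_fields(java_source):
    """Names of active (not commented-out) private fields in the form bean."""
    active = COMMENT_LINE.sub("", java_source)
    return set(FIELD_DECL.findall(active))


def validated_properties(xml_text, form_name):
    """Property names that have a <field> entry for the given <form> in validator.xml."""
    root = ET.fromstring(xml_text)
    props = []
    for form in root.iter("form"):
        if form.get("name") == form_name:
            props.extend(field.get("property") for field in form.findall("field"))
    return props


def unused_validation_fields(java_source, xml_text, form_name):
    """Validation entries whose property no longer exists in the bean (the CWE-107 case)."""
    fields = declared_fields(java_source)
    return [p for p in validated_properties(xml_text, form_name) if p not in fields]


def unvalidated_fields(java_source, xml_text, form_name):
    """Bean fields with no validation entry at all: input that reaches the action unchecked."""
    validated = set(validated_properties(xml_text, form_name))
    return sorted(f for f in declared_fields(java_source) if f not in validated)


if __name__ == "__main__":
    form = "RegistrationForm"
    print("stale validation entries:", unused_validation_fields(FORM_BEAN_SOURCE, VALIDATOR_XML, form))
    print("fields without validation:", unvalidated_fields(FORM_BEAN_SOURCE, VALIDATOR_XML, form))
```

Run against the constructed inputs, the first check reports "phone" (a rule with nothing to validate, which is what the CWE entry describes) and the second reports "username" (a field that accepts input with no rule at all, which is the more dangerous direction). Both are cheap to run as a build-time check whenever the bean or validator.xml changes.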