Input validation is performed to minimize the amount of malformed data entering the system. It can be used to detect unauthorized input before it is processed by the application. Input validation is NOT the primary method of preventing XSS or SQL Injection. Detailed information on XSS prevention is in the OWASP XSS Prevention Cheat Sheet.

White list validation involves defining exactly what IS authorized; by definition, everything else is not authorized. White list validation is appropriate for all input fields provided by the user. If it's well-structured data, like dates, social security numbers, zip codes, e-mail addresses, etc., then the developer should be able to define a very strong validation pattern, usually based on regular expressions, for validating such input. Developing regular expressions can be complicated and is well beyond the scope of this cheat sheet.

In summary, input validation should:

Example validating the parameter "zip" using a regular expression:

```java
import java.util.regex.Pattern; // required for Pattern
private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$"); // five digits, then an optional "-" and four digits
```

Many web applications contain computationally expensive and inaccurate regular expressions that attempt to validate email addresses. Many web applications also do not treat email addresses correctly due to common misconceptions about what constitutes a valid address. At the time of writing, RFC 5321 is the current standard defining SMTP and what constitutes a valid mailbox address. Specifically, it is completely valid to have a mailbox address which:

Please note, email addresses should be considered to be public data.

Many websites allow users to upload files, such as a profile picture or more.
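The following is an added example, not code from the cheat sheet, that turns the "zip" pattern above into a complete whitelist check. The class name, the length bound and the sample inputs are assumptions made for this example. It also contrasts `matches()` with `find()`, because in Java `$` matches just before a trailing line terminator, so `find()` silently accepts a value with a trailing newline that `matches()` rejects.

```java
import java.util.regex.Pattern;

// Added example (not from the cheat sheet): whitelist validation of a "zip"
// parameter, with a length bound applied before the regex runs.
public class ZipValidator {
    // Five digits, optionally followed by "-" and four more digits.
    private static final Pattern ZIP_PATTERN = Pattern.compile("^\\d{5}(-\\d{4})?$");
    private static final int MAX_LENGTH = 10; // longest allowed form: "12345-6789" (assumed bound)

    /** Whitelist check: true only if the entire value matches the pattern. */
    public static boolean isValidZip(String value) {
        if (value == null || value.isEmpty() || value.length() > MAX_LENGTH) {
            return false; // cheap bounds check before untrusted input reaches the regex engine
        }
        // matches() requires the whole input to be consumed by the pattern.
        return ZIP_PATTERN.matcher(value).matches();
    }

    /** Same pattern with find(): included only to show why it is the wrong call here. */
    public static boolean looseZipCheck(String value) {
        // In Java, "$" also matches just before a trailing line terminator, so
        // find() accepts "12345\n" while matches() rejects it.
        return value != null && ZIP_PATTERN.matcher(value).find();
    }

    public static void main(String[] args) {
        // Constructed sample inputs (not from the original page).
        String[] samples = { "12345", "12345-6789", "1234", "12345-678", "12345\n", "12345;x", null };
        for (String s : samples) {
            String shown = s == null ? "null" : s.replace("\n", "\\n");
            System.out.printf("%-12s matches=%-5b find=%b%n", shown, isValidZip(s), looseZipCheck(s));
        }
    }
}
```

Compile and run with `javac ZipValidator.java && java ZipValidator`; only the first two samples pass `isValidZip`, while `looseZipCheck` additionally accepts the newline-terminated value.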
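As an added example for the email paragraph above (not code from the cheat sheet), the class below avoids a single catch-all regex and instead applies the size limits RFC 5321 places on the local part (64 octets), the domain (255 octets) and the whole path (256 octets including the enclosing brackets), plus a per-label check on the domain. The class name and sample inputs are assumptions; handling of address literals such as `[192.0.2.1]` and of spaces inside a quoted local part is deliberately left out.

```java
import java.util.regex.Pattern;

// Added example (not from the cheat sheet): bounded structural checks on an
// email address that follow the RFC 5321 size limits rather than attempting to
// encode the full mailbox grammar in one expensive regex.
public class EmailChecker {
    private static final int MAX_LOCAL_PART = 64; // RFC 5321 section 4.5.3.1.1
    private static final int MAX_DOMAIN = 255;    // RFC 5321 section 4.5.3.1.2
    private static final int MAX_ADDRESS = 254;   // path limit of 256 octets minus "<" and ">"
    // One DNS label: starts and ends with a letter or digit, hyphens only inside, 1-63 chars.
    private static final Pattern LABEL = Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    public static boolean isPlausibleAddress(String address) {
        if (address == null || address.isEmpty() || address.length() > MAX_ADDRESS) return false;
        int at = address.lastIndexOf('@'); // a quoted local part may itself contain '@'
        if (at < 1 || at == address.length() - 1) return false;
        String local = address.substring(0, at);
        String domain = address.substring(at + 1);
        if (local.length() > MAX_LOCAL_PART || domain.length() > MAX_DOMAIN) return false;
        // Local part: rule out only control characters and whitespace. Characters such as
        // "+", "." and quotes are legitimate and are commonly rejected by mistake.
        // (Spaces inside a quoted local part are valid too but are not handled here.)
        for (int i = 0; i < local.length(); i++) {
            char c = local.charAt(i);
            if (c <= ' ' || c == 127) return false;
        }
        // Domain: a dotted sequence of well-formed labels (address literals not handled).
        String[] labels = domain.split("\\.", -1);
        if (labels.length < 2) return false;
        for (String label : labels) {
            if (!LABEL.matcher(label).matches()) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (not from the original page).
        String[] samples = {
            "user+tag@example.com", "first.last@sub.example.co.uk", "\"odd.name\"@example.com",
            "no-at-sign", "a@b", "x@-bad.example", "y@example..com",
            "a".repeat(65) + "@example.com"
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %b%n", s, isPlausibleAddress(s));
        }
    }
}
```

The first three samples pass; the remaining five fail on the missing "@", the undotted domain, the leading hyphen, the empty label and the over-long local part respectively. Every check is linear in the input length, so a hostile address cannot drive the validator into catastrophic backtracking.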