Overview of data validation
You can use the Data Validation function to allow only explicitly defined characters in the input and output requests, and drop all the other data.
You can define your own validation rules for validating different request parameters. You can also encode data before you send it back to the user interface (UI).
Data validation can be done for various kinds of inputs, such as parameter names, parameter values, cookie names, and cookie values. The application also supports regular expression-based validation.
Input validator
The Input Validator finds all the validation rules that are registered for a particular input and validates the input against them. The Validator is called by a request wrapper to validate request inputs.
By default, to validate request inputs such as parameter values and parameter names, the Input Validator uses the regular expressions that are provided by the application. The application-shipped regular expressions are defined in the regularexpressions/sc_regularexpressions.xml file (located inside <INSTALL_DIR>/jar/platform_afc/9_5/platform_dv.jar), with an application override regular expression list that is defined in the isccs_regularexpressions.xml file (located inside <INSTALL_DIR>/repository/eardata/isccs/war/WEB-INF/regularexpressions).
Validation rule
A validation rule validates and sanitizes the input. Each validation rule contains a property that identifies the input for which validation must happen, and validation is started whenever the corresponding request input is accessed. A validation rule must specify the name of the input that it validates. For example, to validate the value of a parameter, the validation rule must specify the name of that particular parameter. Multiple inputs with the same name can exist. All the validation rules must be registered with the Input Validator to validate the corresponding input.
Some validation or sanitization rules are provided by the application. The application-shipped validation rules are defined in the validationrules/sc_validationrules.xml file (located inside <INSTALL_DIR>/jar/platform_afc/9_5/platform_dv.jar), with an application override regular expression list that is defined in the isccs_validationrules.xml file (located inside <INSTALL_DIR>/repository/eardata/isccs/war/WEB-INF/validationrules).
These validation rules are started for all the inputs that belong to the same category. For example, all the HTTP Header names are validated against the HTTPHeaderName regular expression.
- Regular Expression-Based Validation Rule - This type of validation rule is designed to do regular expression-based validations. This validation rule type supports multiple allowlist and blocklist regular expressions.
- Java Based Validation Rule - This type of validation rule is designed to do Java-based validation and sanitization of inputs. This validation rule type validates an input and then calls the getValidInput() method of the implementation class.
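The allowlist and blocklist check described for regular expression-based rules, shown as an added Java example that is not the application's code or API. The class, the input names and the patterns are hypothetical, and two behaviours are assumptions: a value passes if it fully matches any allowlist pattern and no blocklist pattern, and an input with no registered rule is rejected.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration; class and rule names are hypothetical, not the product's API.
public class RegexRuleDemo {
    // Assumed semantics: a value is accepted only if it fully matches at least one
    // allowlist pattern and no blocklist pattern is found anywhere inside it.
    record RegexRule(List<Pattern> allow, List<Pattern> block) {
        boolean accepts(String value) {
            if (value == null) return false;
            boolean allowed = allow.stream().anyMatch(p -> p.matcher(value).matches());
            boolean blocked = block.stream().anyMatch(p -> p.matcher(value).find());
            return allowed && !blocked;
        }
    }

    // Rules are registered per input name, so the validator can look them up
    // when a request wrapper hands it an input.
    private final Map<String, RegexRule> rules = new HashMap<>();

    void register(String inputName, RegexRule rule) { rules.put(inputName, rule); }

    // Multiple inputs can share a name, so every supplied value must pass.
    // An input without a registered rule is rejected (fail closed, assumed).
    boolean validate(String inputName, String... values) {
        RegexRule rule = rules.get(inputName);
        if (rule == null) return false;
        return Arrays.stream(values).allMatch(rule::accepts);
    }

    public static void main(String[] args) {
        RegexRuleDemo v = new RegexRuleDemo();
        // Constructed rules: the blocklist narrows what the allowlist permits.
        v.register("orderNo", new RegexRule(
            List.of(Pattern.compile("[A-Za-z0-9_-]{1,40}")),
            List.of(Pattern.compile("--"))));
        v.register("comment", new RegexRule(
            List.of(Pattern.compile("[\\p{L}\\p{N} .,!?'-]{0,200}")),
            List.of()));

        // Constructed sample inputs
        System.out.println(v.validate("orderNo", "Y100-0042"));          // allowlisted characters only
        System.out.println(v.validate("orderNo", "Y100", "1--2"));        // second value hits the blocklist
        System.out.println(v.validate("comment", "<script>x</script>")); // '<' is outside the allowlist
        System.out.println(v.validate("unknown", "abc"));                // no rule registered
    }
}
```

The second call shows why both lists are useful: "1--2" consists only of allowlisted characters, and it is the blocklist that rejects the sequence.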