Wednesday, October 21, 2015 

Security, Exceptions and logging

Types of exceptions:
1. Programming errors - like a null pointer exception caused by a bug in your own code.
- These should never be caught and swallowed: they indicate a bug, so let them surface and fix the code.
2. Client code errors - the caller supplied bad input, e.g. an XML parser fed malformed XML.
3. Resource-related exceptions - file not found, network error, etc.

Handling exceptions:
Throw early, catch late:
- Throw early means fail as soon as bad input or bad state is detected, before anything acts on it.
- Catch late means catch the exception only where you can deal with it meaningfully (e.g. at the request boundary), not in every method it passes through.

Better - create a custom exception class that carries:
- what went wrong,
- where it went wrong,
- data to help debugging.

Logging - what to log:
- Input validation failures.
- Changes in state and all operations on objects.
- Do not log sensitive data (passwords, session tokens, card numbers); this includes the debugging data attached to exceptions, which must be redacted before it is written.
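The following is an added example written for these notes, not code from the original post. It puts the exception and logging points above together: the three exception categories, "throw early, catch late", a custom exception carrying what/where/data, and a logger that records validation failures and state changes while redacting sensitive fields. Every name (AppError, ClientInputError, ResourceError, handleRequest, the fake file table) and the sample requests are assumptions made for the illustration.

```javascript
// Added example (not from the original post). All class/function names and the
// fake filesystem below are assumptions made for this illustration.

// Field names whose values must never reach a log.
const SENSITIVE_KEYS = new Set(['password', 'token', 'secret', 'cardNumber']);

// Custom exception: what went wrong (message), where (operation), data (debug context).
class AppError extends Error {
  constructor(what, where, data = {}) {
    super(what);
    this.name = this.constructor.name;
    this.where = where;
    this.data = data;
  }
}
class ClientInputError extends AppError {} // category 2: caller supplied bad input
class ResourceError extends AppError {}    // category 3: file/network/etc. unavailable
// Category 1 (programming errors such as TypeError) gets no class: we never catch it.

// Replace sensitive values before a record is written anywhere.
function redact(fields) {
  const out = {};
  for (const [key, value] of Object.entries(fields)) {
    out[key] = SENSITIVE_KEYS.has(key) ? '[REDACTED]' : value;
  }
  return out;
}

// Minimal structured logger. Records are kept in memory so they can be inspected.
const LOG = [];
function log(level, event, fields = {}) {
  const record = { level, event, ...redact(fields) };
  LOG.push(record);
  return record;
}

// Throw early: reject bad input at the boundary, before any state is touched.
function parseLoginRequest(body) {
  if (typeof body.username !== 'string' || !/^[a-z0-9_]{3,32}$/i.test(body.username)) {
    // The debugging data includes the raw input; the logger redacts the password.
    throw new ClientInputError('invalid username', 'parseLoginRequest',
      { username: body.username, password: body.password });
  }
  return { username: body.username.toLowerCase() };
}

// Constructed stand-in for the filesystem; anything not listed is "file not found".
const FAKE_FILES = { 'config.json': '{"maxAttempts":3}' };
function readConfig(name) {
  if (!(name in FAKE_FILES)) {
    throw new ResourceError('file not found', 'readConfig', { file: name });
  }
  return JSON.parse(FAKE_FILES[name]);
}

// Catch late: only the request boundary knows how to turn each failure into a response.
function handleRequest(body, configFile = 'config.json') {
  try {
    const req = parseLoginRequest(body);
    const cfg = readConfig(configFile);
    // State change on the account is logged, without any secret.
    log('info', 'login_attempt', { user: req.username, maxAttempts: cfg.maxAttempts });
    return { status: 200 };
  } catch (err) {
    if (err instanceof ClientInputError) {
      log('warn', 'input_validation_failure', { where: err.where, what: err.message, ...err.data });
      return { status: 400 };
    }
    if (err instanceof ResourceError) {
      log('error', 'resource_error', { where: err.where, what: err.message, ...err.data });
      return { status: 503 };
    }
    throw err; // Programming error (e.g. TypeError): a bug, so let it propagate and fail loudly.
  }
}

// Demonstration run.
console.log(handleRequest({ username: 'Alice', password: 'hunter2' }));   // { status: 200 }
console.log(handleRequest({ username: 'a b', password: 'hunter2' }));     // { status: 400 }
console.log(handleRequest({ username: 'alice' }, 'missing.json'));        // { status: 503 }
console.log(LOG);                                                         // no 'hunter2' anywhere
```

Calling handleRequest(null) raises a TypeError inside parseLoginRequest; it passes straight through the catch block because a programming error is not something the request handler can deal with meaningfully. Redaction in the logger is the last line of defence: better still is to keep secrets out of the exception's debugging data in the first place.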

XSS - encode untrusted data for the context it lands in:
- HTML body content should be escaped as HTML entities.
- URL parameters should be URL (percent) encoded - the parameter value only, not the whole URL.
- HTML attribute values should be hex entity encoded (&#xHH;) for every non-alphanumeric character, and the attribute must be quoted.
- Dynamic data inside JavaScript should be \xHH hex encoded, and only ever placed inside a quoted string literal.
- CSS should be \HH encoded, and it might still not be safe (url(), expression()), so don't put untrusted data in CSS at all.
- JSON embedded on the page should be HTML encoded (e.g. into a hidden element) and decoded back before parsing it as JSON.
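The following is an added example for the list above, not code from the original post: one output encoder per context, applied to the same constructed attacker-controlled string so the differences between the contexts are visible, plus the HTML-encode-then-decode round trip for embedded JSON. The function names, the sample payload and the example URL are assumptions made for the illustration.

```javascript
// Added example (not from the original post). Function names, the payload and
// the example.test URL are assumptions made for this illustration.

// Constructed attacker-controlled input.
const UNTRUSTED = '"><script>alert(1)</script>';

// Encode every UTF-16 code unit that is not alphanumeric with a caller-supplied
// formatter; shared by the attribute and JavaScript encoders.
function encodeNonAlnum(input, format) {
  const s = String(input);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    out += /[A-Za-z0-9]/.test(s[i]) ? s[i] : format(s.charCodeAt(i));
  }
  return out;
}

// 1. HTML body: entity-encode the five characters that can change HTML structure.
function encodeForHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. HTML attribute value: &#xHH; for every non-alphanumeric character below 256.
//    The template that uses the value must still put it inside quotes.
function encodeForHtmlAttribute(input) {
  return encodeNonAlnum(input, (code) =>
    code < 256 ? '&#x' + code.toString(16).padStart(2, '0') + ';' : String.fromCharCode(code));
}

// 3. JavaScript string literal: \xHH (or \uHHHH) for every non-alphanumeric
//    character. The result is only safe inside a quoted string, never as bare code.
function encodeForJavaScript(input) {
  return encodeNonAlnum(input, (code) =>
    code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
               : '\\u' + code.toString(16).padStart(4, '0'));
}

// 4. CSS: deliberately no encoder here. Even \HH-encoded data can be abused in
//    url() or expression(), so untrusted data does not go into CSS at all.

// 5. URL parameter: percent-encode the parameter VALUE only, never the whole URL.
function buildSearchUrl(base, query) {
  return base + '?q=' + encodeURIComponent(query);
}

// 6. JSON embedded in the page: HTML-encode it into a hidden element on the way
//    out, decode the entities back, then JSON.parse on the way in.
function decodeHtml(encoded) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#x27;': "'" };
  return encoded.replace(/&(amp|lt|gt|quot|#x27);/g, (m) => map[m]);
}
function embedJson(obj) {
  return '<div id="init" style="display:none">' + encodeForHtml(JSON.stringify(obj)) + '</div>';
}
function readEmbeddedJson(html) {
  const m = /<div id="init" style="display:none">([\s\S]*?)<\/div>/.exec(html);
  return JSON.parse(decodeHtml(m[1]));
}

// Demonstration: the same payload in each context.
console.log(encodeForHtml(UNTRUSTED));
// &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;
console.log(encodeForHtmlAttribute(UNTRUSTED));
// &#x22;&#x3e;&#x3c;script&#x3e;alert&#x28;1&#x29;&#x3c;&#x2f;script&#x3e;
console.log(encodeForJavaScript(UNTRUSTED));
// \x22\x3e\x3cscript\x3ealert\x281\x29\x3c\x2fscript\x3e
console.log(buildSearchUrl('https://example.test/search', UNTRUSTED));
// https://example.test/search?q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E
console.log(readEmbeddedJson(embedJson({ user: UNTRUSTED, n: 1 })));
```

Two caveats a practitioner would add: encodeURIComponent protects the parameter value, but it does not make an untrusted complete URL safe to drop into an href (a javascript: scheme survives it), so check the scheme separately; and in production use a maintained encoding library rather than hand-rolled encoders like these.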