From 7751e38ac10f206bbae29a0d41bce9153aeb40c1 Mon Sep 17 00:00:00 2001 From: Elar Lang Date: Fri, 10 Jan 2025 18:36:31 +0200 Subject: [PATCH] tag update for 5.3.2 / 13.1.7 --- 5.0/en/0x13-V5-Validation-Sanitization-Encoding.md | 2 +- 5.0/en/0x21-V13-API.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md b/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md index fc14920727..e995f45468 100644 --- a/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md +++ b/5.0/en/0x13-V5-Validation-Sanitization-Encoding.md @@ -73,7 +73,7 @@ In many cases, software libraries will include safe or safer functions which wil | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | | **5.3.1** | [MODIFIED, SPLIT TO 5.3.13] Verify that output encoding for an HTTP response, HTML document, or XML document is relevant for the context required, such as encoding the relevant characters for HTML elements, HTML attributes, HTML comments, CSS, or HTTP header fields, to avoid changing the message or document structure. | ✓ | ✓ | ✓ | 116 | -| **5.3.2** | [DELETED, DUPLICATE OF 14.4.1] | | | | | +| **5.3.2** | [DELETED, COVERED BY 13.1.7] | | | | | | **5.3.3** | [MODIFIED, SPLIT TO 50.6.2] Verify that output encoding or escaping is used when dynamically building JavaScript content (including JSON), to avoid changing the message or document structure (to avoid JavaScript and JSON injection). | ✓ | ✓ | ✓ | | | **5.3.4** | [MODIFIED] Verify that data selection or database queries (e.g. SQL, HQL, NoSQL, Cypher) use parameterized queries, ORMs, entity frameworks, or are otherwise protected from SQL Injection and other database injection attacks. This should also be considered when writing stored procedures. | ✓ | ✓ | ✓ | 89 | | **5.3.5** | [DELETED, DUPLICATE OF 5.3.4] | | | | | diff --git a/5.0/en/0x21-V13-API.md b/5.0/en/0x21-V13-API.md index 8af8cd1aa0..6f4d10102f 100644 --- a/5.0/en/0x21-V13-API.md 
+++ b/5.0/en/0x21-V13-API.md @@ -20,7 +20,7 @@ This is a placeholder for future documentation requirements. | **13.1.4** | [DELETED, DUPLICATE OF 4.2.1] | | | | | | **13.1.5** | [DELETED, INSUFFICIENT IMPACT] | | | | | | **13.1.6** | [MODIFIED, MOVED FROM 13.2.6, LEVEL L2 > L3] Verify that per-message digital signatures are used to provide additional assurance on top of transport protections for requests or transactions which are highly sensitive or which traverse a number of systems. | | | ✓ | 345 | -| **13.1.7** | [MODIFIED, MOVED FROM 14.4.1] Verify that every HTTP response with a message body contains a Content-Type header field that matches the actual content of the response, including the charset parameter to specify safe character encoding (e.g., UTF-8, ISO-8859-1) according to IANA Media Types, such as "text/", "/+xml" and "/xml". | ✓ | ✓ | ✓ | 173 | +| **13.1.7** | [MODIFIED, MOVED FROM 14.4.1, COVERS 5.3.2] Verify that every HTTP response with a message body contains a Content-Type header field that matches the actual content of the response, including the charset parameter to specify safe character encoding (e.g., UTF-8, ISO-8859-1) according to IANA Media Types, such as "text/", "/+xml" and "/xml". | ✓ | ✓ | ✓ | 173 | | **13.1.8** | [ADDED] Verify that HTTPS-based endpoints either return an error or do not respond to unencrypted HTTP requests which contain sensitive data in the headers or body. If a client is erroneously sending unencrypted HTTP requests but the requests are being automatically redirected to HTTPS, this leakage of sensitive data may go undiscovered. | | ✓ | ✓ | | ## V13.2 Web Services
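Review bot: In the first hunk (0x13-V5-Validation-Sanitization-Encoding.md, row 5.3.2), the retargeted tag `[DELETED, COVERED BY 13.1.7]` introduces a tag word that differs from the `DUPLICATE OF` wording used on the neighbouring deleted row 5.3.5, so the tag legend for this document should define "COVERED BY" (a deleted requirement whose intent is absorbed by a broader requirement rather than a one-to-one duplicate). The retarget itself is consistent with the second file, where 13.1.7 is marked `MOVED FROM 14.4.1`, so the old reference `DUPLICATE OF 14.4.1` would have pointed readers at a requirement number that no longer holds that text; a one-line rationale for the renumbering in the commit message would save the next reader that cross-check.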
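Review bot: In the second hunk (0x21-V13-API.md, row 13.1.7), the added `COVERS 5.3.2` tag gives the cross-reference in both directions, but only the tag changes while the requirement text stays the same, and nothing in the hunk shows what 5.3.2 originally required, so a reviewer cannot confirm from the diff alone that the Content-Type/charset requirement actually subsumes it; noting the original 5.3.2 wording in the PR description would close that gap. Separately, the unchanged requirement text quotes the media type examples as `"text/", "/+xml" and "/xml"`, which are not valid media type patterns as written; if these are meant to be wildcard patterns such as `text/*`, the asterisks need to be escaped in the Markdown source so they survive rendering in the table cell.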