Input Validation & Data Handling Controls

eXpress badging® enforces strict input validation, sanitization, and encoding controls across the Veonics® Portal to protect against injection, data corruption, and malware.

⌨️ All practices are aligned with OWASP (Open Worldwide Application Security Project) recommendations and NIST CSF 2.0.


🖥️ Client-Side Validation

Q: Do you rely on client-side validation?

  • Answer: No

  • Client-side validation (e.g., browser JavaScript checks) is used only for usability improvements, not as a security control.

  • All security validation is enforced server-side.


🖧 Server-Side Validation

Q: Do you perform server-side validation on all entry points of the application?

  • Answer: Yes

  • All user input is validated on the server before being processed or stored.

  • This includes form fields, API requests, and file uploads.

📄 Supporting Documentation: Veonics Portal Cybersecurity & Compliance Overview


🔄 Centralized Input Validation

Q: Is there a centralized approach for input validation?

  • Answer: Yes

  • The Veonics® Portal uses centralized validation libraries to enforce consistent rules across all entry points.

  • This ensures uniform handling of text fields, numeric inputs, and special characters.
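The two sections above (server-side validation on every entry point, and one centralized rule set shared by them) are shown here as an added example; it is not the portal's code, and the field names, limits, and character allowlists are constructed for illustration. The point it demonstrates is that each handler calls the same validate_payload and never carries its own ad-hoc checks, so a field that is rejected by the API is rejected identically by the form.

```python
from __future__ import annotations

import re
from typing import Any

# One rule table shared by every entry point (form handler, API, upload form).
# Field names and limits are constructed for this example, not taken from the portal.
RULES: dict[str, dict[str, Any]] = {
    "badge_name":  {"type": "text", "max_len": 64,
                    "pattern": re.compile(r"[A-Za-z0-9 .'\-]+")},
    "employee_id": {"type": "int", "min": 1, "max": 9_999_999},
    "department":  {"type": "text", "max_len": 40,
                    "pattern": re.compile(r"[A-Za-z &]+")},
}
ASCII_DIGITS = re.compile(r"[0-9]+")


def validate_field(name: str, value: Any) -> list[str]:
    """Return error messages for one field; an empty list means the value is acceptable."""
    rule = RULES.get(name)
    if rule is None:
        # Allowlist of fields: anything the schema does not know is rejected outright.
        return [f"{name}: unknown field"]
    errors: list[str] = []
    if rule["type"] == "text":
        if not isinstance(value, str):
            return [f"{name}: must be a string"]
        if len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']} characters")
        if not rule["pattern"].fullmatch(value):
            # Allowlist of characters: '<', ';', quotes etc. never reach the business logic.
            errors.append(f"{name}: contains characters outside the allowed set")
    elif rule["type"] == "int":
        # bool is a subclass of int in Python, so exclude it explicitly; only ASCII
        # digit strings are accepted so int() cannot choke on other "digits".
        is_int = isinstance(value, int) and not isinstance(value, bool)
        is_digit_str = isinstance(value, str) and ASCII_DIGITS.fullmatch(value) is not None
        if not (is_int or is_digit_str):
            return [f"{name}: must be a whole number"]
        n = int(value)
        if not rule["min"] <= n <= rule["max"]:
            errors.append(f"{name}: out of range {rule['min']}..{rule['max']}")
    return errors


def validate_payload(payload: dict[str, Any]) -> dict[str, list[str]]:
    """Validate a whole request body. Returns {field: [errors]} for failing fields only,
    so an empty dict means the request may proceed to processing or storage."""
    result: dict[str, list[str]] = {}
    for name in RULES:
        if name not in payload:
            result[name] = [f"{name}: required"]
    for name, value in payload.items():
        errors = validate_field(name, value)
        if errors:
            result[name] = errors
    return result


if __name__ == "__main__":
    print(validate_payload({"badge_name": "Ada Lovelace", "employee_id": 1042, "department": "R&D"}))
    print(validate_payload({"badge_name": "<script>alert(1)</script>", "employee_id": "12abc",
                            "department": "Ops", "role": "admin"}))
```

Because the rules are allowlists (known fields, known character sets, bounded integers) rather than a list of bad strings, a browser-side check can be skipped or bypassed without changing what the server accepts.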


🚫 Input Filtering

Q: Do you perform input filtering for known bad data that can cause faults or unexpected behavior?

  • Answer: Yes

  • Input filters reject SQL injection attempts, malformed HTML/JS, and invalid character sets.

  • Filters are updated regularly in line with the OWASP Top 10 threats.

  • Example: <script> tags and SQL operators are stripped or escaped before processing.

📄 Supporting Documentation: Application Development & Maintenance Policy


🔐 Input/Output Encoding

Q: Do you perform input/output encoding?

  • Answer: Yes

  • Data displayed back to users is HTML encoded to prevent cross-site scripting (XSS).

  • Output encoding is enforced on all web-facing fields.
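The HTML encoding described above, as an added example (not the portal's own code): it also serves the input-filtering section's note about `<script>` tags, since encoding on output is what guarantees a tag that slipped past a filter still renders as text. The sample input and the row template are constructed; Python's standard-library html.escape is the encoder.

```python
import html

# Constructed sample input: a display name as a user might submit it. It carries both a
# tag and a double quote so the two encoding contexts below can be told apart.
UNTRUSTED_NAME = '<script>alert(1)</script>" onmouseover="alert(2)'


def encode_for_html_text(value: str) -> str:
    """For text between tags: '<', '>' and '&' become entities, so no tag can open."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """For a value inside a quoted attribute: additionally encode '"' and "'",
    so the value cannot close the attribute and start a new one."""
    return html.escape(value, quote=True)


def render_badge_row(name: str) -> str:
    """Render one row of a badge listing. The same untrusted value lands in two places
    and is encoded for each place separately; the template itself is fixed text."""
    return (
        f'<tr><td title="{encode_for_html_attribute(name)}">'
        f"{encode_for_html_text(name)}</td></tr>"
    )


if __name__ == "__main__":
    print(render_badge_row(UNTRUSTED_NAME))
```

The encoder must match the context the value is written into: the attribute version above is not safe inside a JavaScript string or a URL, which need their own encoders (or, better, a templating engine that applies contextual escaping automatically).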


🗄️ Parameterized Queries

Q: Do you use parameterized queries or stored procedures for database access?

  • Answer: Yes

  • All database access uses parameterized queries to prevent SQL injection.

  • Direct concatenation of user inputs is prohibited.

📄 Supporting Documentation: The Veonics Portal History & System Architecture
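Parameterized access versus the prohibited concatenation pattern, as an added example (not the portal's code; the table and rows are constructed and SQLite is used only because it ships with Python). The concatenated version is kept solely to show its failure mode: a legitimate name containing an apostrophe breaks the query, and a string containing SQL syntax changes its meaning. The parameterized version treats both as plain values.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows standing in for badge holders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE badge_holder (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)")
    conn.executemany(
        "INSERT INTO badge_holder (name, dept) VALUES (?, ?)",
        [("Ada Lovelace", "R&D"), ("Grace Hopper", "Ops"), ("Linus T", "IT")],
    )
    conn.commit()
    return conn


def find_by_dept_concat(conn: sqlite3.Connection, dept: str) -> list[tuple]:
    """The prohibited pattern: user input is spliced into the SQL text, so the
    database parses whatever the user typed as part of the statement."""
    sql = f"SELECT name FROM badge_holder WHERE dept = '{dept}'"
    return conn.execute(sql).fetchall()


def find_by_dept_param(conn: sqlite3.Connection, dept: str) -> list[tuple]:
    """Parameterized: the statement text is constant and dept is sent as a bound
    value, so quotes or operators inside it can only ever be compared, not executed."""
    return conn.execute("SELECT name FROM badge_holder WHERE dept = ?", (dept,)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    print(find_by_dept_param(conn, "Ops"))           # [('Grace Hopper',)]
    print(find_by_dept_param(conn, "Ops' OR '1'='1"))  # [] : compared literally, no match
```

The same property holds for stored procedures and ORM query builders as long as every user-supplied value is passed as a bound parameter; table and column names cannot be bound and must come from an allowlist in code.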


📂 File Upload Restrictions

Q: If the web application allows file uploads, do you limit extensions and scan files?

  • Answer: Yes

  • Allowed extensions: .jpg, .jpeg, .png, .gif (photo uploads only).

  • All uploaded files undergo virus/malware scanning before being accepted.

  • Metadata is validated to confirm the file matches its extension (no disguised executables).

📄 Supporting Documentation: How to Securely Transfer ID Badge Project Files Using the Upload Center
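One way to implement the extension allowlist and the "file matches its extension" check above, as an added example that is not the portal's code. It compares the file's leading bytes (its signature) against what the claimed extension requires, which is an assumption about how the portal's metadata validation works; the size limit and sample byte strings are constructed. The virus/malware scan is a separate step and is represented only by the scanner hook parameter.

```python
from pathlib import PurePosixPath
from typing import Callable, Optional

# Photo uploads only, as stated in the answer above.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes each format must start with. A ".png" whose content begins with
# "MZ" (a Windows executable) or "GIF89a" fails the check regardless of its name.
SIGNATURES = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit for the example


def check_upload(filename: str, data: bytes,
                 scanner: Optional[Callable[[bytes], bool]] = None) -> tuple[bool, str]:
    """Return (accepted, reason). `scanner` is a hypothetical hook that returns True
    when a malware scan finds nothing; the real scanner is out of scope here."""
    # Only the last suffix counts: "badge.png.exe" is ".exe"; "badge.exe.png" is ".png"
    # and must then pass the content check below.
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    if len(data) == 0:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, f"file exceeds {MAX_UPLOAD_BYTES} bytes"
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, f"content does not match {ext}"
    if scanner is not None and not scanner(data):
        return False, "rejected by malware scan"
    return True, "ok"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed PNG header plus padding
    print(check_upload("badge.png", png))
    print(check_upload("badge.exe.png", b"MZ\x90\x00" + b"\x00" * 16))
```

The uploaded name should be used only for these checks; the stored object gets a server-generated name so path segments in the client-supplied filename never reach the file system.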


📊 NIST CSF 2.0 Alignment

Function       Example Practice
Protect (PR)   Centralized input validation, parameterized queries
Detect (DE)    Filtering of known malicious input
Respond (RS)   Logs and alerts for rejected payloads
Recover (RC)   Continuous OWASP-aligned updates


Last Update: 9/1/2025