Character Limitations

Since the Admin GUI still uses some JSP and EJBCA at some occasions uses string concatenation to build SQL querys, we have to ban some characters to avoid XSS-attacks and SQL-injections:

banned character

explanation

\"

 

\n
\n is newline
\r
\r is carriage return
\\
\\ is backslash
;

 

!

 

\0
\0 is null
%

 

`

 

<

 

>

 

?

 

$

 

~

 

These characters will be replaced by /. ',' can be escaped ,'\,'. The current JavaScrips used in Admin GUI might also limit you ability to use any UTF-8 character.

org.cesecore.util.StringTools contains the full list of characters banned for different purposes.