User's Guide

Filtering Embedded String Errors via Methods

String Method Filters provide another means of filtering certain strings from the embedded string error reports. Instead of filtering strings based on patterns they contain, this category filters them based on the methods, functions, or constructors into which they are passed.

Your code likely contains many methods or functions that are passed string arguments. When you are sure that any string passed into function X is never displayed to the user, you can add the name of function X to the String Method Filters list. Whenever Globalyzer sees that a string literal is passed as an argument to function X, it will ignore that string. In other words, it won't list it as a string that should be externalized into a resource file.

For example, the Java method:

    javax.servlet.ServletRequestWrapper.getParameter(String s)

is in the list below, because although it takes a string argument, this string would never appear as text visible to an end user.

The Inherited column lists the name of the Rule Set that defined the string method filter. A value of 'No' indicates that the filter is local to the Rule Set. Local filters can be modified and/or deleted. Inherited filters can be overridden.

To disable a local string method filter, uncheck the box.

To create a filter, select the New String Method Filter link at the top of the page. This displays the Create String Method Filter form, shown below.

The page contains five fields (six fields if the language of the rule set is Java) used to describe a rule: Name, Pattern, Class or Variable Type(s) if Java, Description, Help Page, and Enabled.

Use the Name field to give your filter a brief, meaningful name.

The Pattern is technically a regular expression, but Globalyzer uses internal algorithms along with the expression to determine whether strings are being passed into these methods. For this reason there are rules that must be followed when specifying the pattern.

  • Do not add trailing parentheses or any text after the method name itself.
  • Globalyzer matches the exact text of the rule.
    Let's say you have a class called ShoppingCart and it has a member method setKey. This method takes a string argument and you want to make sure Globalyzer ignores strings passed to the ShoppingCart.setKey method. If your Rule Set is Java, you can achieve this by configuring the Class or Variable Type(s) field (currently only available for Java Rule Sets) in addition to the pattern field. You would configure:
    Pattern: setKey
    Class or Variable Type(s): fully.qualified.class.name.ShoppingCart
    For non-Java Rule Sets, you first need to confirm that ShoppingCart is instantiated with the same variable name throughout the code that you are scanning or create a separate rule for each ShoppingCart variable name. If in your code you have:
    ShoppingCart cart = new ShoppingCart();
    cart.setKey("books");
    The pattern that you would enter in the Create String Method Filter page would be:
    Pattern: cart\.setKey
  • Note that when you include a variable name prior to the method name, you must escape any regex special characters such as the dot in this example.
  • For more information on Regular Expression syntax, click here.

The Class or Variable Type(s) field is currently available for Java Rule Sets only. This field is a comma-separated list of fully qualified Class or Variable Type(s). It allows you to associate Classes/Types with the method name so filtering will only take place when the embedded string is passed to the method of a specified Class/Type. Let's say you want to filter strings passed to put method calls but only for the Java InputMap and ActionMap classes. You would configure:

     Pattern: put
     Class or Variable Type(s): javax.swing.InputMap, javax.swing.ActionMap

The comments below indicate what happens when the following code is scanned:

     InputMap imap = new InputMap(...);
     ActionMap amap = new ActionMap(...);
     SomeClass some = new SomeClass(...);

     imap.put("string"); // strings passed to put() will be filtered
     amap.put("string"); // strings passed to put() will be filtered
     some.put("string"); // strings passed to put() will NOT be filtered

If the Class or Variable Type(s) field is left blank, then strings passed to all put method calls will be filtered.
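An added example, not Globalyzer's code or algorithm: a simplified Python model of the two matching rules described above (the escaped `cart\.setKey` pattern and the Class or Variable Type(s) restriction on `put`). The function name, the sample snippets, and the matching logic are assumptions made for illustration; the model compares only simple class names and uses Python's `re` module for the pattern.

```python
import re

# Constructed samples (not product output): a Java-like snippet mirroring
# the put() example, and an untyped snippet for the setKey case.
JAVA_SAMPLE = '''InputMap imap = new InputMap();
ActionMap amap = new ActionMap();
SomeClass some = new SomeClass();
imap.put("a");
amap.put("b");
some.put("c");
'''
OTHER_SAMPLE = '''cart.setKey("books");
cart_setKey("Welcome back!");
'''

DECL = re.compile(r'\b([A-Z]\w*)\s+(\w+)\s*=\s*new\b')   # Type var = new ...
CALL = re.compile(r'([\w.]+)\(\s*"([^"]*)"')             # callee("literal"

def filtered_literals(source, pattern, types=""):
    """Return the string literals a filter would hide from the report.

    Assumed model: the pattern must match the whole method name (or, with no
    types configured, the whole 'variable.method' text); when types are
    configured, the receiver's declared type must also be listed.
    """
    allowed = {t.strip().rsplit(".", 1)[-1] for t in types.split(",") if t.strip()}
    var_types, hidden = {}, []
    for line in source.splitlines():
        for typ, var in DECL.findall(line):
            var_types[var] = typ          # remember each variable's declared type
        for callee, literal in CALL.findall(line):
            recv, _, method = callee.rpartition(".")
            if allowed:
                hit = (re.fullmatch(pattern, method) is not None
                       and var_types.get(recv) in allowed)
            else:
                hit = any(re.fullmatch(pattern, text) for text in (method, callee))
            if hit:
                hidden.append(literal)
    return hidden

if __name__ == "__main__":
    swing = "javax.swing.InputMap, javax.swing.ActionMap"
    print(filtered_literals(JAVA_SAMPLE, "put", swing))
    print(filtered_literals(JAVA_SAMPLE, "put"))
    print(filtered_literals(OTHER_SAMPLE, r"cart\.setKey"))
    print(filtered_literals(OTHER_SAMPLE, "cart.setKey"))
```

The last call shows why the dot must be escaped: the unescaped pattern also hides the literal passed to the unrelated `cart_setKey` function, so a user-visible string drops out of the report.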

Use the Description field to explain why this string can be filtered.

Use the Category field to set a category that can be enabled or disabled in bulk for a ruleset.

The Help Page field is where you can provide a URL link for the filter. This link may provide more information on the filter.

The Enabled field determines whether the filter is processed by Globalyzer (checked) or ignored by Globalyzer for now (unchecked).

Once you've provided the string method filter information, click the Create button. The Edit String Method Filters list redisplays, showing your changes.

If a string method filter is local to the Rule Set, it can be modified and/or deleted. Click on its name hyperlink from the Edit String Method Filters list. This displays the Edit String Method Filter page, shown below. All fields are modifiable. Press Update to save any changes. Press Delete to delete the filter. After updating or deleting, the Edit String Method Filters list redisplays, showing your changes.

If a string method filter is inherited, it can be overridden. For example, you may want to disable the inherited filter in your Rule Set. Click on its name hyperlink from the Edit String Method Filters list. This displays the Override String Method Filter page, shown below. All fields are modifiable, but if you change the pattern field, you will end up creating an entirely new filter, rather than overriding the inherited one. Press Create to create the override string method filter. After creating, the Edit String Method Filters list redisplays, showing your local filter.

To return to the Customize Rule Set page, select the Back to Summary link.


Note: The default list of String Method Filters created for each new Rule Set is not a comprehensive listing of all methods within that programming language that take strings that aren't likely to be displayed to the end user. We have included only the more frequently used methods that we have run across in client projects and testing. These defaults - as with all Rule Set defaults - will be updated as we notice new methods that should be added. If you run across a method in the standard API for your programming language that you think should come as a default, please email the information to support@lingoport.com.

Not Supported: Globalyzer does not support this category of filtering for XML or HTML.
