New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Construct "&" in Validator.URL is simple character class, not reference to ampersand #327
Comments
It's unclear here what the exact problem is. What method are you using? Validation? The likely culprit here is canonicalization, and in 99% of cases where I've seen this problem come up, it's a legitmate problem. Meaning, ESAPI is doing the right thing. There's plenty of other missing context on this problem, is the input a URL? An email address? Recommend writing a small web app demonstrating the exact problem with the exact input, with the exact method call. Otherwise, @kwwall , I recommend closing this issue. |
Is what the creator of this issue saying is that the regex for Validator.URL in validation.properties contains '&' rather than '&'? Note that it is within [] and thus a character class. Here's what we have for it:
Is Anton simply stating that instead, it should be:
(or maybe '&', but I don't think '&' is special within [...]? If so, it would be an easy fix, but note that changing '&' to just '&' would remove ';' so that could be an unintended side-effect so we may need to re-add ';' separately. Thoughts? |
I'll throw this in unit-test later today. Your interpretation makes sense, but does ESAPI assume that these regexes are HTML-entity encoded? (I don't think so, but I'm suspicious now) |
I don't believe so either. I think the regex is likely wrong and should -kevin
|
Well... I changed |
Issue #327 got rid of misleading HTML entity in URL regex.
From anton.sh...@gmail.com on March 17, 2014 16:17:40
What steps will reproduce the problem? 1. Match a string "a" to a subset of the regex: "^(/?)([a-zA-Z0-9-.?,:'/\+=&%$#]*)?$"
2. Match a string "a" to a subset of the regex without a-z range: "^(/?)([A-Z0-9-.?,:'/\+=&%$#])?$"
3. Match a string "a" to a subset of the regex without "amp;" substring: "^(/?)([A-Z0-9-.?,:'/\+=&%$#]_)?$" What is the expected output? What do you see instead? 1. "a" matches
2. "a" matches, but expected not to match, if & is a reference to ampersand
3. "a" does not match
Conclusion: & is a simple character class, not a reference to ampersand. What version of the product are you using? On what operating system? 2.1.0 Win7 Does this issue affect only a specified browser or set of browsers? - Please provide any additional information below. Java 1.6
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=322
The text was updated successfully, but these errors were encountered: