[Esapi-dev] Issue 116 in owasp-esapi-java: Global HTTP Validation Rules -> some possible improvements
Kevin W. Wall
kevin.w.wall at gmail.com
Sun Nov 7 12:35:24 EST 2010
OK, I see the \p{L} mentioned as in:
[\p{L}&&[^\p{Lu}]] Any letter except an uppercase letter (subtraction)
but I see no mention of \p{N}. By extrapolation, I would assume that
\p{N} means "any number", but given that the more common \d is used
to represent this (well, specifically, [0-9]), if that's what it *does*
mean, then let's use \d, as it's more well understood. The \d notation
goes all the way back to very early versions of Perl, and may even
predate that and go all the way back to Henry Spencer's regex C libraries.
So can someone confirm about the intended meaning of '\p{N}' ??? (Note:
I'm using the unquoted version here. It's '\\p{N}' as it appears in
Validation.properties.) If it is supposed to represent 'any number',
why not use '\d' instead???
-kevin
On 11/07/2010 01:46 AM, Jim Manico wrote:
> http://download.oracle.com/javase/1.5.0/docs/api/java/util/regex/Pattern.html
>
>
> Under the "Classes for Unicode blocks and categories" section.
>
> - Jim
>
>> On 11/06/2010 03:58 AM, owasp-esapi-java at googlecode.com wrote:
>>> Updates:
>>> Cc: kevin.w.wall manico.james planetlevel jeff.wil... at owasp.org
>>>
>>> Comment #4 on issue 116 by chrisisbeef: Global HTTP Validation Rules ->
>>> some possible improvements
>>> http://code.google.com/p/owasp-esapi-java/issues/detail?id=116
>>>
>>> Can we get a couple of stars on this if the regex's look good - if all
>>> is well I will commit new regex's.
>>>
>> I'm still trying to figure out what this part of the regex means.
>> I don't even see it documented in java.util.regex.Pattern for JDK 1.6.*
>>
>> Validator.HTTPParameterValue=^[\\p{L}\\p{N}.\\-/+=_ !$*?@]{0,1000}$
>>                                ^^^^^ ^^^^^
>> What do these mean???
>>
>> I did find the "L" listed here:
>> <http://download.oracle.com/javase/6/docs/api/java/lang/Character.html#DIRECTIONALITY_LEFT_TO_RIGHT>
>>
>>
>> so I suppose the \p{L} could refer to that, but I didn't find
>> \p{N} listed in the java.lang.Character class' javadoc at all.
>>
>> --------------------
>> * http://download.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html
>>
>> -kevin
>
>
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
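
Added example (not part of the original thread and not ESAPI's own code): a small Java program that runs the Validator.HTTPParameterValue pattern quoted above next to a hypothetical variant using \d in place of \p{N}. In java.util.regex, \p{N} is the Unicode general category Number (Nd, Nl and No), while \d matches only [0-9] unless the UNICODE_CHARACTER_CLASS flag is set; the class name, the variant pattern and the sample values are constructed for illustration.

```java
import java.util.regex.Pattern;

public class UnicodeNumberClassDemo {
    // The pattern from the thread, as java.util.regex receives it once the
    // doubled backslashes in Validation.properties have been unescaped.
    static final Pattern WITH_P_N =
        Pattern.compile("^[\\p{L}\\p{N}.\\-/+=_ !$*?@]{0,1000}$");

    // Hypothetical variant for comparison: \d substituted for \p{N}.
    static final Pattern WITH_D =
        Pattern.compile("^[\\p{L}\\d.\\-/+=_ !$*?@]{0,1000}$");

    // Render non-ASCII characters as hex escapes so output reads on any console.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c > 0x7e) sb.append(String.format("\\u%04X", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample parameter values (not taken from the thread).
        String[] samples = {
            "abc123",               // ASCII letters and digits
            "\u0661\u0662\u0663",   // Arabic-Indic digits, category Nd
            "\u2167",               // Roman numeral eight, category Nl
            "x\u00B2",              // superscript two, category No
            "<script>"              // characters outside the allow-list
        };
        System.out.printf("%-22s %-8s %-8s%n", "value", "\\p{N}", "\\d");
        for (String s : samples) {
            System.out.printf("%-22s %-8b %-8b%n", escape(s),
                WITH_P_N.matcher(s).matches(), WITH_D.matcher(s).matches());
        }
    }
}
```

The two columns differ only on the non-ASCII numeric inputs, which is the practical consequence of choosing one class over the other for a global validation rule.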