jeff.williams at aspectsecurity.com
Tue Sep 28 18:01:56 EDT 2010
I strongly encourage organizations to use a reasonably limited whitelist
here. Just because the spec allows it does not mean that you have to
allow it in your application. Do you really need tilde and backtick?
You may want to try a regex that allows printable international
From: esapi-dev-bounces at lists.owasp.org
[mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Michael Coates
Sent: Tuesday, September 28, 2010 5:47 PM
To: Jim Manico
Subject: Re: [Esapi-dev] HTTPParameterValue
Allow %20-%7E (the actual values of course, not the hex representation).
This will eliminate the non-printable characters like null and line
breaks (%0A, %0C) and allow most everything else. One note, I'm not
sure if this will work well for international character sets.
As Jim points out, this should be a coarse-grained filter. Any real
filtering is contextual within the app.
On 9/28/10 2:39 PM, Jim Manico wrote:
We currently use the following regular expression to validate
in the wrapper filters.
This is turning out to be horribly restrictive (for example, even email
addresses in input data get rejected).
We need some pretty detailed analysis on this regex to get it right.
Keep in mind, this is not to be used for contextual validation (real app
validation). This is just a sanity filter to make sure your inputs abide
Esapi-dev mailing list
Esapi-dev at lists.owasp.org
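The three filters discussed in this thread, worked through as an added example that is not part of the thread or of ESAPI's own HTTPParameterValue code (ESAPI is Java; Python is used here only because it shows the regex behaviour compactly). It compares Michael's %20-%7E printable-ASCII range, Jeff's tighter variant that additionally drops tilde and backtick, and one possible reading of "printable international" based on Unicode general categories. The sample parameter values are constructed, and the international rule is an assumption of this example, not something the thread specifies.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed sample parameter values (not from the thread).
SAMPLES = {
    "email": "alice.smith+tag@example.com",
    "backtick": "`id`",
    "tilde_path": "~alice/docs",
    "null_byte": "abc\x00def",
    "crlf": "name\r\nX-Injected: 1",
    "accented": "Ren\u00e9e M\u00fcller",
    "cjk": "\u6771\u4eac",
}

# Michael's suggestion: accept only the printable ASCII range 0x20-0x7E.
# Rejects NUL, LF, CR, FF and every other control character.
PRINTABLE_ASCII = re.compile(r"[\x20-\x7E]*")

# Jeff's question ("do you really need tilde and backtick?") as a pattern:
# the same range with 0x60 (backtick) and 0x7E (tilde) removed.
LIMITED_ASCII = re.compile(r"[\x20-\x5F\x61-\x7D]*")


def is_printable_ascii(value: str) -> bool:
    """Coarse sanity filter: every character in 0x20-0x7E."""
    return PRINTABLE_ASCII.fullmatch(value) is not None


def is_limited_ascii(value: str) -> bool:
    """Printable ASCII minus backtick and tilde."""
    return LIMITED_ASCII.fullmatch(value) is not None


def is_printable_international(value: str) -> bool:
    """One assumed reading of 'printable international' (example's own rule):
    reject control, format, surrogate, private-use and unassigned code points
    (Unicode categories C*) and line/paragraph separators (Zl, Zp); keep
    letters, digits, punctuation, symbols and ordinary spaces in any script."""
    for ch in value:
        cat = unicodedata.category(ch)
        if cat[0] == "C" or cat in ("Zl", "Zp"):
            return False
    return True


def check_decoded(raw: str, validator) -> bool:
    """Run the filter on the actual value, not the percent-encoded form:
    '%0A' is printable ASCII as text but decodes to a line break."""
    return validator(unquote(raw))


def classify(value: str) -> dict:
    """Result of all three filters for one parameter value."""
    return {
        "ascii": is_printable_ascii(value),
        "limited": is_limited_ascii(value),
        "international": is_printable_international(value),
    }


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:12} {classify(value)}")
    # The encoded form passes the naive check, the decoded value does not.
    print("raw %0A  :", is_printable_ascii("a%0Ab"))
    print("decoded  :", check_decoded("a%0Ab", is_printable_ascii))
```

The point of the last two lines is the "actual values, not the hex representation" remark in the thread: the sanity filter only does its job if it sees the decoded parameter, which is why a wrapper filter belongs after the container has decoded the request.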