[Esapi-user] RegExp for URL

Mungo Carstairs mungo_carstairs at standardlife.com
Wed Feb 3 05:25:16 EST 2010


Hi,

It looks like the modified RegExp below is not in ESAPI 2.0 or 1.4.4 - 
should it be?
Could I plead for unit tests for these fancy expressions?
Specifically, add a failing test before any new or modified RegExp.
I get in a cold sweat thinking that ESAPI validation might block 
legitimate URL references - this would not make me popular.

Also, as I'm using ESAPI 1.4.x, I missed the split off of 
validation.properties from ESAPI.properties. What's the reason for that?

Thanks,

Mungo Carstairs
Senior Systems Developer
Business Solutions
Standard Life Employee Services Limited
http://www.standardlife.com

Tel:    +44 (0)131 246 2785




Message: 1
Date: Wed, 5 Aug 2009 12:40:04 -1000
From: "Jim Manico" <jim.manico at owasp.org>
Subject: Re: [OWASP-ESAPI] Two questionable Regex in default
                 ESAPI.properties file
To: "Neil Matatall" <nmatatal at uci.edu>, "Chris Schmidt"
                 <chrisisbeef at gmail.com>
Cc: owasp-esapi at lists.owasp.org
Message-ID: <D730AA21B22842E5943087A8A5D50ABC at workhorse>
Content-Type: text/plain; charset="iso-8859-1"

I've also had to modify the URL regEx to include "(" and ")" - I imagine 
it could use more changes.

I have not added this to trunk yet, but I will... You might want to 
include it in the quality branch...
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\(\\)\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&amp;%\\$#_]*)?$


End of OWASP-ESAPI Digest, Vol 23, Issue 7
******************************************
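
The failing-test-first check requested above, applied to the Validator.URL value quoted in this message. This is an added example, not part of the original e-mail or of ESAPI's own test suite, and it is written in Python so that the posted line can be embedded verbatim. The "before" pattern is an assumption (the posted value with the `\\(\\)` that the quoted message says was added taken out again), and the sample URLs are constructed.

```python
import re

# Validator.URL exactly as posted in the thread, still in .properties
# escaping (each "\\" in the file is one backslash in the regex).
POSTED = r"Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\(\\)\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&amp;%\\$#_]*)?$"


def load_pattern(properties_line):
    """Return the compiled regex a .properties loader would hand to the validator."""
    _key, value = properties_line.split("=", 1)
    return re.compile(value.replace("\\\\", "\\"))


# Constructed sample URLs, each paired with whether validation ought to accept it.
CASES = [
    ("http://www.example.com/", True),
    ("http://example.com:8080/app?x=1&y=2", True),
    ("ftp://ftp.example.org/pub/file.txt", True),
    ("http://example.com/wiki/Foo_(bar)", True),  # parentheses: the reason for the change
    ("http://example.com/~mungo/", True),         # tilde: a legitimate URL reference
    ("javascript:void(0)", False),                # scheme other than http(s)/ftp(s)
    ("http://example.com/a b", False),            # raw space
]


def failing_cases(pattern):
    """URLs whose accept/reject result differs from the expectation in CASES."""
    return [url for url, want in CASES
            if (pattern.fullmatch(url) is not None) != want]


# Assumption: the pre-change expression is the posted one without "\\(\\)".
BEFORE = load_pattern(POSTED.replace(r"\\(\\)", ""))
AFTER = load_pattern(POSTED)

if __name__ == "__main__":
    print("failing before the change:", failing_cases(BEFORE))
    print("failing after the change: ", failing_cases(AFTER))
```

The parentheses case fails against the "before" pattern and passes against the posted one; the tilde case fails against both, which is the kind of blocked legitimate URL such a test would surface before a release.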


