[Esapi-user] RegExp for URL

Jim Manico jim.manico at owasp.org
Wed Feb 3 05:28:54 EST 2010


Mungo,

> Also, as I'm using ESAPI 1.4.x, I missed the split off of
> validation.properties from ESAPI.properties. What's the reason for that?

This is only happening in the 2.0 branch. This change was not made to 
the ESAPI 1.4 branch.

> Could I plead for unit tests for these fancy expressions?

Very reasonable request. You can add a new issue/feature request to the 
Google tracker regarding our URL validation RegEx at 
http://code.google.com/p/owasp-esapi-java/issues/entry (via any Google 
account).

Cool?

Thanks kindly,
Jim


>
> Hi,
>
> It looks like the modified RegExp below is not in ESAPI 2.0 or 1.4.4 - 
> should it be?
> Could I plead for unit tests for these fancy expressions?
> Specifically, add a failing test before any new or modified RegExp.
> I get in a cold sweat thinking that ESAPI validation might block 
> legitimate URL references - this would not make me popular.
>
> Also, as I'm using ESAPI 1.4.x, I missed the split off of 
> validation.properties from ESAPI.properties. What's the reason for that?
>
> Thanks,
>
> Mungo Carstairs
> Senior Systems Developer
> Business Solutions
> Standard Life Employee Services Limited
> http://www.standardlife.com
>
> Tel:        +44 (0)131 246 2785
>
>
>
>
> Message: 1
> Date: Wed, 5 Aug 2009 12:40:04 -1000
> From: "Jim Manico" <jim.manico at owasp.org>
> Subject: Re: [OWASP-ESAPI] Two questionable Regex in default
>                 ESAPI.propertiesfile
> To: "Neil Matatall" <nmatatal at uci.edu>, "Chris Schmidt"
>                 <chrisisbeef at gmail.com>
> Cc: owasp-esapi at lists.owasp.org
> Message-ID: <D730AA21B22842E5943087A8A5D50ABC at workhorse>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I've also had to modify the URL regEx to include "(" and ")" - I 
> imagine it could use more changes.
>
> I have not added this to trunk yet, but I will... You might want to 
> include it in the quality branch...
> Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\(\\)\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&amp;%\\$#_]*)?$


-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
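
A table-driven regression check of the kind requested in this thread, as an added example that is not part of the original messages or of ESAPI's own test suite. The class name, the sample URLs and the reconstructed pre-change pattern are assumptions; the modified pattern is the `Validator.URL` value quoted above.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class UrlRegexRegressionTest {
    // Validator.URL value exactly as posted in the thread. Properties files and
    // Java string literals both double each backslash, so it pastes in verbatim.
    static final String MODIFIED =
        "^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)"
        + "([a-zA-Z0-9\\(\\)\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&amp;%\\$#_]*)?$";

    // ASSUMPTION: the pre-change pattern is not on the page; it is reconstructed
    // here by removing the two added escapes for "(" and ")".
    static final String BEFORE = MODIFIED.replace("\\(\\)", "");

    // Whole-input match (assumed to be how the validator applies the pattern).
    static boolean accepts(String regex, String url) {
        return Pattern.compile(regex).matcher(url).matches();
    }

    public static void main(String[] args) {
        // Constructed sample URLs mapped to the verdict a reviewer expects.
        Map<String, Boolean> expected = new LinkedHashMap<>();
        expected.put("http://example.com/", true);
        expected.put("https://example.com:8443/app?x=1&y=2", true);
        expected.put("ftp://ftp.example.org/pub/file.txt", true);
        expected.put("http://example.com/wiki/Page_(disambiguation)", true);
        expected.put("http://example.com/~user/index.html", true); // '~' is valid in a URL path
        expected.put("javascript:void(0)", false);
        expected.put("http://example.com/<b>", false);

        int failures = 0;
        for (Map.Entry<String, Boolean> e : expected.entrySet()) {
            boolean before = accepts(BEFORE, e.getKey());
            boolean after = accepts(MODIFIED, e.getKey());
            String verdict = (after == e.getValue()) ? "ok  " : "FAIL";
            if (after != e.getValue()) failures++;
            System.out.printf("%s before=%-5b after=%-5b %s%n",
                              verdict, before, after, e.getKey());
        }
        System.out.println(failures + " case(s) disagree with the modified pattern");
    }
}
```

Run as written, the `~user` case is the only one flagged FAIL: `~` is not in the pattern's path character class, so both versions reject that URL, while the parenthesised URL is rejected before the change and accepted after it.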
