[Esapi-user] Strange results with validator.getValidInput and SafeString
Allan Greenier
agreenier at snet.net
Wed Jan 13 20:12:59 EST 2010
I am consulting for a large organization that is considering using ESAPI 1.4.
The organization cannot use open source rfc, so ESAPI 2.0rfc isn't an option.
A colleague has altered the Swingset to run against ESAPI 1.4, that is, he's swapped out the 2.0 jar. His job has been to get SwingSet running on Websphere 6.1, a challenge all its own.
I have built a simple webapp, making a few calls against the 1.4 jar.
We both have experienced the same strange behavior with validator.getValidInput.
Something that runs correctly on the Swingset With Tomcat all in one fails on our apps.
I've entered "allan" into mine; it runs against SafeString.
Here is the error. I've added canonical to the Exception logging, as I thought maybe for some reason it was different from the input. It's not.
Invalid input. Please conform to: ^[p{L}p{N}.]{0,1024}$ with a maximum length of 100 input=allan canonical=allan
Now I'm no Regex expert but I think I understand SafeString, or at least I thought I did.
After seeing the same failure as my colleague, I wrote this simple Java routine to test the regex. It prints out false.
import java.util.regex.Pattern;

public class RegexTest {
    public static void regex() {
        String test = "allan";
        // Pattern as it appears in the validator's error message: without the
        // backslashes, p{L} and p{N} are literal characters, not Unicode classes.
        // (In Java source, a bare "\p" is not a legal escape and will not compile.)
        String safeString = "^[p{L}p{N}.]{0,1024}$";
        Pattern p = Pattern.compile(safeString);
        System.out.println(p.matcher(test).matches()); // prints false
    }

    public static void main(String[] args) { regex(); }
}
I have two questions.
1. Isn't SafeString a broken regex?
2. How in the world does Swingset With Tomcat all in one find a match when two other identical implementations do not?
Thanks. We really like ESAPI. It has been a real challenge getting it to "behave".
Allan
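The error message above shows the SafeString pattern arriving at the validator as ^[p{L}p{N}.]{0,1024}$, that is, without the backslashes that make \p{L} and \p{N} Unicode property classes. The following added example (not from the original post or from ESAPI) shows one mechanism that produces exactly that effect, assuming the pattern is read from a .properties file through java.util.Properties: a single backslash before an ordinary character is dropped during loading, so the character class silently degrades to the literal characters p, {, L, }, N and dot, and ordinary input such as "allan" is rejected while "p{L}." is accepted. Writing the backslashes doubled in the file survives loading intact. The property name Validator.SafeString, the class and method names, and the two file contents are constructed for the example; patternLooksIntact is a hypothetical startup check that flags a validation rule whose property classes have been lost before it is used to gate input.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Pattern;

public class SafeStringCheck {

    // Constructed stand-ins for two ways the same line could be written in a
    // properties file. Java string escaping means the file text is:
    //   SINGLE_BACKSLASH -> Validator.SafeString=^[\p{L}\p{N}.]{0,1024}$
    //   DOUBLE_BACKSLASH -> Validator.SafeString=^[\\p{L}\\p{N}.]{0,1024}$
    static final String SINGLE_BACKSLASH =
        "Validator.SafeString=^[\\p{L}\\p{N}.]{0,1024}$\n";
    static final String DOUBLE_BACKSLASH =
        "Validator.SafeString=^[\\\\p{L}\\\\p{N}.]{0,1024}$\n";

    // Load the pattern the way a properties-based configuration would
    // (assumption for this example). Properties.load() treats '\' as an
    // escape and drops it when the next character is not a recognised escape.
    static String loadPattern(String fileContents) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(fileContents));
        return props.getProperty("Validator.SafeString");
    }

    // Whole-input match, as a validator would apply it.
    static boolean matchesSafeString(String pattern, String input) {
        return Pattern.compile(pattern).matcher(input).matches();
    }

    // Hypothetical sanity check: a SafeString rule that no longer contains a
    // Unicode property class has been mangled somewhere between file and code.
    static boolean patternLooksIntact(String pattern) {
        return pattern != null && pattern.contains("\\p{");
    }

    public static void main(String[] args) throws IOException {
        String[][] cases = {
            { "single backslash in file", SINGLE_BACKSLASH },
            { "double backslash in file", DOUBLE_BACKSLASH },
        };
        for (String[] c : cases) {
            String pattern = loadPattern(c[1]);
            System.out.println(c[0] + ":");
            System.out.println("  loaded pattern : " + pattern);
            System.out.println("  looks intact   : " + patternLooksIntact(pattern));
            System.out.println("  'allan' valid  : " + matchesSafeString(pattern, "allan"));
            System.out.println("  'p{L}.' valid  : " + matchesSafeString(pattern, "p{L}."));
        }
    }
}
```

Run with the pattern loaded from the single-backslash line, "allan" is rejected and "p{L}." is accepted, which is the same outcome as the error in the post; with the double-backslash line the loaded pattern keeps its \p{L} and \p{N} classes and "allan" matches. Whether this is what differs between the all-in-one Swingset and the two other deployments is the open question in the post; comparing the pattern string actually handed to the validator in each environment, as the patternLooksIntact check does at startup, is the quickest way to tell.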