OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License

Feature: RegEx encoder #29

Closed Weltraumschaf closed 4 years ago

Weltraumschaf commented 5 years ago

Just did a quick look through the code and it looks like there is no encoder for RegEx context.

I'm just facing this issue: I have untrusted user input and must escape all RegEx meta characters to avoid possible crashes.

VsevolodGolovanov commented 5 years ago

java.util.regex.Pattern.quote(String)?

jmanico commented 5 years ago

Example of how this is being used, please? A special encoder should not be necessary.

-- Jim Manico @Manicode

On Jun 20, 2019, at 1:32 PM, VsevolodGolovanov notifications@github.com wrote:

java.util.regex.Pattern.quote(String)?


VsevolodGolovanov commented 5 years ago

import java.util.regex.Pattern;

System.out.println(Pattern.matches("\\w+", "anything")); // true - the input is interpreted as a regex and matches any word

System.out.println(Pattern.matches(Pattern.quote("\\w+"), "anything")); // false - the quoted input no longer matches any word
System.out.println(Pattern.matches(Pattern.quote("\\w+"), "\\w+")); // true - the quoted input matches only "\w+" literally

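The following is an added, stand-alone example (not code from the OWASP Java Encoder project or from any participant in this thread) showing the Pattern.quote approach suggested above applied to the issue's scenario: untrusted input that must be embedded in a regex without being interpreted as one. The input strings, the class name and the "search:" prefix are constructed for illustration. It also covers the replacement-string side with Matcher.quoteReplacement, which has its own metacharacters ($ and backslash).

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class QuoteUntrustedRegex {

    // Constructed sample inputs: what a user might type into a search box.
    private static final String[] UNTRUSTED = {
        "foo",      // benign
        "[",        // unbalanced bracket: raw compile throws PatternSyntaxException
        "\\w+",     // compiled raw, this matches any word instead of the literal text
        "a\\Eb",    // contains \E, which terminates a \Q...\E block; quote() must cope
        "(a+)+$"    // nested quantifier shape; compiled raw it is a regex, not a literal
    };

    /** UNSAFE: untrusted input compiled directly as a regex. */
    static Pattern compileRaw(String untrusted) {
        return Pattern.compile(untrusted);
    }

    /** SAFE: untrusted input treated as a literal and embedded in a larger pattern. */
    static Pattern compileQuoted(String untrusted) {
        // Pattern.quote wraps the input in \Q...\E and handles any embedded \E,
        // so the result matches the input literally and never as regex syntax.
        return Pattern.compile("^search:" + Pattern.quote(untrusted) + "$");
    }

    public static void main(String[] args) {
        for (String input : UNTRUSTED) {
            try {
                compileRaw(input);
                System.out.println("raw compile OK       : " + input);
            } catch (PatternSyntaxException e) {
                System.out.println("raw compile FAILED   : " + input + " (" + e.getDescription() + ")");
            }
            Pattern p = compileQuoted(input);
            boolean matchesItself = p.matcher("search:" + input).matches();
            boolean matchesOther = p.matcher("search:anything").matches();
            System.out.println("quoted: matches itself=" + matchesItself
                    + ", matches 'anything'=" + matchesOther);
        }

        // Replacement strings are a separate context: "$1" and "\" are special there.
        // Matcher.quoteReplacement escapes them so the replacement is inserted verbatim.
        String untrustedReplacement = "$1 costs \\$5";
        String out = Pattern.compile("price").matcher("the price")
                .replaceAll(Matcher.quoteReplacement(untrustedReplacement));
        System.out.println(out);
    }
}
```

For every input, the quoted pattern matches only the input itself and never "anything", while the raw compile either fails outright (the "[" case, which is the crash the issue describes) or silently turns the user's text into a pattern with its own meaning. Keep the two quoting functions distinct: Pattern.quote is for text that goes into a pattern, Matcher.quoteReplacement for text that goes into a replacement.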
jmanico commented 4 years ago

We politely cannot support this, we really want to focus on XSS defense in web pages. RegEx escaping is out of bounds for us.