Looking at antisamy.xml, SVN revision 137:
<regexp name="number" value="(-|\+)?([0-9]+(.[0-9]+)?)"/>
I assume the intent is to allow a decimal number, such as 1.5 (however, I'm
not sure that even makes sense, as many of the places where this is used
expect an integer). In fact, since the period is not escaped, it allows any
character.
For example, "1<0" or "+12x9" would match this regex.
This is probably also an issue in:
<regexp name="positiveNumber" value="(-|\+)?([0-9]+(.[0-9]+)?)"/>
<regexp name="angle" value="(-|\+)?([0-9]+(.[0-9]+)?)(deg|grads|rad)"/>
<regexp name="time" value="([0-9]+(.[0-9]+)?)(ms|s)"/>
<regexp name="frequency" value="([0-9]+(.[0-9]+)?)(hz|khz)"/>
<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
<regexp name="positiveLength" value="((\+)?0|(\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
<regexp name="percentage" value="(-|\+)?([0-9]+(.[0-9]+)?)%"/>
<regexp name="positivePercentage" value="(\+)?([0-9]+(.[0-9]+)?)%"/>
Original issue reported on code.google.com by danr...@gmail.com on 23 Dec 2009 at 8:09
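The following is an added example, not part of the original issue and not AntiSamy project code. It reproduces the report's point with the policy regexps quoted above: an unescaped `.` is a wildcard, so "1<0" and "+12x9" pass the "number" pattern while the escaped form rejects them. It also includes a small audit that scans `<regexp>` entries for wildcard periods outside character classes, run here over a constructed excerpt containing only the nine entries quoted in the report. The check assumes AntiSamy applies a policy regexp as a whole-string match (modelled with `re.fullmatch`); for patterns this simple, Java and Python regex semantics agree.

```python
"""Added example (not AntiSamy project code): detect and demonstrate the
unescaped-period bug in the antisamy.xml regexp definitions quoted in the report."""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt: only the <regexp> entries quoted in the report, wrapped in
# a <regexp-list> root so ElementTree can parse it. Not the complete policy file.
POLICY_EXCERPT = r"""<regexp-list>
<regexp name="number" value="(-|\+)?([0-9]+(.[0-9]+)?)"/>
<regexp name="positiveNumber" value="(-|\+)?([0-9]+(.[0-9]+)?)"/>
<regexp name="angle" value="(-|\+)?([0-9]+(.[0-9]+)?)(deg|grads|rad)"/>
<regexp name="time" value="([0-9]+(.[0-9]+)?)(ms|s)"/>
<regexp name="frequency" value="([0-9]+(.[0-9]+)?)(hz|khz)"/>
<regexp name="length" value="((-|\+)?0|(-|\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
<regexp name="positiveLength" value="((\+)?0|(\+)?([0-9]+(.[0-9]+)?)(em|ex|px|in|cm|mm|pt|pc))"/>
<regexp name="percentage" value="(-|\+)?([0-9]+(.[0-9]+)?)%"/>
<regexp name="positivePercentage" value="(\+)?([0-9]+(.[0-9]+)?)%"/>
</regexp-list>"""


def unescaped_dots(pattern):
    """Return the indices of '.' characters that act as wildcards: not preceded
    by a backslash and not inside a [...] character class."""
    positions = []
    in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 2  # skip the escaped character, whatever it is
            continue
        if in_class:
            if ch == "]":
                in_class = False
        elif ch == "[":
            in_class = True
        elif ch == ".":
            positions.append(i)
        i += 1
    return positions


def audit_policy(xml_text):
    """Map each <regexp name=...> whose value contains a wildcard '.' to the
    offending indices. Entries without the problem are omitted."""
    root = ET.fromstring(xml_text)
    findings = {}
    for node in root.iter("regexp"):
        hits = unescaped_dots(node.get("value", ""))
        if hits:
            findings[node.get("name")] = hits
    return findings


def escape_dots(pattern):
    """Produce the corrected pattern: every wildcard '.' becomes a literal '\\.'."""
    out = list(pattern)
    for idx in reversed(unescaped_dots(pattern)):
        out[idx] = r"\."
    return "".join(out)


def policy_accepts(pattern, value):
    """Assumption: AntiSamy applies a policy regexp as a whole-string match, so
    re.fullmatch is used here rather than re.search."""
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    number = r"(-|\+)?([0-9]+(.[0-9]+)?)"
    for v in ("1.5", "1<0", "+12x9"):
        print(v, "original:", policy_accepts(number, v),
              "fixed:", policy_accepts(escape_dots(number), v))
    for name, hits in audit_policy(POLICY_EXCERPT).items():
        print(name, "wildcard '.' at", hits)
```

Running the audit over the excerpt flags all nine entries, each with exactly one wildcard period; the same `audit_policy` call can be pointed at a full policy file to catch any other occurrences.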