vinothair / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
0 stars 0 forks source link

Construct "&" in Validator.URL is simple character class, not reference to ampersand #322

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Match a string "a" to a subset of the regex: 
"^(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$"
2. Match a string "a" to a subset of the regex without a-z range: 
"^(\\/?)([A-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$"
3. Match a string "a" to a subset of the regex without "amp;" substring: 
"^(\\/?)([A-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$"

What is the expected output? What do you see instead?
1. "a" matches
2. "a" matches, but expected not to match, if & is a reference to ampersand
3. "a" does not match

Conclusion: & is a simple character class, not a reference to ampersand.

What version of the product are you using? On what operating system?
2.1.0 Win7

Does this issue affect only a specified browser or set of browsers?
-

Please provide any additional information below.
Java 1.6

Original issue reported on code.google.com by anton.sh...@gmail.com on 17 Mar 2014 at 8:17