FEature: RegEx encoder

Question

FEature: RegEx encoder

Weltraumschaf opened this issue 5 years ago · 4 comments

Just did a quick look through the code and it looks like there is no encoder for RegEx context.

I'm just facing this issue: I have untrusted user input and must escape all RegEx meta characters to avoid possible crashes.

Answer 1 · 2019-06-20T20:32:42.000Z

java.util.regex.Pattern.quote(String)?

Answer 2 · 2019-06-20T21:02:45.000Z

Example of how this is being used, please? A special encoder should not be necesary.

…

-- Jim Manico @manicode

On Jun 20, 2019, at 1:32 PM, VsevolodGolovanov ***@***.***> wrote: java.util.regex.Pattern.quote(String)? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

Answer 3 · 2019-06-21T09:47:26.000Z

System.out.println(Pattern.matches("\\w+", "anything")); // true - matches any word

System.out.println(Pattern.matches(Pattern.quote("\\w+"), "anything")); // false - doesn't match any word
System.out.println(Pattern.matches(Pattern.quote("\\w+"), "\\w+")); // true - matches only "\w+" literally

Answer 4 · 2020-07-24T22:00:25.000Z

We politely cannot support this, we really want to focus on XSS defense in web pages. RegEx escaping is out of bounds for us.