1 |
10567
|
antonis.le
|
# The ESAPI validator does many security checks on input, such as canonicalization
|
2 |
|
|
# and whitelist validation. Note that all of these validation rules are applied *after*
|
3 |
|
|
# canonicalization. Double-encoded characters (even with different encodings involved,
|
4 |
|
|
# are never allowed.
|
5 |
|
|
#
|
6 |
|
|
# To use:
|
7 |
|
|
#
|
8 |
|
|
# First set up a pattern below. You can choose any name you want, prefixed by the word
|
9 |
|
|
# "Validation." For example:
|
10 |
|
|
# Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
|
11 |
|
|
#
|
12 |
|
|
# Then you can validate in your code against the pattern like this:
|
13 |
|
|
# ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull);
|
14 |
|
|
# Where maxLength and allowNull are set for you needs, respectively.
|
15 |
|
|
#
|
16 |
|
|
# But note, when you use boolean variants of validation functions, you lose critical
|
17 |
|
|
# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and
|
18 |
|
|
# and use the returned user input which is in canonical form. Consider the following:
|
19 |
|
|
#
|
20 |
|
|
# try {
|
21 |
|
|
# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
|
22 |
|
|
#
|
23 |
|
|
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
|
24 |
|
|
Validator.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
|
25 |
|
|
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
|
26 |
|
|
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
|
27 |
|
|
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
|
28 |
|
|
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
|