Michael Hanl | 72c7b83 | 2015-09-03 08:42:15 +0200 | [diff] [blame] | 1 | # The ESAPI validator does many security checks on input, such as canonicalization |
| 2 | # and whitelist validation. Note that all of these validation rules are applied *after* |
| 3 | # canonicalization. Double-encoded characters (even with different encodings involved, |
| 4 | # are never allowed. |
| 5 | # |
| 6 | # To use: |
| 7 | # |
| 8 | # First set up a pattern below. You can choose any name you want, prefixed by the word |
| 9 | # "Validation." For example: |
| 10 | # Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ |
| 11 | # |
| 12 | # Then you can validate in your code against the pattern like this: |
| 13 | # ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull); |
| 14 | # Where maxLength and allowNull are set for you needs, respectively. |
| 15 | # |
| 16 | # But note, when you use boolean variants of validation functions, you lose critical |
| 17 | # canonicalization. It is preferable to use the "get" methods (which throw exceptions) and |
| 18 | # and use the returned user input which is in canonical form. Consider the following: |
| 19 | # |
| 20 | # try { |
| 21 | # someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull)); |
| 22 | # |
Michael Hanl | c0ed00f | 2016-06-23 14:33:10 +0200 | [diff] [blame] | 23 | # Validator.SafeString=^[.;:\\-\\p{Alnum}\\p{Space}]{0,1024}$ |
| 24 | # Validator.password_cap=((?=.*\\d)(?=.*[a-z])(?=.*[A-Z]).{8,20}) |
Michael Hanl | 72c7b83 | 2015-09-03 08:42:15 +0200 | [diff] [blame] | 25 | Validator.SafeString=^[.;:,=\\*\/\/_()\\-0-9\\p{L}\\p{Space}]{0,1024}$ |
Michael Hanl | e17eaa5 | 2016-01-22 20:55:05 +0100 | [diff] [blame] | 26 | Validator.email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$ |
| 27 | Validator.ipddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ |
| 28 | Validator.url=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$ |
Michael Hanl | c0ed00f | 2016-06-23 14:33:10 +0200 | [diff] [blame] | 29 | # Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$ |
| 30 | # Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$ |
Michael Hanl | e17eaa5 | 2016-01-22 20:55:05 +0100 | [diff] [blame] | 31 | |
Michael Hanl | c0ed00f | 2016-06-23 14:33:10 +0200 | [diff] [blame] | 32 | # as used by apache commons validator for strings |
| 33 | # Validator.string=^[\\.;:,\\=&\\*\\/\\/_()\\[\\]@\\|\\-0-9\\p{L}\\p{Space}]{0,1024}$ |
| 34 | |
Bodmo | 3d6bd35 | 2017-04-25 11:31:39 +0200 | [diff] [blame] | 35 | #Validator.username=^[A-Za-z_.\\d]{6,15}$ by Hanl |
| 36 | Validator.username=^[A-Za-z_.\\d]{3,20}$ # 21.04.17/FB |
Michael Hanl | c0ed00f | 2016-06-23 14:33:10 +0200 | [diff] [blame] | 37 | Validator.password=^((?=.*\\d)(?=.*[A-Za-z])(?!.*[\\(\\)-]).{8,20})$ |