blob: a38ae8069a7446ca55b5850525c86855b1f2da60 [file] [log] [blame]
Michael Hanl72c7b832015-09-03 08:42:15 +02001# The ESAPI validator does many security checks on input, such as canonicalization
2# and whitelist validation. Note that all of these validation rules are applied *after*
3# canonicalization. Double-encoded characters (even with different encodings involved,
4# are never allowed.
5#
6# To use:
7#
8# First set up a pattern below. You can choose any name you want, prefixed by the word
9# "Validation." For example:
10# Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
11#
12# Then you can validate in your code against the pattern like this:
13# ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull);
14# Where maxLength and allowNull are set for you needs, respectively.
15#
16# But note, when you use boolean variants of validation functions, you lose critical
17# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and
18# and use the returned user input which is in canonical form. Consider the following:
19#
20# try {
21# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
22#
Michael Hanlc0ed00f2016-06-23 14:33:10 +020023# Validator.SafeString=^[.;:\\-\\p{Alnum}\\p{Space}]{0,1024}$
24# Validator.password_cap=((?=.*\\d)(?=.*[a-z])(?=.*[A-Z]).{8,20})
Michael Hanl72c7b832015-09-03 08:42:15 +020025Validator.SafeString=^[.;:,=\\*\/\/_()\\-0-9\\p{L}\\p{Space}]{0,1024}$
Michael Hanle17eaa52016-01-22 20:55:05 +010026Validator.email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
27Validator.ipddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
28Validator.url=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%\\$#_]*)?$
Michael Hanlc0ed00f2016-06-23 14:33:10 +020029# Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
30# Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
Michael Hanle17eaa52016-01-22 20:55:05 +010031
Michael Hanlc0ed00f2016-06-23 14:33:10 +020032# as used by apache commons validator for strings
33# Validator.string=^[\\.;:,\\=&\\*\\/\\/_()\\[\\]@\\|\\-0-9\\p{L}\\p{Space}]{0,1024}$
34
Bodmo3d6bd352017-04-25 11:31:39 +020035#Validator.username=^[A-Za-z_.\\d]{6,15}$ by Hanl
36Validator.username=^[A-Za-z_.\\d]{3,20}$ # 21.04.17/FB
Michael Hanlc0ed00f2016-06-23 14:33:10 +020037Validator.password=^((?=.*\\d)(?=.*[A-Za-z])(?!.*[\\(\\)-]).{8,20})$