Reputation: 243
Let me make my question Simple what I want is I am using white list Regex pattern to avoid xss and sql injection so as my allowed character in string is [A-Za-z0-9,()[]{}\"\:./_\s] and I want to restrict occurrence of -- in any coming request from client but it should allow - or jjdfasd-dsfads-12321 string
In short it below test cases should run successfully
import java.util.regex.Pattern;
public class RegExTest {
private static Pattern xssAttackPattern;
private static final String XSS_ATTACK_REGULAR_EXPRESSION1 = "-?[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*";
public static Pattern getXSSAttackPattern1() {
xssAttackPattern = Pattern.compile(XSS_ATTACK_REGULAR_EXPRESSION1);
return xssAttackPattern;
}
public static boolean hasXSSAttackOrSQLInjection1(String value) {
if (getXSSAttackPattern1().matcher(value).matches()) {
return true;
}
return false;
}
public static void main(String arg[]) {
System.out.println(" :::::: Regular Expression ::::::");
regexTest();
}
private static void regexTest() {
String str1 = "-dsfdsfddsfd2112212s";
String str2 = "--dsfdsfddsfd2112212s";
String str3 = "-dsfdsfdd-sfd2112212s";
String str4="http://rss.cnn.com/rss/edition_business.rss?id=121132511$@#$@$@#%242444+gfghgfhg";
String str5="(.:[]{}";
String str6="--";
String str7="-";
System.out.println("String::" + str1 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str1));
System.out.println("String::" + str2 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str2));
System.out.println("String::" + str3 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str3));
System.out.println("String::" + str4 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str4));
System.out.println("String::" + str5 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str5));
System.out.println("String::" + str6 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str6));
System.out.println("String::" + str7 + "::Result::"
+ hasXSSAttackOrSQLInjection1(str7));
}
}
Upvotes: 2
Views: 5967
Reputation: 727017
You current regex matches
-
character, orIf you would like to change it to allow zero or one dash -
only at the beginning of the string, remove the OR character |
from your expression; if you would like to match at most one dash anywhere in the string, change expression to
[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*-?[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*
EDIT 1: If you need to avoid two consecutive dashes, you can use this expression with negative lookbehind:
([A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|(?<!-)-)*
The (?<!-)-
part of the expression above matches a dash unless it is preceded by another dash.
EDIT 2: If you have strings of 10000+ length, a positive regex solution is not as good as a negative one. Instead of looking for myString.matches(positiveExpr)
, it is much more efficient to look for !myString.matches(negativeExpr)
, and use this expression for your negative match. In other words, instead of specifying an expression defining the string that you want, you could define a much simpler expression for the string that you do not want:
[^A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|--
NOTE: Sanitizing your strings is not the best way to avoid SQL injection attacks; using parameterized statements is.
Upvotes: 2