Reputation: 1595
I am using a built-in ESAPI validator. It is defined as follows:
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
I am not very familiar with regex, and after some reading I understand that this expression matches alphanumerics and spaces.
I would like to extend this expression to include *,-()&+ and /. I tried the following, but it doesn't seem to work:
Validator.SafeString=^[.\\p{Alnum}\\p{Space}*,-()&+]{0,1024}$
Upvotes: 1
Views: 7962
Reputation: 6325
I would create a separate entry in validation.properties. OWASP's intent for SafeString is to provide a guaranteed safe string for any application. By accepting characters that can be interpreted as code in JavaScript, you no longer have a SafeString as intended by the API. That could have disastrous consequences if other parts of your application are using SafeString as originally intended.
Use @Fede's first regex, but address it like this:
Validator.SomethingElse=^[.\\p{Alnum}\\p{Space}*,()&+-]{0,1024}$
And call it like this:
ESAPI.validator().isValidInput(CONTEXT, input, "SomethingElse", MAX_FIELD_LENGTH, true);
Note that the "true" argument corresponds to whether or not the string can be null.
Upvotes: 1
Reputation: 31025
You have to put the hyphen at the end, since if you don't the hyphen works as a range instead of as a single char:
Validator.SafeString=^[.\\p{Alnum}\\p{Space}*,()&+-]{0,1024}$
                                                  ^--- here
Update: following avgvstvs's comments:
From 1.7 onwards, you would have to add the flag (?u) at the beginning of your regex in order for \w\s to work.
You could try also:
Validator.SafeString=(?u)^[.\\w\\s*,()&+-]{0,1024}$
Upvotes: 2
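The following is an added example, not code from the question or from either answer, and it does not use ESAPI itself: java.util.Properties and java.util.regex.Pattern stand in for what ESAPI does when it reads a Validator.* entry from validation.properties and compiles it. It reproduces why the question's regex fails (",-(" inside the class is a reversed range, which Java rejects at compile time), checks the hyphen-last version from both answers through an isValidInput-style wrapper, and shows that \p{Alnum} stays ASCII-only unless the pattern is compiled with Pattern.UNICODE_CHARACTER_CLASS (embedded flag (?U) in Java 7+). The property name Validator.Broken, the sample inputs and the isValid() wrapper are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added example (not from the page): JDK only, no ESAPI dependency.
public class SafeStringRegexCheck {

    // Constructed in-memory copy of the relevant validation.properties lines.
    // The doubled backslashes in the file are .properties escapes: Properties.load()
    // turns "\\p{Alnum}" into "\p{Alnum}" before the regex engine ever sees it.
    // (Java string literals double them again, hence four backslashes here.)
    static final String PROPS =
          "Validator.Broken=^[.\\\\p{Alnum}\\\\p{Space}*,-()&+]{0,1024}$\n"
        + "Validator.SomethingElse=^[.\\\\p{Alnum}\\\\p{Space}*,()&+-]{0,1024}$\n";

    static Properties load() throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(PROPS));
        return p;
    }

    // Compile the named Validator.<type> entry, as a validation rule would.
    static Pattern compile(Properties p, String type) {
        String regex = p.getProperty("Validator." + type);
        if (regex == null) {
            throw new IllegalArgumentException("no such validator type: " + type);
        }
        return Pattern.compile(regex);
    }

    // Hypothetical stand-in for isValidInput(context, input, type, maxLength, allowNull):
    // null is governed by allowNull, then the length cap, then a whole-string match.
    static boolean isValid(Pattern pat, String input, int maxLength, boolean allowNull) {
        if (input == null) {
            return allowNull;
        }
        if (input.length() > maxLength) {
            return false;
        }
        return pat.matcher(input).matches();
    }

    public static void main(String[] args) throws IOException {
        Properties p = load();

        // 1. The question's version: inside a class, ",-(" is a range from ',' (0x2C)
        //    down to '(' (0x28). The range is reversed, so Pattern.compile() throws.
        try {
            compile(p, "Broken");
            System.out.println("Broken: compiled (unexpected)");
        } catch (PatternSyntaxException e) {
            System.out.println("Broken: " + e.getDescription());
        }

        // 2. Hyphen placed last is a literal '-', so the class now accepts *,()&+- too.
        Pattern ok = compile(p, "SomethingElse");
        System.out.println(isValid(ok, "Total (net) & gross 10+5-3, *approx*", 1024, true)); // true
        System.out.println(isValid(ok, "<script>alert(1)</script>", 1024, true));            // false
        System.out.println(isValid(ok, "a/b", 1024, true));   // false: '/' is not in the class
        System.out.println(isValid(ok, null, 1024, true));    // true: allowNull
        System.out.println(isValid(ok, null, 1024, false));   // false: null rejected

        // 3. \p{Alnum} is the ASCII POSIX class in java.util.regex. Only
        //    UNICODE_CHARACTER_CLASS (embedded flag (?U)) makes it cover non-ASCII letters.
        System.out.println(ok.matcher("caf\u00e9").matches());                   // false
        Pattern uni = Pattern.compile(ok.pattern(), Pattern.UNICODE_CHARACTER_CLASS);
        System.out.println(uni.matcher("caf\u00e9").matches());                  // true
    }
}
```

Run it with `javac SafeStringRegexCheck.java && java SafeStringRegexCheck`. Two points worth carrying back to a real validation.properties: keep the hyphen first, last, or escaped as \- so it is never read as a range, and decide explicitly whether non-ASCII letters should pass, because the unflagged \p{Alnum} rejects them while a (?U)-compiled pattern accepts them.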