2

質問を簡単にさせてください。私が望むのは、ホワイトリスト正規表現パターンを使用して xss と sql インジェクションを回避しているため、文字列で許可されている文字は [A-Za-z0-9,()[]{}\"\: ./_\s] の発生を制限したい -- クライアントからのリクエストで - または jjdfasd-dsfads-12321 文字列を許可する必要があります

要するに、以下のテストケースが正常に実行されるはずです 

import java.util.regex.Pattern;


public class RegExTest {

private static Pattern xssAttackPattern;

private static final String XSS_ATTACK_REGULAR_EXPRESSION1 = "-?[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*";


public static Pattern getXSSAttackPattern1() {
    xssAttackPattern = Pattern.compile(XSS_ATTACK_REGULAR_EXPRESSION1);
    return xssAttackPattern;
}

public static boolean hasXSSAttackOrSQLInjection1(String value) {

    if (getXSSAttackPattern1().matcher(value).matches()) {
        return true;
    }
    return false;
}



public static void main(String arg[]) {

    System.out.println(" :::::: Regular Expression ::::::");
    regexTest();

}

private static void regexTest() {

    String str1 = "-dsfdsfddsfd2112212s";
    String str2 = "--dsfdsfddsfd2112212s";
    String str3 = "-dsfdsfdd-sfd2112212s";
    String str4="http://rss.cnn.com/rss/edition_business.rss?id=121132511$@#$@$@#%242444+gfghgfhg";
    String str5="(.:[]{}";
    String str6="--";
    String str7="-";

    System.out.println("String::" + str1 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str1));
    System.out.println("String::" + str2 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str2));
    System.out.println("String::" + str3 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str3));
    System.out.println("String::" + str4 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str4));
    System.out.println("String::" + str5 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str5));
    System.out.println("String::" + str6 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str6));
    System.out.println("String::" + str7 + "::Result::"
            + hasXSSAttackOrSQLInjection1(str7));
}

}

4

1 に答える 1

2

現在の正規表現一致

  • a string consisting of a single - character, or
  • a string consisting of a sequence of letters, digits, and some special characters, or
  • an empty string

If you would like to change it to allow zero or one dash - only at the beginning of the string, remove the OR character | from your expression; if you would like to match at most one dash anywhere in the string, change expression to

[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*-?[A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]*

EDIT 1: If you need to avoid two consecutive dashes, you can use this expression with negative lookbehind:

([A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|(?<!-)-)*

The (?<!-)- part of the expression above matches a dash unless it is preceded by another dash.

EDIT 2: If you have strings of 10000+ length, a positive regex solution is not as good as a negative one. Instead of looking for myString.matches(positiveExpr), it is much more efficient to look for !myString.matches(negativeExpr), and use this expression for your negative match. In other words, instead of specifying an expression defining the string that you want, you could define a much simpler expression for the string that you do not want:

[^A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|--

NOTE: Sanitizing your strings is not the best way to avoid SQL injection attacks; using parameterized statements is.

于 2012-04-30T10:22:10.000 に答える