ESAPI Validator.isValidInput() isn't matching backslashes


I'm trying to make an ESAPI validator that matches the following: alphanumerics, spaces, and " # & ' ( ) + , . / \ : ; @ -.

I've added this line to ESAPI.properties:

Validator.SiteNameString=^[a-zA-Z0-9 "#&'()+,./\\\\:;@-]+$

The data:

Site.name = "Site\\name \"#&'()+,./:;@-"

The call returns false:

ESAPI.validator().isValidInput("U_SITE_NAME", site.getName(), "SiteNameString", 100, true);

It works with everything else but the backslash.

I've tested other solutions I've found here and none of them worked.

On Kevin's advice I debugged the code and got this result:

Inside the DefaultValidator.isValidInput() call is a call to getValidInput(), which calls ESAPI.encoder().canonicalize(input). This throws an IntrusionException: "Multiple (2x) encoding detected in Site\\name "#&'()+,./:;@-". It never tries to apply the validation pattern.

So are double backslashes (double since backslash is the escape character) not allowed in validated HTML text fields?

Answer by Kevin W. Wall:

This is just an unverified hunch, but I think I see what's going on now. By default, Encoder.canonicalize() will throw an IntrusionException if it thinks it detects either multiple encoding (controlled by the property Encoder.AllowMultipleEncoding) or mixed encoding (controlled by the property Encoder.AllowMixedEncoding). The default Codecs that Encoder.canonicalize() considers are HTMLEntityCodec, PercentCodec, and JavaScriptCodec. I think the canonicalize() method that gets called scans the string, finds the '\' and probably treats it as JavaScript encoded, where it checks it via the JavaScriptCodec. (See the property Encoder.DefaultCodecList for details.) And thus it fails before it even checks the regex. Setting a breakpoint in the canonicalize() method and then stepping through the code from there should allow you to verify whether my hunch is correct. The way around it is you customize that. IIRC, there is some Javadoc in the Validator interface or the DefaultValidator class that explains how to do that. I'm up to my chin in other ESAPI issues for the moment so I can't provide a lot of assistance at the moment.
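To make the hunch in the answer concrete, here is an added Python model of the canonicalization loop it describes, written for this page rather than taken from the question or from ESAPI. It assumes the loop works the way the answer sketches it: the codecs (HTMLEntityCodec, PercentCodec, JavaScriptCodec) are applied in turn, the loop repeats until a pass changes nothing, every pass that changed the string counts as one encoding layer, and a change by a different codec than the previous one counts as mixed encoding. The counting rules, the decoder implementations, the sample strings and the `canonicalize_first` flag are all constructed for the illustration; the flag stands in for validating without canonicalizing first, which in ESAPI 2.x is what the isValidInput overload with a trailing boolean canonicalize argument does.

```python
import html
import re
from urllib.parse import unquote

# Constructed model of the canonicalization loop described in the answer.
# It is an illustration written for this page, not ESAPI's own code.

_JS_SIMPLE = {"b": "\b", "t": "\t", "n": "\n", "v": "\v", "f": "\f",
              "r": "\r", '"': '"', "'": "'", "\\": "\\", "/": "/"}
_JS_ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[btnvfr\"'\\/])")


def js_decode(s: str) -> str:
    """Decode JavaScript string escapes such as \\n, \\\\, \\x3c and \\u003c."""
    def repl(m: re.Match) -> str:
        esc = m.group(1)
        if esc[0] in "xu":
            return chr(int(esc[1:], 16))
        return _JS_SIMPLE[esc]
    return _JS_ESCAPE.sub(repl, s)


# Codec order mirrors the default list named in the answer.
CODECS = [
    ("HTMLEntityCodec", html.unescape),
    ("PercentCodec", unquote),
    ("JavaScriptCodec", js_decode),
]


class IntrusionException(Exception):
    """Raised when more encoding layers than allowed are found."""


def encoding_layers(value: str):
    """Return (decoded, found_count, mixed_count) without raising."""
    working = value
    found_count = 0   # passes in which some codec changed the string
    mixed_count = 0   # changes made by a codec other than the previous one
    codec_found = None
    clean = False
    while not clean:
        clean = True
        for name, decode in CODECS:
            old = working
            working = decode(working)
            if old != working:
                if codec_found is not None and codec_found != name:
                    mixed_count += 1
                codec_found = name
                if clean:
                    found_count += 1
                clean = False
    return working, found_count, mixed_count


def canonicalize(value: str, allow_multiple=False, allow_mixed=False) -> str:
    """Model of Encoder.canonicalize(): decode, then enforce the two limits."""
    decoded, found_count, mixed_count = encoding_layers(value)
    if found_count >= 2 and not allow_multiple:
        raise IntrusionException(
            f"Multiple ({found_count}x) encoding detected in {value}")
    if mixed_count >= 1 and not allow_mixed:
        raise IntrusionException(
            f"Mixed encoding ({mixed_count + 1}x) detected in {value}")
    return decoded


# The question's pattern: in a .properties file "\\\\" reaches the regex
# engine as "\\", i.e. one literal backslash inside the character class.
SITE_NAME = re.compile(r"^[a-zA-Z0-9 \"#&'()+,./\\:;@-]+$")


def is_valid_site_name(value: str, canonicalize_first: bool = True) -> bool:
    """Model of isValidInput(): canonicalize (optionally), then match the pattern."""
    try:
        candidate = canonicalize(value) if canonicalize_first else value
    except IntrusionException:
        return False
    return SITE_NAME.fullmatch(candidate) is not None


if __name__ == "__main__":
    # Constructed sample values; the third is what the asker's data looks
    # like at runtime if it is stored with the backslash already doubled.
    for sample in ["Site name", "Site\\name \"#&'()+,./:;@-",
                   "Site\\\\name \"#&'()+,./:;@-", "&#x25;41"]:
        print(repr(sample), encoding_layers(sample), is_valid_site_name(sample))
```

Two things the model makes visible. With a single backslash, `\n` in `Site\name` is a valid JavaScript escape and decodes to a newline in one pass, so no exception is raised but the newline then fails the SiteNameString pattern. With the backslash doubled, `\\` decodes to `\` in the first pass and the resulting `\n` decodes in a second pass, which is exactly the "Multiple (2x) encoding detected" message from the question. Skipping canonicalization (the `canonicalize_first=False` branch) lets the raw value reach the regex, at the cost of giving up the multiple-encoding check for that field.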