Construct "&amp;" in Validator.URL is simple character class, not reference to ampersand

Description

From anton.sh...@gmail.com on March 17, 2014 16:17:40

What steps will reproduce the problem?
1. Match a string "a" to a subset of the regex: "^(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&amp;%$#_]*)?$"
2. Match a string "a" to a subset of the regex without a-z range: "^(\\/?)([A-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&amp;%$#_]*)?$"
3. Match a string "a" to a subset of the regex without "amp;" substring: "^(\\/?)([A-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&%$#_]*)?$"

What is the expected output? What do you see instead?
1. "a" matches
2. "a" matches, but expected not to match, if &amp; is a reference to ampersand
3. "a" does not match

Conclusion: &amp; is a simple character class, not a reference to ampersand.

What version of the product are you using? On what operating system?
2.1.0 Win7

Does this issue affect only a specified browser or set of browsers?
-

Please provide any additional information below.
Java 1.6

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=322
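
The three matches from the report, reproduced with java.util.regex as an added example (not code from the report or from ESAPI), followed by a comparison against a variant with a literal '&'. The class name, the helpers subset and accepts, the probe strings and the literal-'&' variant are assumptions made for illustration. With a-z present, ';' is the only character whose acceptance differs between the two variants.

```java
import java.util.regex.Pattern;

public class AmpEntityInCharClass {
    // Builds the regex subset from the report. Only the letter ranges and the
    // text standing in for the ampersand vary between the variants.
    static String subset(String letters, String amp) {
        return "^(\\/?)([" + letters
             + "0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=" + amp + "%$#_]*)?$";
    }

    // True when the whole input matches the regex.
    static boolean accepts(String regex, String input) {
        return Pattern.matches(regex, input);
    }

    public static void main(String[] args) {
        String step1 = subset("a-zA-Z", "&amp;"); // as reported
        String step2 = subset("A-Z", "&amp;");    // a-z range removed
        String step3 = subset("A-Z", "&");        // "amp;" removed as well

        System.out.println("step 1 accepts \"a\": " + accepts(step1, "a"));
        System.out.println("step 2 accepts \"a\": " + accepts(step2, "a"));
        System.out.println("step 3 accepts \"a\": " + accepts(step3, "a"));

        // Assumed correction (not from the report): a literal '&' in the
        // full character class instead of the five characters & a m p ;
        String literal = subset("a-zA-Z", "&");

        // Constructed probes: each character of "&amp;" plus one short path.
        String[] probes = {"&", "a", "m", "p", ";", "/x;y"};
        for (String probe : probes) {
            System.out.printf("%-5s entity=%-5b literal=%b%n",
                    probe, accepts(step1, probe), accepts(literal, probe));
        }
    }
}
```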

Environment

None

Status

Assignee

Unassigned

Reporter

Max Gelman

Priority
