Re: [WEB SECURITY] RE: [Webappsec] [WEB SECURITY] Re: Comparisons of Web Application Firewalls
- From: Achim <kirke12@xxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] RE: [Webappsec] [WEB SECURITY] Re: Comparisons of Web Application Firewalls
- Date: Mon, 7 Jul 2008 22:59:02 +0200 (MEST)
On Mon, 7 Jul 2008, Arshan Dabirsiaghi wrote:
!! You should investigate standardized Unicode patterns like \p{L} and \p{N} which are extremely useful for doing cross-language input validation without getting deep into the weeds of Unicode character ranges [1]. You can also validate the data you're receiving against the locale you're receiving it from. For instance, \p{Greek} will tell you whether or not your letters are in the Greek character range.
!!
!! I can't say whether or not any WAF out there has this kind of capability (the few I've seen do not).
hmm, sounds like you have not seen many WAFs (no offence meant ;-)
Most (all*) WAFs claim to support PCRE (I use "claim" as I didn't prove it),
and PCRE supports Unicode properties, blocks and scripts very well.
On the other hand TCL does not support Unicode properties, IIRC. So we can
imagine which WAF does not support such simple matches.
Conclusion: i18n or whatever character set is no reason to blame regex in WAFs,
I don't see a better way to handle international languages/characters than
with simple Unicode properties, scripts, blocks.
{-: Achim
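
The Unicode-property matching discussed in this thread, as an added example that is not part of either post: an allow-list check for a name field using `\p{L}`, `\p{M}` and `\p{N}`, followed by a script-versus-locale check. It is written in JavaScript, whose regex engine spells PCRE's `\p{Greek}` as `\p{Script=Greek}`; the field rule, the locale table and the function names are assumptions made for illustration.

```javascript
// Added example: Unicode-property validation of a "name" field.
// Allowed: letters, combining marks, digits and a few separators,
// at most 64 code points (the "u" flag makes the count per code point).
const NAME = /^[\p{L}\p{M}\p{N} .'-]{1,64}$/u;

// Hypothetical locale -> expected script table (assumption for this example).
const LOCALE_SCRIPT = { el: 'Greek', ru: 'Cyrillic', en: 'Latin', de: 'Latin' };

// One script matcher per script this example knows about.
const SCRIPTS = ['Latin', 'Greek', 'Cyrillic'].map(
  (s) => [s, new RegExp(`\\p{Script=${s}}`, 'u')]);

// Return the set of scripts used by the letters in `value`.
function scriptsOf(value) {
  const found = new Set();
  for (const ch of value) {
    if (!/\p{L}/u.test(ch)) continue;          // only letters carry a script here
    const hit = SCRIPTS.find(([, re]) => re.test(ch));
    found.add(hit ? hit[0] : 'Other');
  }
  return found;
}

// Validate `value` for a request whose locale tag is `locale` (e.g. "el-GR").
function validateName(value, locale) {
  const v = value.normalize('NFC');            // compose before matching
  if (!NAME.test(v)) return 'reject: disallowed character or length';
  const scripts = scriptsOf(v);
  if (scripts.size > 1) return 'reject: mixed scripts';
  const expected = LOCALE_SCRIPT[locale.split('-')[0]];
  if (expected && scripts.size === 1 && !scripts.has(expected)) {
    return 'reject: script does not match locale';
  }
  return 'accept';
}
```

Whether a script mismatch should be rejected or only logged depends on the field; names legitimately cross locales.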