一个正则表达式的空白字符会引起注入吗？ [英] can a regex whitespace character cause an injection?

问题描述

如果我想验证< textarea> 的输入，并希望它包含，例如，只包含数值，但甚至想要给用户插入新行的可能性，我可以用javascript正则表达式选择想要的字符，甚至包括空格字符。

if I want to validate the input of a <textarea>, and want it to contain, for example, only numerical values, but even want to give users the possibility to insert new lines, I can selected wanted characters with a javascript regex that includes even the whitespace characters.

/[0-9\s]/

问题是：即使我认为最后一个选项是不可能的，还是任何其他类型的攻击，是否可以使用白字符来执行注入，XSS？

The question is: do a whitecharacter can be used to perform injections, XSS,even if I think this last option is impossible, or any other type of attack ?

谢谢

推荐答案

/ [0我相信-9 \ s] / 应该是一个安全的白名单。但是，您确实需要确保它检查整个输入;我认为你的意思是 / ^ [0-9 \ s] * $ / 。

/[0-9\s]/ should be a safe whitelist to use, I believe. You do need to ensure that it checks the entire input, though; I think you mean /^[0-9\s]*$/.

还要记住，当然，您必须在服务器端验证它，而不仅仅是在浏览器中。攻击者可以轻松绕过JavaScript验证码。

Also remember, of course, that you have to validate it server-side, not just in the browser. Attackers can easily bypass JavaScript validation code.

这篇关于一个正则表达式的空白字符会引起注入吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！