
Why does MVC validation not work for "<" and ">"?

I have this MVC application, and I want to be able to allow a user to be able to enter a username that is 6 to 255 characters long, including special characters that I deem fit. I have a simple regex for this:

[RegularExpression(@"^([a-zA-Z0-9!\@#\$%\^&\(\)-_\+\.'`~/=\?\{\}\|]){6,255}$", ErrorMessageResourceType = typeof(AdminResource), ErrorMessageResourceName = "UserNameFormatError")]

The validation works to a certain extent. It will not let you enter in a username shorter than 6 characters, and it will not let you enter one longer than 255, and it will also let you use all of the special characters I have listed. Interestingly though, it will also let you use "<" and ">", which I don't want to let it use, because then you start getting some errors on the backend because security stuff thinks you are trying to inject malicious code or w/e. That's beside the point. How come the validation allows use of those when they are not included in the regex?

Skrubb asked Jun 12 '26 04:06


1 Answer

The dash seems to be the culprit. Except at the beginning of the group, it would denote a range. So you are allowing everything between ) and _. You can escape or move it.

Andrew Barber answered Jun 14 '26 01:06
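The range described in the answer can be enumerated directly: this C# program (an added example, not code from the question or the answer) lists the printable ASCII characters each character class accepts beyond the intended ones, then validates a username containing "<" and ">" against the original class and against the same class with the dash escaped. The class name, helper names and the sample username are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class UserNameClassCheck
{
    // Character class from the question: ")-_" parses as the range U+0029..U+005F.
    const string OriginalClass = @"[a-zA-Z0-9!\@#\$%\^&\(\)-_\+\.'`~/=\?\{\}\|]";
    // Same class with the dash escaped, so it is a literal '-'.
    const string FixedClass = @"[a-zA-Z0-9!\@#\$%\^&\(\)\-_\+\.'`~/=\?\{\}\|]";
    // Special characters the question means to allow (read off its pattern).
    const string IntendedSpecials = "!@#$%^&()-_+.'`~/=?{}|";

    // Printable ASCII characters the class accepts that are not on the intended list.
    static string Unintended(string charClass)
    {
        var single = new Regex("^" + charClass + "$");
        return new string(Enumerable.Range(0x20, 0x5F)   // U+0020..U+007E
            .Select(i => (char)i)
            .Where(c => single.IsMatch(c.ToString()))
            .Where(c => !char.IsLetterOrDigit(c) && IntendedSpecials.IndexOf(c) < 0)
            .ToArray());
    }

    // Whole-string check with the question's 6..255 length bound.
    static bool IsValid(string charClass, string userName) =>
        Regex.IsMatch(userName, "^(" + charClass + "){6,255}$");

    static void Main()
    {
        const string sample = "user<b>name";   // constructed test input
        Console.WriteLine("original, unintended chars: " + Unintended(OriginalClass));
        Console.WriteLine("fixed,    unintended chars: " + Unintended(FixedClass));
        Console.WriteLine("original accepts sample: " + IsValid(OriginalClass, sample));
        Console.WriteLine("fixed accepts sample:    " + IsValid(FixedClass, sample));
    }
}
```

Moving the dash to the end of the class instead of escaping it gives the same result.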