ngx_lua location capture issue

Nginx User nginx at
Thu Oct 20 16:02:39 UTC 2011

On 20 October 2011 14:48, agentzh <agentzh at> wrote:
> As I said, try using external .lua file and
> content/rewrite/access/set_by_lua_file to avoid nginx string escaping
> issues.

Understood. However, when I follow your instructions on this, things
fail. They seem to work my way.

Take this regex for example: (?:^>[\w\s]*<\/?\w{2,}>)

When I use my "incorrect" escaping in access_by_lua file ...

       local query_string =,
"(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)", "io")
		-- finds unquoted attribute breaking injections -- xss -- csrf
		-- <impact>2</impact>
		if query_string then

... the debug log entry is ....

[debug] 24803#0: *154 lua regex cache miss for match regex
"(?:^>[\w\s]*<\/?\w{2,}>)" with options "io"
[debug] 24803#0: *154 lua compiling match regex
"(?:^>[\w\s]*<\/?\w{2,}>)" with options "io" (compile once: 1)
[debug] 24803#0: *154 lua saving compiled regex (0 captures) into the
cache (entries 6)
[debug] 24803#0: *154 regex "(?:^>[\w\s]*<\/?\w{2,}>)" not matched on
string "/trackip/?searchip=" starting from 0

I.E. the match regex,  "(?:^>[\w\s]*<\/?\w{2,}>)" is the same as the original.

I don't know why, but it works and the "correct" escaping does not.

So I'm sticking with this until I start to see problems.


More information about the nginx mailing list