ngx_lua location capture issue

agentzh agentzh at
Fri Oct 21 04:08:13 UTC 2011

On Fri, Oct 21, 2011 at 12:02 AM, Nginx User <nginx at> wrote:
> On 20 October 2011 14:48, agentzh <agentzh at> wrote:
> Take this regex for example: (?:^>[\w\s]*<\/?\w{2,}>)

Good lord!

Why are you using "^" here? Are you meant to match from the very start
of your $request_uri string?

And why are you escaping "/" ? It is *not* a special thing in the
regex syntax that requires escaping.

As years of Perl programmer, I must say your regex here is by no means correct.

> When I use my "incorrect" escaping in access_by_lua file ...
>       local query_string =,
> "(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)", "io")
>                -- finds unquoted attribute breaking injections -- xss -- csrf
>                -- <impact>2</impact>
>                if query_string then
>                        ngx.exit(ngx.HTTP_BAD_REQUEST)
>                end

I'm not meant to help with Perl compatible regex usage, but here's my
working version:

    -- html/foo.lua
    local uri = "<impact>2</impact>"
    local regex = '(?:>[\\w\\s]*</?\\w{2,}>)';
    ngx.say("regex: ", regex)
    m =, regex, "oi")
    if m then
        ngx.say("[", m[0], "]")
        ngx.say("not matched!")

    # nginx.conf
    location /re {
        access_by_lua_file html/foo.lua;
        content_by_lua return;

GET /re yields

    regex: (?:>[\w\s]*</?\w{2,}>)


More information about the nginx mailing list