ngx_lua location capture issue

agentzh agentzh at
Fri Oct 21 04:13:30 UTC 2011

On Fri, Oct 21, 2011 at 12:08 PM, agentzh <agentzh at> wrote:
>>       local query_string =,
>> "(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)", "io")
>>                -- finds unquoted attribute breaking injections -- xss -- csrf
>>                -- <impact>2</impact>

BTW, it's bad practice to match against $request_uri directly because
query strings may be escaped according to URI escaping rules. (Yes!
there's escaping everywhere!)

For example, Firefox will escape "<a>3</a>" into "a=%3Ca%3E3%3C/a%3E",
which will surely never be matched by the regexes used here.

You can try ngx.unescape_uri to preprocess the $request_uri thing first, see:

Good luck!

More information about the nginx mailing list
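The preprocessing step suggested above, as an added example that is not code from the thread or from ngx_lua itself. It decodes each query-string value with ngx.unescape_uri before running the quoted rule, so a payload that Firefox sends percent-encoded is seen in its decoded form. It assumes ngx_lua built with PCRE support and a location that loads the file via access_by_lua_file; the file path and the parameter name in the comments are hypothetical.

```lua
-- Added example, not code from the thread or from ngx_lua: an access handler
-- that decodes query values with ngx.unescape_uri before applying the quoted
-- PHPIDS-style rule. Assumes ngx_lua with PCRE and a location such as:
--
--     location / {
--         access_by_lua_file /etc/nginx/lua/check_query.lua;  -- hypothetical path
--     }

-- The rule quoted in the thread ("unquoted attribute breaking injections").
-- A Lua long string keeps the backslashes as-is, so no double escaping is needed.
local attr_break_re = [[(?:^>[\w\s]*<\/?\w{2,}>)]]

-- Note the leading ^: the rule is anchored at the start of its subject, so it
-- is meant to be run against an individual parameter value, not the whole URI.
local function matches_rule(value)
    return ngx.re.match(value, attr_break_re, "io") ~= nil
end

-- Split the raw, still percent-encoded query string into name/value pairs so
-- that the decoding step below is explicit and visible.
local function raw_query_pairs(request_uri)
    local out = {}
    local qs = request_uri:match("%?(.*)$")
    if not qs then
        return out
    end
    for field in qs:gmatch("[^&]+") do
        local name, value = field:match("^([^=]*)=?(.*)$")
        out[#out + 1] = { name = name, value = value }
    end
    return out
end

-- Example of what arrives: a browser turns ?q=><script> into
-- q=%3E%3Cscript%3E, which the regex cannot match while still encoded.
for _, p in ipairs(raw_query_pairs(ngx.var.request_uri)) do
    local decoded = ngx.unescape_uri(p.value)
    if matches_rule(decoded) then
        ngx.log(ngx.WARN, "attribute-breaking injection in parameter '",
                p.name, "': raw=", p.value, " decoded=", decoded)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end
end
```

Two caveats for anyone using this. A single ngx.unescape_uri pass turns %253C into %3C, not into <, so a backend that decodes a second time can still be reached by a double-encoded payload; decide deliberately how many decoding passes the rule should see. And ngx.req.get_uri_args() already returns decoded values, so matching those is an alternative to splitting $request_uri by hand; the manual split above is only there to make the decoding step explicit.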