ngx_lua location capture issue

Nginx User nginx at
Fri Oct 21 07:35:21 UTC 2011

On 21 October 2011 07:13, agentzh <agentzh at> wrote:
> On Fri, Oct 21, 2011 at 12:08 PM, agentzh <agentzh at> wrote:
>>>       local query_string =,
>>> "(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)", "io")
>>>                -- finds unquoted attribute breaking injections -- xss -- csrf
>>>                -- <impact>2</impact>
> BTW, it's bad practice to match against $request_uri directly because
> query strings may be escaped according to URI escaping rules. (Yes!
> there's escaping everywhere!)
> For example, Forefox will escape "<a>3</a>" into "a=%3Ca%3E3%3C/a%3E",
> which will surely never be matched by the regexes used here.
> You can try ngx.unescape_uri to preprocess the $request_uri thing first, see:
> Good luck!

Thanks for the emails above.  I'll look into tackling the issues
raised in due course.
"/" is escaped because the original regex is from a php application
which uses "/" as a delimiter. I left it in place because the snippet
posted in just a part of the result of a series of "find and replace"
sequences on an xml file
that changes it to the lua format. "-- <impact>2</impact>" is not the
target but just a hang over from the original xml I couldn't find an
easy find and replace for to cater for all possible "<impact>" tags
and is there as a lua comment.

As said, things are working as expected for me at present in that the
resultant regexes are consistent with the target regexes from the xml
file so I am keeping them as they are. I will change them if/when I
see issues.

In any case, this is just a fallback I put in place when trying to
call the actual application and having just recompiled with rc17, I'll
look into having a go at that again.


More information about the nginx mailing list