> On Tue, Jun 30, 2026 at 11:18 PM Jeffrey Walton <nolo...@gmail.com> wrote:
>>
>> On Tue, Jun 30, 2026 at 10:25 PM Kevin W. Wall <kevin....@gmail.com> wrote:
>> >
>> > IIRC, the validation.properties is used exclusively by implementations of the Validator interface. Pretty much everything else uses ESAPI.properties. (I'm not sure of the historical reasons for this, but it dates back at least to the ESAPI 1.4 version. Maybe the Validator stuff started out as a separate library. IDK. Maybe ask @Jeff Williams if you're curious.)
>> >
>> > I think most (all?) of the other regexes in ESAPI.properties are associated with the HTTPUtilities interface.
>> >
>> > Lastly, regarding your comment about:
>> >
>> > > ... validation.properties got lopped-off in mid sentence
>> >
>> > Try checking the comments in https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/test/resources/esapi/validation.properties, or if it's missing there as well, check the git history for those files.
>>
>> Yes, it looks like it is missing some text. Around line 29, the
>> comments start discussing potential missing canonicalization, and
>> introduce a partial example:
>>
>> // Line 29 below
>> # But note, when you use boolean variants of validation functions, you lose critical
>> # canonicalization. It is preferable to use the "get" methods (which throw exceptions)
>> # and use the returned user input which is in canonical form. Consider the following:
>> #
>> # try {
>> # someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull));
>> #
>> // whoops, the discussion stops there, at line 35.
>>