First off, how nice of you to quote only the first and last part of my comment while paraphrasing the middle part as if you're telling me something new:
> Beyond the rules applicable to the specific type of input (for example: it should be a correctly UTF-8 encoded string with a maximum length)
versus
> You aren't understanding. You should only need one regex per input.
Also you're hopping between sanitation and validation as if you believe they're the same thing. My original example was a case of doing specifically validation badly and you specifically spoke about validation in your original comment. You then replied with a comment suggesting one should apply encoding, specifically escaping, to inputs. That is not called validation.
Apparently with this most recent comment we're back to validation.
At this point I don't know how to talk to you because you seem to make this conversation about something new with each comment and I'm past humoring it.
> Also you're hopping between sanitation and validation as if you believe they're the same thing. My original example was a case of doing specifically validation badly and you specifically spoke about validation in your original comment. You then replied with a comment suggesting one should apply encoding, specifically escaping, to inputs. That is not called validation.
You know what, I admit my writing isn't excellent. I'm fully aware of the difference between sanitization and validation and frequently lump them together in technical conversations. Input validation/sanitization along with OUTPUT encoding, are major security controls that should be present in your application and proper use of these techniques will protect you most of the time with your dependencies have a security flaw.
> At this point I don't know how to talk to you because you seem to make this conversation about something new with each comment and I'm past humoring it.
You replied to me saying that regex whitelists on untrusted input was "a horrible idea" and "objectively wrong". You argued that libraries should safely handle the untrusted input for you. You argued that validation/sanitization should not happen immediately upon receipt on the input. These points are just wrong. I'm not trying to be a dick, and I think its possible to have a constructive conversation here.
Full disclosure: My day job is as a web application pentester. I've tested/reviewed hundreds of applications.
I don't expect devs to be experts on security, but what triggered my ORIGINAL comment was all the software engineers ITT bashing open source libraries without considering security in their own code.
> Beyond the rules applicable to the specific type of input (for example: it should be a correctly UTF-8 encoded string with a maximum length)
versus
> You aren't understanding. You should only need one regex per input.
Also you're hopping between sanitation and validation as if you believe they're the same thing. My original example was a case of doing specifically validation badly and you specifically spoke about validation in your original comment. You then replied with a comment suggesting one should apply encoding, specifically escaping, to inputs. That is not called validation.
Apparently with this most recent comment we're back to validation.
At this point I don't know how to talk to you because you seem to make this conversation about something new with each comment and I'm past humoring it.