Many classes, including {{Pattern}} as well as classes that support {{XML}} and {{SQL}} based actions by passing {{String}} arguments to methods, allow inclusion of escape sequences in character and string literals. According to the Java Language Specification [JLS 2005], Section 3.10.6, "Escape Sequences for Character and String Literals":

The character and string escape sequences allow for the representation of some nongraphic characters as well as the single quote, double quote, and backslash characters in character literals (§3.10.4) and string literals (§3.10.5).

Correct use of escape sequences in {{String}} literals depends on a correct understanding of how the escape sequences are interpreted. SQL statements written in Java, for example, sometimes require certain special escape characters or sequences (e.g., sequences containing \t, \n, \r). When representing SQL queries in Java {{String}} form, each such escape sequence must be preceded by an extra backslash so that the Java compiler passes the backslash through to the database rather than interpreting the sequence itself.
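The following is an added example (not code from the original page) of the SQL case described above, using a standard SQL {{LIKE ... ESCAPE}} clause. The class name {{LikeEscapeExample}}, the {{accounts}} table and the column names are assumptions made for illustration. The single backslash that the database must see inside {{ESCAPE '\'}} has to be written as {{"\\"}} in the Java source, and the same doubling applies to every backslash the helper inserts into the parameter value:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public final class LikeEscapeExample {

    // Java source of the query: "\\" in the literal becomes the single
    // backslash the database sees as the ESCAPE character.
    // (Table and column names are assumptions for this example.)
    static final String QUERY =
        "SELECT id, name FROM accounts WHERE name LIKE ? ESCAPE '\\'";

    // Prefixes the LIKE metacharacters '%' and '_' (and the escape
    // character itself) with a backslash so that user input is matched
    // literally rather than interpreted as a wildcard pattern. Both the
    // character compared against and the character appended are single
    // backslashes, written as '\\' in Java source.
    static String escapeLikeWildcards(String userInput) {
        StringBuilder sb = new StringBuilder(userInput.length());
        for (char c : userInput.toCharArray()) {
            if (c == '\\' || c == '%' || c == '_') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Binds the escaped prefix as a parameter; the SQL text itself stays
    // constant, so no user-controlled characters reach the query structure.
    static void findByPrefix(Connection conn, String prefix) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(QUERY)) {
            ps.setString(1, escapeLikeWildcards(prefix) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    System.out.println(rs.getInt("id") + " " + rs.getString("name"));
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample input containing every LIKE metacharacter.
        String input = "50%_off\\sale";
        System.out.println("SQL text seen by the database: " + QUERY);
        System.out.println("escaped parameter: " + escapeLikeWildcards(input) + "%");
    }
}
```

Run {{main()}} to see that the Java literal with {{"\\"}} yields a single backslash in the SQL text, and that each metacharacter in the constructed input is prefixed with exactly one backslash; {{findByPrefix()}} needs a live {{Connection}} to a database that supports the {{ESCAPE}} clause.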

As another example, consider the {{Pattern}} class, which is used extensively in performing regular expression related tasks. A given {{String}} literal used for pattern matching is compiled into an instance of the {{Pattern}} type. When the pattern to be matched contains a sequence of characters that is identical to one of the Java escape sequences ('\' 'n', for example), the Java compiler treats that portion of the string as a Java escape sequence and transforms it into a newline character before the regular expression engine ever sees it. Consequently, the programmer must precede the "\n" sequence with an additional backslash to prevent the Java compiler from treating it as an escape sequence. The string constructed from the resulting literal

Code Block
"\\n"

now contains the two-character sequence '\' 'n', which the regular expression engine interprets as its own escape for newline, rather than a literal newline character.

In general, for a particular escape character of the form '\X', the equivalent Java representation is:

Code Block
"\\X"

This condition is particularly important in automatic exploit signature detection systems and filters that rely on pattern matching: a signature written as a Java string literal with single backslashes may silently match different characters than its author intended.

Noncompliant Code Example

This noncompliant code example defines a method {{splitWords()}} that finds matches between the {{String}} literal and the input sequence. The programmer believes that Java {{String}} literals can be used as is for regular expression patterns. Consequently, he initializes the string {{WORDS}} to "\b", expecting that the string literal will hold the escape sequence for matching a word boundary. However, the Java compiler treats the "\b" as a Java escape sequence, and the string {{WORDS}} silently compiles to a single backspace character (U+0008), so the pattern matches backspaces rather than word boundaries and the input is not split into words.

...
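The following is an added example (not the page's own noncompliant or compliant code) that places the noncompliant "\b" literal beside its corrected "\\b" form and, through the {{describe()}} helper, shows the general '\X' versus "\\X" rule from the earlier paragraph by printing the code points a literal actually contains after the Java compiler has processed it. The class name {{WordBoundaryExample}}, the two-argument {{splitWords()}} signature and the sample sentence are assumptions made for illustration:

```java
import java.util.Arrays;
import java.util.regex.Pattern;

public final class WordBoundaryExample {

    // Noncompliant: the Java compiler turns "\b" into a single backspace
    // character (U+0008), so the compiled regex matches backspaces.
    static final String WORDS_NONCOMPLIANT = "\b";

    // Compliant: "\\b" is the two characters '\' 'b', which the regular
    // expression engine interprets as a word boundary.
    static final String WORDS_COMPLIANT = "\\b";

    // Splits the input on the given pattern. Splitting on a zero-width
    // word-boundary match yields words and the separators between them
    // as alternating tokens. (Two-argument form is an assumption of this example.)
    static String[] splitWords(String input, String boundaryPattern) {
        return Pattern.compile(boundaryPattern).split(input);
    }

    // Renders each character of a string as a U+XXXX code point so the
    // reader can see what a literal contains after escape processing.
    static String describe(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            sb.append(String.format("U+%04X ", (int) c));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        String sentence = "split these words";   // constructed sample input

        // The general rule: "\X" is consumed by the Java compiler,
        // "\\X" survives as the two characters '\' 'X'.
        System.out.println("\"\\b\"  compiles to: " + describe(WORDS_NONCOMPLIANT));
        System.out.println("\"\\\\b\" compiles to: " + describe(WORDS_COMPLIANT));
        System.out.println("\"\\n\"  compiles to: " + describe("\n"));
        System.out.println("\"\\\\n\" compiles to: " + describe("\\n"));

        // Noncompliant pattern: no backspace in the input, so nothing is split.
        System.out.println(Arrays.toString(splitWords(sentence, WORDS_NONCOMPLIANT)));
        // Compliant pattern: split at every word boundary.
        System.out.println(Arrays.toString(splitWords(sentence, WORDS_COMPLIANT)));
    }
}
```

Running {{main()}} shows that the noncompliant pattern leaves the sentence as a single element, while the compliant pattern splits it at each word boundary; the {{describe()}} lines make the difference between U+0008 and the pair U+005C U+0062 explicit.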

Bibliography

[JLS 2005] Section 3.10.6, "Escape Sequences for Character and String Literals"
[API 2006] Class Pattern, "Backslashes, escapes, and quoting", http://java.sun.com/javase/6/docs/api/java/util/regex/Pattern.html
[API 2006] Package java.sql, http://java.sun.com/javase/6/docs/api/java/sql/package-summary.html

...
