What steps will reproduce the problem?
1. Instantiate a SimpleDateFormat object called myFormat
2. Make a call to ESAPI.validator().dateIsValid using the following arguments: "datetest4", "September 11, 2001' union select * from another_table where user_id like '%", myFormat, false

What is the expected output? What do you see instead?
I think it's reasonable to expect the library to report "September 11, 2001' union select * from another_table where user_id like '%" as an invalid date; but, the method returns true.

What version of the product are you using? On what operating system?
I fetched the source from http://owasp-esapi-java.googlecode.com/svn/trunk, revision 1867, compiled using the Oracle JDK 6 Standard Edition (build 1.6.0_24-b07) in Eclipse configured for J2SE-1.5 compliance. The host OS was Windows 7.

Does this issue affect only a specified browser or set of browsers?
No.

Please provide any additional information below.
I added the following line to org.owasp.esapi.reference.ValidatorTest.java at line 330:
assertFalse(instance.isValidDate("datetest4", "September 11, 2001' union select * from another_table where user_id like '%", format, false));
and this assertion fails.
I believe I have traced the root cause to org.owasp.esapi.reference.validation.DateValidationRule.java line 97:
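As an added illustration of the behaviour described in this report (example code, not from the report and not ESAPI's own code): java.text.SimpleDateFormat.parse(String) only requires that a prefix of the input match the pattern and silently ignores whatever follows, so a string that starts with a well-formed date passes even when trailing text is attached. The pattern "MMMM d, yyyy" and Locale.US are assumptions, since the report does not state how myFormat was constructed. The strictAccepts method uses the parse(String, ParsePosition) overload and additionally requires the parser to have consumed the entire input, which is one way a validator can reject such values.

```java
import java.text.ParseException;
import java.text.ParsePosition;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;

public class StrictDateParse {

    // Mirrors a plain SimpleDateFormat.parse(String) call: the parser stops as soon as
    // the pattern is satisfied and does not complain about trailing characters.
    static boolean lenientAccepts(SimpleDateFormat fmt, String input) {
        try {
            fmt.parse(input);
            return true;
        } catch (ParseException e) {
            return false;
        }
    }

    // Strict variant: parse with an explicit ParsePosition and insist that no error
    // occurred and that the position advanced to the end of the string, so any
    // appended text (quotes, SQL keywords, anything else) causes rejection.
    static boolean strictAccepts(SimpleDateFormat fmt, String input) {
        ParsePosition pos = new ParsePosition(0);
        Date parsed = fmt.parse(input, pos);
        return parsed != null
                && pos.getErrorIndex() == -1
                && pos.getIndex() == input.length();
    }

    public static void main(String[] args) {
        // Assumed pattern and locale; the report does not specify myFormat's pattern.
        SimpleDateFormat fmt = new SimpleDateFormat("MMMM d, yyyy", Locale.US);
        fmt.setLenient(false); // setLenient only affects field ranges, not trailing text

        String benign = "September 11, 2001";
        // The input from the report: a valid date prefix followed by extra text.
        String withTrailingText =
                "September 11, 2001' union select * from another_table where user_id like '%";

        System.out.println("lenient, benign:        " + lenientAccepts(fmt, benign));
        System.out.println("lenient, trailing text: " + lenientAccepts(fmt, withTrailingText));
        System.out.println("strict,  benign:        " + strictAccepts(fmt, benign));
        System.out.println("strict,  trailing text: " + strictAccepts(fmt, withTrailingText));
    }
}
```

Running this shows the lenient path accepting both inputs, which matches the failing assertion above, while the strict path accepts only the plain date. Note that setLenient(false) is not sufficient on its own: it tightens the interpretation of field values but does nothing about characters left over after the pattern has been matched.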