java - Why did my two test cases fail for the given Regex Pattern?


When I run the test case program, two test cases, str29 and str32, fail. I need a regex pattern that makes all the test cases succeed.

My test class is given below:

package com.csam.wsc.enabling.core.util.test;

import java.util.regex.Pattern;

public class RegularExTest {

    private static Pattern xssAttackPattern;

    // Pattern of white-listed characters
    private static final String XSS_ATTACK_REGULAR_EXPRESSION = "([a-zA-Z0-9,()[\\\\]{}\\\":./_\\\\s]|(?<!-)-)*";

    public static void main(String arg[]) {
        testSqlOrXssInjectionAsWhitelistApproach();
    }

    private static Pattern getXssAttackPattern() {
        xssAttackPattern = Pattern.compile(XSS_ATTACK_REGULAR_EXPRESSION);
        return xssAttackPattern;
    }

    // Whitelist approach: the value is considered safe only when the whole
    // string (matches(), not find()) consists of white-listed characters.
    public static boolean hasXssAttackOrSqlInjection(String value) {
        if (getXssAttackPattern().matcher(value).matches())
            return false;
        return true;
    }

    public static void testSqlOrXssInjectionAsWhitelistApproach() {

        String str0 = "";
        String str1 = ",:4,5}{a{,}1{}r,'ee4534:r,p],[a},{1}}{a{,}345:,";
        String str2 = "a";
        String str3 = "a#";
        String str4 = "#";
        String str5 = "#'";
        String str6 = "123";
        String str7 = "as";
        String str8 = "{#}";
        String str9 = "#{}";
        String str10 = "!";
        String str11 = "'124";
        String str12 = "123'";
        String str13 = "'";
        String str14 = "''";
        String str15 = "hello";
        String str16 = "<>";
        String str17 = "<>/?\":;";
        String str18 = "!@#$%^&*()_+}{|\":<>?,./[]\\";
        String str19 = "good";
        String str20 = "a\\%27";
        String str21 = ".";
        String str22 = "/";
        String str23 = "_";
        String str24 = ".'";
        String str25 = "/_";
        String str26 = "_.";
        String str27 = "http://rss.cnn.com/rss/edition_business.rss";
        String str28 = "http://rss.cnn.com/rss/edition_business.rss?id=121132511$@#$@$@#%242444+gfghgfhg";
        String str29 = "communication in progress...";
        String str30 = "(";
        String str31 = ")";
        String str32 = "(.:[]{} ";
        String str33 = "(.:[]{} #";
        String str34 = "&";
        String str35 = "$";
        String str36 = "-dsfdsfddsfd2112212s";
        String str37 = "--dsfdsfddsfd2112212s";
        String str38 = "-dsfdsfdd-sfd2112212s";
        String str39 = "--";
        String str40 = "-";

        assertFalse(str0);
        assertTrue(str1);
        assertFalse(str2);
        assertTrue(str3);
        assertTrue(str4);
        assertTrue(str5);
        assertFalse(str6);
        assertFalse(str7);
        assertTrue(str8);
        assertTrue(str9);
        assertTrue(str10);
        assertTrue(str11);
        assertTrue(str12);
        assertTrue(str13);
        assertTrue(str14);
        assertFalse(str15);
        assertTrue(str16);
        assertTrue(str17);
        assertTrue(str18);
        assertFalse(str19);
        assertTrue(str20);
        assertFalse(str21);
        assertFalse(str22);
        assertFalse(str23);
        assertTrue(str24);
        assertFalse(str25);
        assertFalse(str26);
        assertFalse(str27);
        assertTrue(str28);
        assertFalse(str29);
        assertFalse(str30);
        assertFalse(str31);
        assertFalse(str32);
        assertTrue(str33);
        assertTrue(str34);
        assertTrue(str35);
        assertFalse(str36);
        assertTrue(str37);
        assertFalse(str38);
        assertTrue(str39);
        assertFalse(str40);
    }

    // Expects the value to be accepted by the whitelist
    public static void assertFalse(String value) {
        boolean result = hasXssAttackOrSqlInjection(value);
        String var = "undefined";
        if (result == false) {
            var = "success";
        } else {
            var = "fail";
        }
        System.out.println("For given string -> " + value + " -> " + var);
    }

    // Expects the value to be rejected by the whitelist
    public static void assertTrue(String value) {
        boolean result = hasXssAttackOrSqlInjection(value);
        String var = "undefined";
        if (result == true) {
            var = "success";
        } else {
            var = "fail";
        }
        System.out.println("For given string -> " + value + " -> " + var);
    }
}

Here's the regex string literal:

"([a-zA-Z0-9,()[\\\\]{}\\\":./_\\\\s]|(?<!-)-)*"

The real regex is:

([a-zA-Z0-9,()[\\]{}\":./_\\s]|(?<!-)-)*

I see 2 major problems here.

  1. Unlike other flavors, Java allows you to embed a character class in a character class. The regex does not match square brackets ([ or ]) because [\\] is interpreted as an embedded character class that matches a backslash.

  2. \\\\s in the string literal becomes \\s in the regex. You meant \s, the class shorthand for a whitespace character, but it's a literal backslash followed by an s.

You need to escape the square brackets and fix the escaping of \s. This regex matches your sample strings:

([a-zA-Z0-9,()\[\]{}":./_\s\\]|(?<!-)-)*

When you create a character class with a literal backslash in it, put the backslash last. I find it a little easier to read that way, and if you mess things up, it's more likely to throw an exception than to silently match the wrong thing.

Note that the quotation mark (") doesn't need to be escaped for the regex parser, only for the Java parser. That means you need 1 backslash in the string literal, not three. Here's the final, string literal form of the regex:

"([a-zA-Z0-9,()\\[\\]{}\":./_\\s\\\\]|(?<!-)-)*"
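As an added example (not code from the question or from the answer above), the class below compiles both the original pattern and the corrected one and runs a subset of the question's expectations against each, so the effect of the nested [\\] class and of the \\s escaping is visible on concrete inputs. The class name, the helper names and the selection of inputs are my own; the expected true/false values are copied from the question's assertTrue/assertFalse calls.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class WhitelistRegexCheck {

    // Pattern from the question. In the compiled regex, "[\\]" is a nested
    // character class that matches only a backslash, and "\\s" is a literal
    // backslash followed by the letter s, so '[', ']' and whitespace are
    // not white-listed at all.
    static final String BROKEN = "([a-zA-Z0-9,()[\\\\]{}\\\":./_\\\\s]|(?<!-)-)*";

    // Pattern from the answer: brackets escaped, \s restored, the literal
    // backslash placed last in the class, the quote escaped only for Java.
    static final String FIXED = "([a-zA-Z0-9,()\\[\\]{}\":./_\\s\\\\]|(?<!-)-)*";

    // Whitelist check with matches(): the entire value must consist of
    // allowed characters. Returns true when the value should be rejected.
    static boolean isSuspicious(Pattern whitelist, String value) {
        return !whitelist.matcher(value).matches();
    }

    // Expected results, a constructed subset of the question's assertions:
    // true = assertTrue (reject), false = assertFalse (accept).
    static Map<String, Boolean> expectations() {
        Map<String, Boolean> m = new LinkedHashMap<>();
        m.put("", false);
        m.put("a#", true);
        m.put("hello", false);
        m.put("<>", true);
        m.put("!@#$%^&*()_+}{|\":<>?,./[]\\", true);
        m.put("a\\%27", true);
        m.put("http://rss.cnn.com/rss/edition_business.rss", false);
        m.put("communication in progress...", false); // str29: space
        m.put("(.:[]{} ", false);                      // str32: brackets, space
        m.put("(.:[]{} #", true);                      // str33: '#' still rejected
        m.put("-dsfdsfddsfd2112212s", false);          // single leading dash
        m.put("--dsfdsfddsfd2112212s", true);          // "--" blocked by lookbehind
        m.put("--", true);
        m.put("-", false);
        return m;
    }

    // Returns the inputs whose result under the given regex differs from
    // the expectation, i.e. the test cases that would print "fail".
    static List<String> failures(String regex) {
        Pattern p = Pattern.compile(regex);
        List<String> bad = new ArrayList<>();
        for (Map.Entry<String, Boolean> e : expectations().entrySet()) {
            if (isSuspicious(p, e.getKey()) != e.getValue()) {
                bad.add(e.getKey());
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        System.out.println("broken pattern fails on: " + failures(BROKEN));
        System.out.println("fixed pattern fails on:  " + failures(FIXED));
    }
}
```

With BROKEN the only inputs reported are the two the question flags, str29 (the space) and str32 (the brackets and the trailing space); with FIXED the list is empty. Two caveats worth keeping in mind when reusing this: matches() is the right call for a whitelist because it anchors the whole string, whereas find() would accept any input that merely contains one allowed character; and a whitelist that admits quotes, parentheses, colons, slashes and backslashes is only a coarse filter, so it does not replace parameterized queries or context-aware output encoding.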
