On Nov 8, 2018, at 7:55 PM, John Hardin <jhar...@impsec.org> wrote: > > I left it case-sensitive; is there some reason the entities cannot be coded > as (e.g.) n ? I kinda doubt it, so it should *probably* be > case-insensitive to avoid trivial bypass.
I think it should be insensitive, sorry for that oversight on my part. You could just use the second, cleaner regex instead. That is case-insensitive by design. I think they should perform identically (except for case), and the second one is more compact and may scan faster (fewer 'or' tests). Cheers. --- Amir
