Unless the business will allow updating "bad" regexes on a daily basis and support someone to research new attacks regularly, this approach will be obviated before long.

Rather than accept or reject input, another option is to change the user input into an acceptable format. Any characters which are not part of an approved list can be removed, encoded, or replaced.
For example, interest rates fall within permitted boundaries.
Some documentation and references interchangeably use the various meanings, which is very confusing to all concerned.
This confusion directly causes continuing financial loss to the organization.
For example, the web / presentation tier should validate for web related issues, persistence layers should validate for persistence issues such as SQL / HQL injection, directory lookups should check for LDAP injection, and so on.
Business rules are known during design, and they influence implementation.
For example, if you use HTML entity encoding on user input before it is sent to a browser, it will prevent most XSS attacks.