开发者

JSLint reports "Insecure ^" for my regex -- what does that mean?

开发者 https://www.devze.com 2023-01-03 15:45 出处:网络
I\'m trying to get my Javascript code 100% JSLint clean. I\'ve got a r开发者_Go百科egular expression:

I'm trying to get my Javascript code 100% JSLint clean.

I've got a r开发者_Go百科egular expression:

 linkRgx = /https?:\/\/[^\s;|\\*'"!,()<>]+/g;

JSLint reports:

 Insecure '^'

What makes the use of the negation of the character set "insecure" ?


[^\s;|\\*'"!,()<>] matches any ASCII character other than the ones listed, and any non-ASCII character. Since JavaScript strings are Unicode-aware, that means every character known to Unicode. I can see a lot of potential for mischief there.

Rather than disable the warning, I would rewrite the character class to match the characters you do want to allow, as this regex from the Regular Expressions Cookbook does:

/\bhttps?:\/\/[-\w+&@#/%?=~|$!:,.;]*[\w+&@#/%=~|$]/g


(answering my own question) I did some digging... JSLint documentation says:

Disallow insecure . and [^...]. in /RegExp/ regexp: true if . and [^...] should not be allowed in RegExp literals. These forms should not be used when validating in secure applications.

What I have done is disable the JSLint error for the offending line (as I'm not dealing with needing to be secure from potentially malicious user input:

/*jslint regexp: false*/
.... Javascript statement(s) ....
/*jslint regexp: true*/


You should use:

/*jslint regexp: true*/
linkRgx = /https?:\/\/[^\s;|\\*'"!,()<>]+/g;
/*jslint regexp: false*/
0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号