I have the following regular expression validator to detect whether an input string contains HTML/script tags and if so cause a vaidation error:
<asp:TextBox ID="txt" runat="server" />
<asp:RegularExpressionValidator
ControlToValidate="txt"
runat="server"
ID="regexVal"
EnableClientScript="true" Display="Dynamic"
ErrorMessage="Invalid Content"
Text="!"
ValidationExpression=">(?:(?<t>[^<]*))" />
When I run the page hosting this markup I get a scipt error with the message "Syntax Error in Regular Expression". However when I take the same regex and run it using Regex class from System.Text.RegularExpressions everything works fine: Like so:
Regex r = new Regex(">(?:(?<t>[^<]*))");
r.IsMatch(@"<b>This should cause a validation error</b>");
r.IsMatch("this is fine");
What am I missing
UPDATE: The error seems to be happening in the following js function in WebResource.axd:
function RegularExpressionValidatorEvaluateIsValid(val) {
var value = ValidatorGetValue(val.controltovalidate);
if (ValidatorTrim(value).length == 0)
return true;
var rx = new RegExp(val.validationexpression); //this is the line causing the error
var matches = rx.exec(value);
return (matches != null && value == matches[0]);
}
I think the problem is that JavaScript does not understand .NET's regular expression syntax for grouping.
When you set EnableClientScript
to true
on the RegularExpressionValidator
ASP.NET re-creates your regular expression in JavaScript to enable client-side validation on you controls. In this case, JavaScript doesn't support the syntax for named groups (?<t>...)
and non-capturing groups (?:...)
. While these features work in .NET JavaScript is struggling with them.
From RegularExpressionValidator Control (General Reference) on MSDN :
On the client, JScript regular expression syntax is used. On the server, Regex syntax is used. Because JScript regular expression syntax is a subset of Regex syntax, it is recommended that you use JScript regular expression syntax in order to yield the same results on both the client and the server.
There are two ways you can correct this:
EnableClientScript
to false
.(...)
syntax should work correctly in both JavaScript and .NET. You would then use ordinal number references to access captured values ($1
, $2
, etc.). Something like >[^<]*
should work as intended. See Grouping Constructs on MSDN.I'd like to point out a couple of other issues:
>[^<]*
which will be simpler and work exactly the same way. It won't capture any values in the original string, but since you're using it in an ASP.NET validation control this shouldn't matter.RegularExpressionValidator
will only work if the match is successful. In your case, your validation will pass if your textbox contains something like >blah
. I think you want it to work the other way around.>[^<]*
, the regular expression will still not work how I think you intend it to. The validation control tries to match all text in the textbox. So if I enter >blah
in the textbox, it will match, but <b>blah</b>
won't because the regular expression says that the string must start with a >
. I would suggest trying something like .*>.*[^<]*
to allow text before the >
.I managed to find the root cause but not sure what exactly can be the resolution.
Using Firebug Console in FF3.5, run this to trigger all the client-side validator:
for(var _v=0; _v<Page_Validators.length; _v++){
ValidatorValidate(Page_Validators[_v]);
}
then enter some text into the txt
textbox and run the script again, an exception is thrown:
"invalid quantifier ?[^<]*))"
Somehow the regex string can't be parsed by the browser's regex engine. I haven't been able to find the alternative regex for it.
This did the trick for me:
(^[^<>]*$)|(^[^>]*$)|(^[^<]*$)
I wanted to allow the user to be able to use one < or > but not . (This does fail on >anything< but I can live with that)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With