Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

JSLint "insecure ^" in regular expression

JSLint reports Insecure '^' for the following line. Why is that? Or is it just going to complain any time I want to negate a character class?

// remove all non alphanumeric, comma and dash characters "!$7s-gd,&j5d-a#".replace(/[^\w,\-]/g, ''); 
like image 518
Thomas R Avatar asked Nov 05 '10 19:11

Thomas R


1 Answers

It only will do this if you have the option selected at the bottom:

Disallow insecure . and [^...] in /RegExp/ 

From the docs:

true if . and [^...] should not be allowed in RegExp literals. These forms should not be used when validating in secure applications.

So the answer your question, if you start a regex with ^ and it's checked, yes it'll throw the error every time. The issue is with unicode characters, you're allowing pretty much anything in there and there's potential for security issues, or validation bypassing issues. Instead of disallowing something (which can be bypassed), allow only what characters are valid.

like image 133
Nick Craver Avatar answered Oct 03 '22 20:10

Nick Craver