Reputation: 19153
JSLint reports "Insecure ^" for my regex -- what does that mean?
I'm trying to get my Javascript code 100% JSLint clean.
I've got a regular expression:
linkRgx = /https?:\/\/[^\s;|\\*'"!,()<>]+/g;
JSLint reports:
Insecure '^'
What makes the use of the negation of the character set "insecure" ?
Upvotes: 9
Views: 4931
Answers (3)
Reputation: 2910
You should use:
/*jslint regexp: true*/
linkRgx = /https?:\/\/[^\s;|\\*'"!,()<>]+/g;
/*jslint regexp: false*/
Upvotes: 0
Reputation: 19153
(answering my own question) I did some digging... JSLint documentation says:
Disallow insecure . and [^...]. in /RegExp/ regexp: true if . and [^...] should not be allowed in RegExp literals. These forms should not be used when validating in secure applications.
What I have done is disable the JSLint error for the offending line (as I'm not dealing with needing to be secure from potentially malicious user input:
/*jslint regexp: false*/
.... Javascript statement(s) ....
/*jslint regexp: true*/
Upvotes: 5
Reputation: 75242
[^\s;|\\*'"!,()<>] matches any ASCII character other than the ones listed, and any non-ASCII character. Since JavaScript strings are Unicode-aware, that means every character known to Unicode. I can see a lot of potential for mischief there.
Rather than disable the warning, I would rewrite the character class to match the characters you do want to allow, as this regex from the Regular Expressions Cookbook does:
/\bhttps?:\/\/[-\w+&@#/%?=~|$!:,.;]*[\w+&@#/%=~|$]/g
Upvotes: 8
Related Questions
- JSLint - Unexpected '\' before '.'
- What's wrong with this regex? JSLint is throwing an error
- JSLint "insecure ^" in regular expression
- Is there a way to make JSLint happy with this regex?
- Insecure '^' jshint issue
- JSLint Regexp Violation Quandry
- Why does JSLint report 'bad escapement' on this code?
- Unescaped '^' with jslint
- Purpose of JSLint "disallow insecure in regex" option
- Why does JSLint returns 'bad escapement' on this line of code?