JSLint "insecure ^" in regular expression

javascript regex jslint regex-negation
Thomas R picture Thomas R · Nov 5, 2010 · Viewed 16.9k times · Source

JSLint reports Insecure '^' for the following line. Why is that? Or is it just going to complain any time I want to negate a character class?

// remove all non alphanumeric, comma and dash characters
"!$7s-gd,&j5d-a#".replace(/[^\w,\-]/g, '');

Answer

Nick Craver picture Nick Craver · Nov 5, 2010

It only will do this if you have the option selected at the bottom: 

Disallow insecure . and [^...] in /RegExp/

From the docs:

true if . and [^...] should not be allowed in RegExp literals. These forms should not be used when validating in secure applications.

So the answer your question, if you start a regex with ^ and it's checked, yes it'll throw the error every time. The issue is with unicode characters, you're allowing pretty much anything in there and there's potential for security issues, or validation bypassing issues. Instead of disallowing something (which can be bypassed), allow only what characters are valid.

Related questions

How to split a long regular expression into multiple lines in JavaScript?

I have a very long regular expression, which I wish to split into multiple lines in my JavaScript code to keep each line length 80 characters according to JSLint rules. It's just better for reading, I think. Here's pattern sample: var …

Read More
How to validate an email address in JavaScript

Is there a regular expression to validate an email address in JavaScript?

Read More
Check whether a string matches a regex in JS

I want to use JavaScript (can be with jQuery) to do some client-side validation to check whether a string matches the regex: ^([a-z0-9]{5,})$ Ideally it would be an expression that returned true or false. I'm a JavaScript newbie, does …

Read More