Loading ...
Sorry, an error occurred while loading the content.

Re: No RegExp Warning When Used With Replace

Expand Messages
  • douglascrockford
    ... Be consistently disciplined. That would be even nicer.
    Message 1 of 9 , Sep 21, 2012
    • 0 Attachment
      --- In jslint_com@yahoogroups.com, "benxwhite" <ben.a.white@...> wrote:
      >
      >
      > I can understand how . and [^...] might be dangerous in a "match" regular expression, but in a replace I cannot see the harm in them.
      >
      > My typical example would be something like this
      >
      > var phone = myNumber.replace(/[^+0-9]/g, '');
      >
      > In this case, I'm removing all the "dangerous" characters.
      > It would be nice if a regular expression error was not thrown when used with in a replace method.


      Be consistently disciplined. That would be even nicer.
    • benxwhite
      ... Funny, your JSLint code seems to do the exact thing I m suggesting is not a problem.
      Message 2 of 9 , Sep 25, 2012
      • 0 Attachment
        --- In jslint_com@yahoogroups.com, "douglascrockford" <douglas@...> wrote:
        >
        > --- In jslint_com@yahoogroups.com, "benxwhite" <ben.a.white@> wrote:
        > >
        > >
        > > I can understand how . and [^...] might be dangerous in a "match" regular expression, but in a replace I cannot see the harm in them.
        > >
        > > My typical example would be something like this
        > >
        > > var phone = myNumber.replace(/[^+0-9]/g, '');
        > >
        > > In this case, I'm removing all the "dangerous" characters.
        > > It would be nice if a regular expression error was not thrown when used with in a replace method.
        >
        >
        > Be consistently disciplined. That would be even nicer.
        >

        Funny, your JSLint code seems to do the exact thing I'm suggesting is not a problem.

        .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')

        Should I believe your words or your code?
        If I wanted to be "consistently disciplined", what would be the alternative code?
      • douglascrockford
        ... What do you mean by funny? I don t see that statement in JSLint. JSLint does contain: /*jslint evil: true, nomen: true, regexp: true, todo: true */ return
        Message 3 of 9 , Sep 25, 2012
        • 0 Attachment
          --- In jslint_com@yahoogroups.com, "benxwhite" <ben.a.white@...> wrote:
          >
          >
          >
          > --- In jslint_com@yahoogroups.com, "douglascrockford" <douglas@> wrote:
          > >
          > > --- In jslint_com@yahoogroups.com, "benxwhite" <ben.a.white@> wrote:
          > > >
          > > >
          > > > I can understand how . and [^...] might be dangerous in a "match" regular expression, but in a replace I cannot see the harm in them.
          > > >
          > > > My typical example would be something like this
          > > >
          > > > var phone = myNumber.replace(/[^+0-9]/g, '');
          > > >
          > > > In this case, I'm removing all the "dangerous" characters.
          > > > It would be nice if a regular expression error was not thrown when used with in a replace method.
          > >
          > >
          > > Be consistently disciplined. That would be even nicer.
          > >
          >
          > Funny, your JSLint code seems to do the exact thing I'm suggesting is not a problem.
          >
          > .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
          >
          > Should I believe your words or your code?
          > If I wanted to be "consistently disciplined", what would be the alternative code?


          What do you mean by funny? I don't see that statement in JSLint. JSLint does contain:


          /*jslint
          evil: true, nomen: true, regexp: true, todo: true
          */

          return this.replace(/\{([^{}]*)\}/g, function (a, b) {


          Regexps are often used for input validation, and such validators often fail because . and [^ ] will match stuff in surprising ways. So by default, JSLint warns about these. It also provides a switch so that you can turn off the warning in cases where you are not doing input validation and are not concerned with what might be matched.

          So yes, you can do what JSLint does.
        • Joe Hansche
          I m curious because I want to learn: You re saying that regexp . and regexp [^ ] match inconsistently in different browsers, or is there a different
          Message 4 of 9 , Sep 26, 2012
          • 0 Attachment
            I'm curious because I want to learn:

            You're saying that regexp "." and regexp "[^ ]" match inconsistently in
            different browsers, or is there a different "surprising" that you're
            referring to?

            Is the surprising part the ECMAScript definition, or just browsers and
            their rogue implementations?

            I've used these before, and didn't know they were buggy, so if there's
            something weird about these, I'm just curious to know.
            On Sep 25, 2012 12:31 PM, "douglascrockford" <douglas@...> wrote:

            > **
            >
            >
            > --- In jslint_com@yahoogroups.com, "benxwhite" <ben.a.white@...> wrote:
            > >
            > >
            > >
            > > --- In jslint_com@yahoogroups.com, "douglascrockford" <douglas@> wrote:
            > > >
            > > > --- In jslint_com@yahoogroups.com, "benxwhite" <ben.a.white@> wrote:
            > > > >
            > > > >
            > > > > I can understand how . and [^...] might be dangerous in a "match"
            > regular expression, but in a replace I cannot see the harm in them.
            > > > >
            > > > > My typical example would be something like this
            > > > >
            > > > > var phone = myNumber.replace(/[^+0-9]/g, '');
            > > > >
            > > > > In this case, I'm removing all the "dangerous" characters.
            > > > > It would be nice if a regular expression error was not thrown when
            > used with in a replace method.
            > > >
            > > >
            > > > Be consistently disciplined. That would be even nicer.
            > > >
            > >
            > > Funny, your JSLint code seems to do the exact thing I'm suggesting is
            > not a problem.
            > >
            > >
            > .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,
            > ']')
            > >
            > > Should I believe your words or your code?
            > > If I wanted to be "consistently disciplined", what would be the
            > alternative code?
            >
            > What do you mean by funny? I don't see that statement in JSLint. JSLint
            > does contain:
            >
            > /*jslint
            > evil: true, nomen: true, regexp: true, todo: true
            > */
            >
            > return this.replace(/\{([^{}]*)\}/g, function (a, b) {
            >
            > Regexps are often used for input validation, and such validators often
            > fail because . and [^ ] will match stuff in surprising ways. So by default,
            > JSLint warns about these. It also provides a switch so that you can turn
            > off the warning in cases where you are not doing input validation and are
            > not concerned with what might be matched.
            >
            > So yes, you can do what JSLint does.
            >
            >
            >


            [Non-text portions of this message have been removed]
          • Felix E. Klee
            ... Where they refers to: [^...] .
            Message 5 of 9 , Sep 26, 2012
            • 0 Attachment
              Excerpt from <http://www.jslint.com/lint.html>:

              > They match more material than might be expected, allowing attackers to
              > confuse applications. These forms should not be used when validating
              > in secure applications.

              Where "they" refers to:

              [^...]
              .
            • Joe Hansche
              ... Thanks. Though, I thought Douglas pushes for competent scripts, and people who know what they re doing ? I, for one, understand what . and [^...]
              Message 6 of 9 , Sep 26, 2012
              • 0 Attachment
                On Sep 26, 2012 5:26 AM, "Felix E. Klee" <felix.klee@...> wrote:
                >
                >
                >
                > Excerpt from <http://www.jslint.com/lint.html>:
                >
                > > They match more material than might be expected, allowing attackers to
                > > confuse applications. These forms should not be used when validating
                > > in secure applications.

                Thanks.

                Though, I thought Douglas pushes for "competent" scripts, and people who
                "know what they're doing"? I, for one, understand what '.' and '[^...]'
                match, and it is not more than "might be expected," because I know what to
                expect. Not sure why this would be "confusing" ... If you use regexp, then
                you should know what it will match.

                >
                > Where "they" refers to:
                >
                > [^...]
                > .
                >
                >


                [Non-text portions of this message have been removed]
              • Felix E. Klee
                ... You could apply that to any of the rules that JSLint enforces: If you use X, then you should know what it will Y.
                Message 7 of 9 , Sep 26, 2012
                • 0 Attachment
                  On Wed, Sep 26, 2012 at 6:15 PM, Joe Hansche <madcoder@...> wrote:
                  > If you use regexp, then you should know what it will match.

                  You could apply that to any of the rules that JSLint enforces:

                  If you use X, then you should know what it will Y.
                • Joe Hansche
                  ... I agree :) Yet, JSLint specifically makes that assumption regarding allowing this in a function expression. ... [Non-text portions of this message have
                  Message 8 of 9 , Sep 26, 2012
                  • 0 Attachment
                    On Sep 26, 2012 12:22 PM, "Felix E. Klee" <felix.klee@...> wrote:
                    >
                    >
                    >
                    > On Wed, Sep 26, 2012 at 6:15 PM, Joe Hansche <madcoder@...> wrote:
                    > > If you use regexp, then you should know what it will match.
                    >
                    > You could apply that to any of the rules that JSLint enforces:
                    >
                    > If you use X, then you should know what it will Y.

                    I agree :)

                    Yet, JSLint specifically makes that assumption regarding allowing "this" in
                    a function expression.

                    >
                    >


                    [Non-text portions of this message have been removed]
                  Your message has been successfully submitted and would be delivered to recipients shortly.