
Re: Bug in rhino.js

  • pauanyu
    Message 1 of 7, Sep 13, 2009
      --- In jslint_com@yahoogroups.com, "tsepez" <tsepez@...> wrote:
      >
      > In addition to .* , you might want to flag things of the form [^x]* , which tend to match more than expected -- yes, I've been burned by this before.
      >

      Why? [^x]* matches everything except for x. When it says "everything" it means EVERYthing. That is the exact literal and precise interpretation of it. If you don't want that broad of scale, use something different, like [abc]*

      Would we need an option saying "tolerate regular expressions that contain imprecise (but very useful) expressions"?

      There are a bunch of regular expressions that literally NEED the form [^x]*. Consider matching a string, for instance:

      /"(?:\\"|[^"])*"/

      In this case the [^"] part is very necessary. You can't use a lazy star because of escapement. Just keep in mind that when you have a regular expression that has the form [^x] it means, *ANYTHING* other than 'x'. If you don't want to select *ANYTHING* other than 'x', then use a different form. That's what they're there for.

      Why would you expect [^x]* to mean something other than "anything except x"?
    • douglascrockford
      Message 2 of 7, Sep 13, 2009
        --- In jslint_com@yahoogroups.com, "tsepez" <tsepez@...> wrote:
        >
        > --- In jslint_com@yahoogroups.com, "douglascrockford" <douglas@> wrote:
        > >
        > > --- In jslint_com@yahoogroups.com, "jagarenbraperson" <jagarenbraperson@> wrote:

        > > > I also have a question: why not the dot in regexps?

        > > In secure input validation applications, . is an invitation to sloppiness, and sloppiness aids the enemy. The . tends to match more than you expect, and so can create holes.
        > >
        > In addition to .* , you might want to flag things of the form [^x]* , which tend to match more than expected -- yes, I've been burned by this before.

        Good point. I have been burned too.
      • iain_dalton
        Message 3 of 7, Sep 17, 2009
          douglascrockford wrote:
          >
          > tsepez wrote:
          >
          > > In addition to .* , you might want to flag things of the form [^x]* , which tend to match more than expected -- yes, I've been burned by this before.
          >
          > Good point. I have been burned too.

          I think you should have a more verbose message than "unexpected '.'". There are real-life situations where . is probably OK, like a Greasemonkey script that pulls the name after the # out of a URL with /.*#(.*)/.exec(url)[1].
        • Douglas Crockford
          Message 4 of 7, Sep 18, 2009
            --- In jslint_com@yahoogroups.com, "iain_dalton" <iain.dalton@...> wrote:
            >
            > douglascrockford wrote:
            > >
            > > tsepez wrote:
            > >
            > > > In addition to .* , you might want to flag things of the form [^x]* , which tend to match more than expected -- yes, I've been burned by this before.
            > >
            > > Good point. I have been burned too.
            >
            > I think you should have a more verbose message than "unexpected '.'". There are real-life situations where . is probably OK

            Good. So it now warns about insecure, rather than unexpected, usage.
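
The over-matching discussed in this thread, as an added example that is not part of the original messages and is not JSLint's own code: a small scanner that flags unescaped `.` and `[^...]` in a regex source, plus a check of what a `[^"]*` validator accepts that an explicit allow-list does not. The function names, the allow-list policy and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example: not JSLint's implementation. All names and inputs are constructed.

// Scan a regex source for unescaped "." and negated classes "[^...]",
// the two forms this thread says match more than expected.
function findBroadMatchers(source) {
  const findings = [];
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === "\\") { i++; continue; }        // skip the escaped character
    if (inClass) {
      if (ch === "]") inClass = false;         // "." inside a class is a literal
      continue;
    }
    if (ch === "[") {
      inClass = true;
      if (source[i + 1] === "^") findings.push({ index: i, kind: "negated class" });
    } else if (ch === ".") {
      findings.push({ index: i, kind: "dot" });
    }
  }
  return findings;
}

// Inputs that a broad validator accepts but an explicit allow-list rejects.
function overMatches(broad, strict, inputs) {
  return inputs.filter((s) => broad.test(s) && !strict.test(s));
}

// "Anything except a quote" also admits line terminators and control
// characters; "." at least excludes line terminators unless the s flag is set.
const broadQuoted = /^"[^"]*"$/;
const strictQuoted = /^"[A-Za-z0-9 _-]{0,32}"$/; // assumed policy for a name field
const samples = ['"plain name"', '"two\nlines"', '"nul\u0000byte"', '"a<b>c"'];

console.log(findBroadMatchers(broadQuoted.source));
console.log(overMatches(broadQuoted, strictQuoted, samples).map((s) => JSON.stringify(s)));
```
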