RegExp \A \z doesn't work, but that's what Rails 4 requires

I recently switched to Rails 4 and the security requirements no longer seem to allow the use of regular expressions in the style of /^..$/. The error states that regular expressions should instead be written in the style of /\A..\z/. Making this change seems to resolve all of my server-side validation issues, but unfortunately it also broke all of my client-side validation in JavaScript.

A simple example. I want to validate a username to be letters, numbers, or periods.

The old regex looked like /^[0-9a-zA-Z.]+$/ and worked both server side (Rails 3.x) and client side

new RegExp( /^[0-9a-zA-Z.]+$/ ).test('myuser.name') // true

The new regex looks like /\A[0-9a-zA-Z.]+\z/ and works server side but fails client side

new RegExp( /\A[0-9a-zA-Z.]+\z/ ).test('myser.name') // false

So I'm clearly doing something wrong, but I can't seem to find any explanations. I checked that \A..\z are valid regex to make sure that it's not some Rails-specific hack and it seems to be legit.

Any ideas?



Solution 1:[1]

JavaScript does not support \A or \z in its RegExp.

Here's some raw data, first for JavaScript:

var a = "hello\nworld"
(/^world/).test(a) // false
(/^world/m).test(a) // true
(/hello$/).test(a) // false
(/hello$/m).test(a) // true

Next, for Ruby:

a = "hello\nworld"
a.match(/^world/) # => #<MatchData "world">
a.match(/\Aworld/) # => nil
a.match(/hello$/) # => #<MatchData "hello">
a.match(/hello\z/) # => nil

From this, we see that Ruby's \A and \z are equivalent to JavaScript's ^ and $ as long as you don't use the multiline m modifier. If you are concerned about the input having multiple lines, you're simply going to have to translate your regular expressions between these two languages with respect to these matching characters.
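One way to do the translation this answer describes, as an added example that is not part of the original answer: it rewrites Ruby's string anchors in a pattern source into JavaScript equivalents and compiles the result without the m flag. The function names and sample inputs are hypothetical, and the pattern is assumed not to use these escapes inside a character class.

```javascript
// Added example: translate Ruby string anchors in a pattern source into
// JavaScript equivalents. Function names are hypothetical.
function rubyAnchorsToJs(source) {
  let out = '';
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch !== '\\' || i + 1 >= source.length) {
      out += ch;
      continue;
    }
    // Consume the backslash and the next character as a pair, so an escaped
    // backslash followed by a literal "A" is never mistaken for the \A anchor.
    const next = source[++i];
    if (next === 'A') out += '^';               // start of string
    else if (next === 'z') out += '$';          // very end of string
    else if (next === 'Z') out += '(?=\\n?$)';  // end, or before one final newline
    else out += ch + next;                      // any other escape, e.g. \d or \.
  }
  return out;
}

// Compile without the "m" flag: with it, ^ and $ would match at every line
// break, which is the behaviour of Ruby's ^ and $ that \A and \z avoid.
function compileRubyPattern(source) {
  return new RegExp(rubyAnchorsToJs(source));
}

// Constructed sample inputs using the username rule from the question.
const username = compileRubyPattern('\\A[0-9a-zA-Z.]+\\z');
console.log(username.source);
console.log(username.test('myuser.name'));
console.log(username.test('myuser.name\nsecond.line'));
console.log(username.test('myuser.name\n'));
```

Client-side checks like this only improve feedback to the user; the server-side \A..\z validation remains the one that decides what is accepted.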

Solution 2:[2]

As a workaround for the lack of \A\a \Z\z support, you can add a "sentinel" character (or characters) to the end of the input string.

Please note that:

  1. the sentinel character(s) should be something with a very low chance of being used in the input string.
  2. it should not be used in sensitive stuff (such as user verification or something) since a workaround like this can be easily exploited.

In this specific case, since only [0-9a-zA-Z.] are allowed, something like ¨ or ~ is ok.

Example:

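let inputString = 'myuser.name';
// Wrap the input in sentinels that stand in for \A and \z
inputString = '¨0' + inputString + '¨1';
let result = new RegExp( /¨0[0-9a-zA-Z.]+(?=¨1)/ ).test(inputString);
// Strip the sentinels again; replace() returns a new string, so assign it
inputString = inputString.replace(/^¨0/, '').replace(/¨1$/, '');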

If you're worried that, for some reason, the input string might have the selected characters you're using, you can escape them.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Tivie