Andreas Schwarz
2006-Jul-28 17:28 UTC
[Rails] Nasty pitfall: don't use ^ and $ in validation regexes!
Let's say you want to validate that an attribute contains only 2-10 lowercase characters, e.g. with validates_format_of. The appropriate regex is obviously /^[a-z]{2,10}$/, right?

Wrong! Try it with "abc\nANYTHING YOU LIKE" - this is perfectly valid. On the second look the reason is clear: ^ matches the start of a line, $ matches the end of a line. So as long as one line in the input matches, the string is accepted, although it could contain absolute rubbish. Chances are good that this will never happen, but when it does it can create really interesting problems or in the worst case allow XSS/SQL injection attacks.

The solution is to use \A and \Z instead of ^ and $: /\A[a-z]{2,10}\Z/

-- Posted via http://www.ruby-forum.com/.
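The following is an added example, not code from the original post, that runs the thread's two patterns side by side over a few constructed inputs. It also includes a third pattern using \z (lowercase), which is not in the post: in Ruby, \Z matches at the very end of the string or just before a final newline, whereas \z matches only at the absolute end, so a value such as "abc\n" still passes the \A...\Z pattern but fails the \A...\z one. Note that in Ruby ^ and $ are always line anchors, no multiline flag required, which is why the pitfall bites by default.

```ruby
# Added example (not from the original post). Demonstrates why ^/$ are
# line anchors in Ruby and how \A/\Z (and the stricter \z) differ.

# The pattern from the thread: ^ and $ match at line boundaries.
LINE_ANCHORED   = /^[a-z]{2,10}$/
# The fix from the thread: \A = start of string, \Z = end of string
# OR just before a trailing newline.
STRING_ANCHORED = /\A[a-z]{2,10}\Z/
# Stricter variant (added here, not in the post): \z = absolute end of
# string, so a trailing newline is rejected as well.
STRICT_ANCHORED = /\A[a-z]{2,10}\z/

# Evaluate one value against all three patterns.
# Returns a hash of booleans keyed by anchor style.
def check(value)
  {
    line:   !LINE_ANCHORED.match(value).nil?,
    string: !STRING_ANCHORED.match(value).nil?,
    strict: !STRICT_ANCHORED.match(value).nil?,
  }
end

# Constructed sample inputs: the first is the only one that should be
# accepted by a "2-10 lowercase letters" rule.
SAMPLES = [
  "abc",                    # clean value
  "abc\nANYTHING YOU LIKE", # the post's example: rubbish after a valid line
  "ANYTHING\nabc",          # rubbish before a valid line
  "abc\n",                  # valid value with a trailing newline
  "ab1",                    # digit, must fail everywhere
  "a",                      # too short, must fail everywhere
]

# Build a table of results for every sample (used by the report below).
def results
  SAMPLES.each_with_object({}) { |value, acc| acc[value] = check(value) }
end

# Print the comparison when run directly: ruby anchors_example.rb
if __FILE__ == $PROGRAM_NAME
  printf("%-26s %-6s %-6s %-6s\n", "input", "^..$", "\\A..\\Z", "\\A..\\z")
  results.each do |value, r|
    printf("%-26s %-6s %-6s %-6s\n", value.inspect, r[:line], r[:string], r[:strict])
  end
end
```

Running it shows that the ^/$ pattern accepts every sample except the last two, while \A/\Z rejects the embedded-newline inputs but still lets "abc\n" through; only \A/\z accepts exactly the clean value.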
Jack Christensen
2006-Jul-31 13:49 UTC
[Rails] Nasty pitfall: don't use ^ and $ in validation regexes!
Andreas Schwarz wrote:
> Let's say you want to validate that an attribute contains only 2-10
> lowercase characters, e.g. with validates_format_of. The appropriate
> regex is obviously /^[a-z]{2,10}$/, right?
>
> Wrong! Try it with "abc\nANYTHING YOU LIKE" - this is perfectly valid.
> On the second look the reason is clear: ^ matches the start of a line, $
> matches the end of a line. So as long as one line in the input matches,
> the string is accepted, although it could contain absolute rubbish.
> Chances are good that this will never happen, but when it does it can
> create really interesting problems or in the worst case allow XSS/SQL
> injection attacks.
>
> The solution is to use \A and \Z instead of ^ and $:
> /\A[a-z]{2,10}\Z/

Good to know, thanks for the tip.

-- Jack Christensen jackc@hylesanderson.edu