JSLint“不安全^”在正则表达式中 [英] JSLint "insecure ^" in regular expression

问题描述

JSLint报告以下行的不安全的^。这是为什么？或者只是在我想要否定角色类时抱怨？

JSLint reports Insecure '^' for the following line. Why is that? Or is it just going to complain any time I want to negate a character class?

// remove all non alphanumeric, comma and dash characters
"!$7s-gd,&j5d-a#".replace(/[^\w,\-]/g, '');

推荐答案

只有选择了选项才能执行此操作在底部：

It only will do this if you have the option selected at the bottom:

Disallow insecure . and [^...] in /RegExp/

来自文档：

如果是，则为true。在RegExp文字中不应该允许[^ ...]。在安全应用程序中进行验证时，不应使用这些表单。

true if . and [^...] should not be allowed in RegExp literals. These forms should not be used when validating in secure applications.

如果您使用<$ c启动正则表达式，请回答您的问题$ c> ^ 并且已经检查过，是的，它每次都会抛出错误。问题在于unicode字符，你几乎可以在那里使用任何东西，并且有可能出现安全问题或验证绕过问题。而不是禁止某些东西（可以被绕过），允许只有哪些字符有效。

So the answer your question, if you start a regex with ^ and it's checked, yes it'll throw the error every time. The issue is with unicode characters, you're allowing pretty much anything in there and there's potential for security issues, or validation bypassing issues. Instead of disallowing something (which can be bypassed), allow only what characters are valid.

这篇关于JSLint“不安全^”在正则表达式中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！