Nasty pitfall: don't use ^ and $ in validation regexes!

Let’s say you want to validate that an attribute contains only 2-10
lowercase characters, e.g. with validates_format_of. The appropriate
regex is obviously /^[a-z]{2,10}$/, right?

Wrong! Try it with “abc\nANYTHING YOU LIKE” - this is perfectly valid.
On second look the reason is clear: ^ matches the start of a line, $
matches the end of a line. So as long as one line in the input matches,
the string is accepted, although it could contain absolute rubbish.
Chances are good that this will never happen, but when it does it can
create really interesting problems or in the worst case allow XSS/SQL
injection attacks.

The solution is to use \A and \Z instead of ^ and $:
/\A[a-z]{2,10}\Z/
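As an added illustration (not part of the original post), the following Ruby snippet runs the line-anchored and string-anchored patterns over a few constructed inputs; it also includes \z, since Ruby's \Z still accepts one trailing newline, which matters when the field must be exactly 2-10 letters. The valid? helper and the sample strings are assumptions made for the demo, not Rails code.

```ruby
# Added example: compare ^/$ with \A/\Z and \A/\z on multi-line input.
# Ruby regex semantics; the helper mirrors what validates_format_of
# does with :with (attribute value matched against the pattern).

LINE_ANCHORED   = /^[a-z]{2,10}$/     # ^ and $ match at line boundaries
STRING_ANCHORED = /\A[a-z]{2,10}\Z/   # \Z also matches before a final "\n"
STRICT_ANCHORED = /\A[a-z]{2,10}\z/   # \z is the absolute end of the string

# Returns true when the value is accepted by the given pattern.
def valid?(value, pattern)
  !(value =~ pattern).nil?
end

# Constructed inputs: a clean value, the smuggling case from the post,
# a payload on the first line, a trailing newline, and uppercase text.
SAMPLES = [
  "abc",
  "abc\nANYTHING YOU LIKE",
  "<script>\nabc",
  "abc\n",
  "ABC",
].freeze

# Maps each sample to its acceptance under one pattern.
def results(pattern)
  SAMPLES.map { |s| [s, valid?(s, pattern)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  { "^...$" => LINE_ANCHORED,
    "\\A...\\Z" => STRING_ANCHORED,
    "\\A...\\z" => STRICT_ANCHORED }.each do |label, pattern|
    puts "#{label}:"
    results(pattern).each { |s, ok| puts "  #{s.inspect} => #{ok}" }
  end
end
```

Rails 4 and later raise an ArgumentError when validates_format_of is given a ^/$ anchored regex without the multiline: true option, so the line-anchored version is rejected at class load time there.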

Andreas S. wrote:

injection attacks.

The solution is to use \A and \Z instead of ^ and $:
/\A[a-z]{2,10}\Z/

Good to know, thanks for the tip.


Jack C.