Nasty pitfall: don't use ^ and $ in validation regexes!

Let’s say you want to validate that an attribute contains only 2-10
lowercase characters, e.g. with validates_format_of. The appropriate
regex is obviously /^[a-z]{2,10}$/, right?

Wrong! Try it with “abc\nANYTHING YOU LIKE” - this is perfectly valid.
On the second look the reason is clear: ^ matches the start of a line, $
matches the end of a line. So as long as one line in the input matches,
the string is accepted, although it could contain absolute rubbish.
Chances are good that this will never happen, but when it does it can
create really interesting problems or in the worst case allow XSS/SQL
injection attacks.

The solution is to use \A and \Z instead of ^ and $:
/\A[a-z]{2,10}\Z/

Andreas S. wrote:

injection attacks.

The solution is to use \A and \Z instead of ^ and $:
/\A[a-z]{2,10}\Z/

Good to know, thanks for the tip.


Jack C.
[email protected]

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs