
For this prototype url checker. Note all I'm trying to do is get the length checked at this point.

url:            /:\/\/(www\.)?.{1,200}\..{1,1800}/,

Jslint.com is giving error

Insecure '.'

I had a similar error with this negated character set on this SO post.

Given that background, I think it is obvious jslint does not like allowing all or mostly all as a test pattern.

So, I simply need to replace the . with a valid character set for domains and the part after the domain.

For the domain I can simplify to

[a-zA-Z0-9\-]

What is the character set for the part after the domain, i.e. after foo.com/?

So there is

//

followed by

www.(optional)

followed by

foo.boo.moo. (note it matched up until the last .) (this character set is listed above)

followed by

X

how do I lump all of X together:

http://www.foo.X

I'm not concerned with extracting ports or query information, I just need the character set for everything after the domain, to make the regex "secure" per jslint.

Note, I'm just trying to improve incrementally.

JavaScript, The Good Parts has a good URL checker on the regex chapter, but not what I need right now.

Cœur
  • Have a look at the [RFC](http://www.ietf.org/rfc/rfc1738.txt) and [this blog post](http://www.codinghorror.com/blog/2008/10/the-problem-with-urls.html). – Felix Kling Aug 24 '12 at 23:11
  • @Felix - that is from '94 and '08 –  Apr 24 '13 at 00:34

2 Answers


The regular expression detail you are looking for can be found in this answer on StackOverflow and RFC 3986.

The specific characters and expression for a "host" are: [a-z0-9\-._~%]+

You may want to remember that valid URLs can be in the form of IP addresses (IPv4, IPv6 and IPvFuture), check out the linked RegEx for detail.

Dean Taylor

You don't need to change your regular expression.

If the problem is just that JSLint is complaining about it, you can disable that option.

To test it on jslint.com, look in the Options section for:

[default]  . and [^...] in /RegExp/

and click it to set it to [true].

Then JSLint will accept your regular expression.

Or, you can use a special comment to disable the check. If you paste this test code into JSLint it will accept it without having to change the Option setting manually:

/*jslint regexp: true */
var test = /:\/\/(www\.)?.{1,200}\..{1,1800}/;

Here's the documentation for this option:

Tolerate . and [^...]. in /RegExp/

true if . and [^...] should be allowed in RegExp literals. They match more material than might be expected, allowing attackers to confuse applications. These forms should not be used when validating in secure applications.

It seems unlikely that there is anything "insecure" about the way you are using . in your regular expression, so I would just go ahead and override the JSLint setting.

(I see now that this is a very old question, but maybe this answer will be useful for someone else down the road.)

Michael Geary
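Added example (not part of the question, either answer, or JSLint): the question's pattern run next to an anchored pattern built from explicit character classes, to show the extra material that `.` lets through. The names `looseUrl`, `strictUrl`, `isAcceptableUrl` and `compare`, the http/https-only scheme, the 2048-character overall bound and all sample inputs are assumptions made for this example.

```javascript
// Added example; names and sample inputs are constructed for illustration.

// Pattern from the question: unanchored, and '.' matches any character
// except a line terminator (spaces, quotes and angle brackets included).
const looseUrl = /:\/\/(www\.)?.{1,200}\..{1,1800}/;

// Anchored pattern built from explicit character classes.
// Assumption: http/https only, DNS-style host names, no port or userinfo.
const strictUrl = new RegExp(
    "^https?:\\/\\/" +
    // group 1: dot-separated host labels using the question's [a-zA-Z0-9\-] set
    "((?:[a-zA-Z0-9\\-]+\\.)+[a-zA-Z0-9\\-]+)" +
    // group 2: optional path/query/fragment limited to RFC 3986 characters
    // (unreserved, sub-delims, ':', '@', '/', '?', '#', and '%' for escapes)
    "((?:[\\/?#][a-zA-Z0-9\\-._~%!$&'()*+,;=:@\\/?#]*)?)$"
);

function isAcceptableUrl(s) {
    // Overall length bound before running the regex (2048 is an assumption).
    if (typeof s !== "string" || s.length > 2048) { return false; }
    const m = strictUrl.exec(s);
    // Keep the question's length limits: 200 for the host, 1800 for the rest.
    return m !== null && m[1].length <= 200 && m[2].length <= 1800;
}

// Constructed sample inputs.
const samples = [
    "http://www.example.com/a/b?x=1#top",
    "https://example.com",
    "see ://x.y for details",
    "http://exa mple.com/<b>",
    "http://example.com/a b \"c\""
];

// Returns one row per sample: [input, loose result, strict result].
function compare() {
    return samples.map((s) => [s, looseUrl.test(s), isAcceptableUrl(s)]);
}

console.log(compare());
```

The loose pattern accepts all five inputs; the strict check accepts only the first two. IP-literal hosts and ports are rejected by this sketch and would need their own alternatives.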