3

jslint flags the following code of mine as not secure:

/([^\n]+)([\n\s]*)/g

Later I learned there is a lint option:

". and [^...] in /RegExp/"

which you can find over here

Why is it not secure?

DanMan
Nicolas S.Xu
  • Provide the whole reproducible code chunk so that we could see that as well. – zerkms Jan 06 '15 at 04:08
  • 1
    This would be a better duplicate: http://stackoverflow.com/a/4109254/251311 – zerkms Jan 06 '15 at 04:10
  • @Mörre it at least refers to the official documentation and cites it – zerkms Jan 06 '15 at 04:12
  • @zerkms Why? They all say the same thing. Pick any. You link to an answer - which is not a duplicate, you have to link to a question :) My link cites the jslint doc, as you seem to have overlooked. There is nothing else to gain. It does not matter. Pick any. Why are we having this conversation? – Mörre Jan 06 '15 at 04:13
  • 1
    Am I the only one who thinks that JSLint tries to do much more work than it was intended to do? (not to mention it does it in a terrible manner) – zerkms Jan 06 '15 at 04:16
  • js lint is designed to guard against human mistakes and unreadable syntax, not errors or security risks – dandavis Jan 06 '15 at 04:18
  • 1
    @dandavis: seems like it also tries to check the security as well. I will not be surprised if one day it will complain on grammar in code comments – zerkms Jan 06 '15 at 04:19
  • 1
    @zerkms I agree, jshint is much better. Magic warnings like this give developers a false sense of security. It would only be insecure in certain contexts. – Alexander O'Mara Jan 06 '15 at 04:20

1 Answer

2

The problem is with the [^...] character: you're allowing almost anything in your regex, and jshint detects a security risk.

This is what the jslint docs say about [^...]:

true if . and [^...] should be allowed in RegExp literals. They match more material than might be expected, allowing attackers to confuse applications. These forms should not be used when validating in secure applications.

ianaya89
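An added example, not code from the question or the answer, showing what the docs mean by "match more material than might be expected": a validator built on the negated class [^\n] accepts a carriage return, a NUL byte and markup, while an explicit allowlist (an assumption about the intended input, since the page does not state it) does not.

```javascript
// Added example (not from the question or the answer). A negated class
// such as [^\n] accepts every character except newline, so a validator
// built on it also accepts characters the author never thought about.

// Validator in the spirit of the question's regex: "one or more
// non-newline characters", anchored so it is a whole-string check.
const negatedClassValidator = /^[^\n]+$/;

// Allowlist alternative. The allowed set is an assumption about the
// intended input (a printable ASCII line); the page does not specify it.
const allowlistValidator = /^[A-Za-z0-9 .,!?'-]+$/;

function accepts(regex, value) {
  return regex.test(value);
}

// Constructed inputs: one benign line and three that a negated class
// lets through but an allowlist rejects.
const samples = {
  plain: 'hello world',
  carriageReturn: 'hello\rworld',        // \r is not \n, so [^\n] takes it
  nulByte: 'hello\u0000world',           // control character passes too
  markup: '<b>not plain text</b>',       // HTML passes straight through
};

// Returns, per sample, which validator accepts it.
function compareValidators(inputs = samples) {
  const report = {};
  for (const [name, value] of Object.entries(inputs)) {
    report[name] = {
      negatedClass: accepts(negatedClassValidator, value),
      allowlist: accepts(allowlistValidator, value),
    };
  }
  return report;
}

// The question's own global regex: [^\n]+ swallows a trailing \r, and the
// second group [\n\s]* is redundant because \s already contains \n.
const questionRegex = /([^\n]+)([\n\s]*)/g;
function firstGroups(input) {
  questionRegex.lastIndex = 0;   // global regexes keep state between calls
  const out = [];
  let m;
  while ((m = questionRegex.exec(input)) !== null) out.push(m[1]);
  return out;
}

console.log(compareValidators());
console.log(firstGroups('a\r\nb'));  // → [ 'a\r', 'b' ]
```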