Unsafe URL validation regex
See original GitHub issue
I discovered by accident that the regex used for URL validation is unsafe. Try running the following in your browser console:
/^https?:\/\/([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w\.\(\)%-]*)*\/?$/.test('https://d1qb2nb5cznatu.cloudfront.net/startups/i/262548-4bef7a1950ac2fb9034ca8cc4fd5a44d-medium_jpg.jpg?buster=1399656027')
This will cause your CPU to spike and probably crash your browser. I’m not sure what it is about that particular URL, but it seems to be triggering some sort of bug.
Please consider using the validator.js library instead of re-implementing validation rules. This library is still actively developed, has been through many release cycles since 2013 and is well tested. If you keep maintaining your own rules you will run into issues like that down the road.
Keep up the good work.
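The regex in the report contains a nested quantifier, `([\/\w\.\(\)%-]*)*`, so when the `?buster=...` query string stops the match the engine backtracks through an exponential number of ways to split the preceding path, which is the CPU spike described. The following is an added example, not code from the issue's project or from validator.js: it validates http(s) URLs with the WHATWG URL parser, which runs in linear time, and bounds input length before parsing. The sample inputs and the `MAX_URL_LENGTH` limit are constructed for this example.

```javascript
// Hard bound on input length: even a linear-time parser should not be fed
// unbounded attacker-controlled strings. (Value chosen for this example.)
const MAX_URL_LENGTH = 2048;

// Returns true only for absolute http(s) URLs with a dotted hostname,
// mirroring the intent of the original `https?://host.tld/...` pattern
// without any backtracking regex.
function isValidHttpUrl(input) {
  if (typeof input !== 'string' || input.length > MAX_URL_LENGTH) {
    return false;
  }
  let url;
  try {
    url = new URL(input); // throws on anything that is not an absolute URL
  } catch (e) {
    return false;
  }
  // Allow only web schemes: `new URL('javascript:alert(1)')` parses fine
  // otherwise, so the scheme check must be explicit.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return false;
  }
  // The parser already rejects empty hosts; additionally require `host.tld`
  // like the original regex did (so `http://localhost/` is rejected).
  return url.hostname.includes('.');
}

// The URL from the report, plus constructed negatives for each rejection path.
const SAMPLES = {
  issueUrl: 'https://d1qb2nb5cznatu.cloudfront.net/startups/i/262548-4bef7a1950ac2fb9034ca8cc4fd5a44d-medium_jpg.jpg?buster=1399656027',
  noScheme: 'www.example.com/path',
  badScheme: 'ftp://example.com/file',
  noTld: 'http://localhost/',
  oversized: 'https://example.com/' + 'a'.repeat(3000),
};

for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(name, isValidHttpUrl(value));
}
```

The report's URL returns promptly here because the parser never revisits earlier input; the regex only appears to hang on that input because the `?` forces the failed-match backtracking.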
Issue Analytics
- Created 7 years ago
- Reactions: 1
- Comments: 7 (6 by maintainers)
Top GitHub Comments
OK I added validator to the dev dependencies and I replaced some rules with their implementation, this should allow new rules to be imported from validator.js as well.
@logaretm What do you think about including the credit card validation that validator.js has?