JSLint的目的“不允许不安全的regex”选项。

时间:2021-05-05 05:01:11

I have a line of code that gets the following error when run through JSLint:

我有一行代码,在使用JSLint时得到如下错误:

Lint at line 604 character 48: Insecure '^'.
numExp = parseInt(val[1].replace(/[^\-+\d]/g, ""), 10);

This error seems to refer to the following description from JSLint's option page:

这个错误似乎引用了JSLint的选项页面的以下描述:

"true if . and [^...]  should not be allowed in RegExp literals.
These forms should not be used when validating in secure applications."

I don't quite understand how a client-side javascript application can really be considered secure. Even with the most airtight regex, it's still possible to fire up something like firebug and change the variable anyway. The real input validation should be done on the server, and the client browser should probably stick with validation that will handle the abuse of your average user.

我不太理解客户端javascript应用程序是如何被认为是安全的。即使使用了最严密的regex,仍然可以启动firebug之类的东西并修改变量。真正的输入验证应该在服务器上完成,客户端浏览器可能应该坚持使用验证来处理普通用户的滥用。

Is it safe to ignore this error? Am I missing an angle here where my application will be insecure because of client-side input validation?

忽略这个错误安全吗?在这里,我是否缺少一个角度,使我的应用程序由于客户端输入验证而变得不安全?

2 个解决方案

#1


30  

"Insecure" means "unspecific" in this context. Both the dot . and the exclusive range [^…] are not clearly defining what should be matched by the regex. For validation purposes, this can propose the risk of successfully matching stuff that you did not think of and do not want (think: white-listing vs. black-listing).

在这种情况下,“不安全”指的是“不特定的”。这两个点。和专属范围[^…]并不明确地定义应该由正则表达式匹配。出于验证目的,这可能会导致成功匹配您没有考虑过和不想要的内容的风险(请考虑:白名单与黑名单)。

In any case, dot and exclusive range are valid parts of a regular expression, and if they do what you need (like in this case), I would think of the warning as over-cautious.

在任何情况下,点和独占范围都是正则表达式的有效部分,如果它们执行了您需要的操作(如本例中所示),我将认为警告过于谨慎。

A malicious user can fiddle with your page logic any time; the warning is more about the regular operation of the page.

恶意用户可以随时篡改您的页面逻辑;警告更多的是关于页面的常规操作。

#2


14  

All it's trying to tell you is that it's generally better to specify what can be entered instead of what can't.

它试图告诉你的是,通常最好指定可以输入的内容,而不是不能输入的内容。

In this case, your regex is actually stripping out bad characters, so it's safe to ignore the warning.

在这种情况下,您的regex实际上删除了坏字符,因此可以安全地忽略警告。

#1


30  

"Insecure" means "unspecific" in this context. Both the dot . and the exclusive range [^…] are not clearly defining what should be matched by the regex. For validation purposes, this can propose the risk of successfully matching stuff that you did not think of and do not want (think: white-listing vs. black-listing).

在这种情况下,“不安全”指的是“不特定的”。这两个点。和专属范围[^…]并不明确地定义应该由正则表达式匹配。出于验证目的,这可能会导致成功匹配您没有考虑过和不想要的内容的风险(请考虑:白名单与黑名单)。

In any case, dot and exclusive range are valid parts of a regular expression, and if they do what you need (like in this case), I would think of the warning as over-cautious.

在任何情况下,点和独占范围都是正则表达式的有效部分,如果它们执行了您需要的操作(如本例中所示),我将认为警告过于谨慎。

A malicious user can fiddle with your page logic any time; the warning is more about the regular operation of the page.

恶意用户可以随时篡改您的页面逻辑;警告更多的是关于页面的常规操作。

#2


14  

All it's trying to tell you is that it's generally better to specify what can be entered instead of what can't.

它试图告诉你的是,通常最好指定可以输入的内容,而不是不能输入的内容。

In this case, your regex is actually stripping out bad characters, so it's safe to ignore the warning.

在这种情况下,您的regex实际上删除了坏字符,因此可以安全地忽略警告。