http://simonwillison.net/2010-07-04T18:23:00+00:00Simon Willison2010-07-04T18:23:00+00:002010-07-04T18:23:00+00:00https://simonwillison.net/2010/Jul/4/escaping/#atom-tag

<p><strong><a href="http://simonwillison.net/2006/Jan/20/escape/#p-6">Escaping regular expression characters in JavaScript (updated)</a></strong></p> The JavaScript regular expression meta-character escaping code I posted back in 2006 has some serious flaws—I’ve just posted an update to the original post. <p>Tags: <a href="https://simonwillison.net/tags/escaping">escaping</a>, <a href="https://simonwillison.net/tags/javascript">javascript</a>, <a href="https://simonwillison.net/tags/regular-expressions">regular-expressions</a>, <a href="https://simonwillison.net/tags/recovered">recovered</a></p>

2009-12-15T22:10:29+00:002009-12-15T22:10:29+00:00https://simonwillison.net/2009/Dec/15/unicode/#atom-tag

<p><strong><a href="http://rishida.net/tools/conversion/">Unicode code converter</a></strong></p> Fantastically useful tool to convert strings of characters in to every unicode and/or escaping syntax you can possibly imagine. <p><small></small>Via <a href="http://open.blogs.nytimes.com/2009/12/15/what-were-trolling/">NYTimes Open Blog</a></small></p> <p>Tags: <a href="https://simonwillison.net/tags/escaping">escaping</a>, <a href="https://simonwillison.net/tags/tools">tools</a>, <a href="https://simonwillison.net/tags/unicode">unicode</a></p>

2009-04-14T09:26:04+00:002009-04-14T09:26:04+00:00https://simonwillison.net/2009/Apr/14/contextaware/#atom-tag

<p><strong><a href="http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html">Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems</a></strong></p> The Google Online Security Blog reminds us that simply HTML-escaping everything isn’t enough—the type of escaping needed depends on the current markup context, for example variables inside JavaScript blocks should be escaped differently. Google’s open source Ctemplate library uses an HTML parser to keep track of the current context and apply the correct escaping function automatically. <p><small></small>Via <a href="http://www.reddit.com/r/programming/comments/8c6os/hacker_targets_twitter_to_teach_the_company_a/c08u1k8">taviso</a></small></p> <p>Tags: <a href="https://simonwillison.net/tags/ctemplate">ctemplate</a>, <a href="https://simonwillison.net/tags/django">django</a>, <a href="https://simonwillison.net/tags/escaping">escaping</a>, <a href="https://simonwillison.net/tags/google">google</a>, <a href="https://simonwillison.net/tags/html">html</a>, <a href="https://simonwillison.net/tags/open-source">open-source</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/xss">xss</a></p>

2006-01-20T12:19:13+00:002006-01-20T12:19:13+00:00https://simonwillison.net/2006/Jan/20/escape/#atom-tag

<p id="p-0">JavaScript's support for regular expressions is generally pretty good, but there is one notable omission: an escaping mechanism for literal strings. Say for example you need to create a regular expression that removes a specific string from the end of a string. If you know the string you want to remove when you write the script this is easy:</p> <div class="highlight highlight-source-js"><pre><span class="pl-k">var</span> <span class="pl-s1">newString</span> <span class="pl-c1">=</span> <span class="pl-s1">oldString</span><span class="pl-kos">.</span><span class="pl-en">replace</span><span class="pl-kos">(</span><span class="pl-pds"><span class="pl-c1">/</span><span class="pl-s">R</span><span class="pl-s">e</span><span class="pl-s">m</span><span class="pl-s">o</span><span class="pl-s">v</span><span class="pl-s">e</span><span class="pl-s"> </span><span class="pl-s">f</span><span class="pl-s">r</span><span class="pl-s">o</span><span class="pl-s">m</span><span class="pl-s"> </span><span class="pl-s">e</span><span class="pl-s">n</span><span class="pl-s">d</span><span class="pl-cce">$</span><span class="pl-c1">/</span></span><span class="pl-kos">,</span> <span class="pl-s">''</span><span class="pl-kos">)</span><span class="pl-kos">;</span></pre></div> <p id="p-1">But what if the string to be removed comes from a variable? You'll need to construct a regular expression from the variable, using the RegExp constructor function:</p> <div class="highlight highlight-source-js"><pre><span class="pl-k">var</span> <span class="pl-s1">re</span> <span class="pl-c1">=</span> <span class="pl-k">new</span> <span class="pl-v">RegExp</span><span class="pl-kos">(</span><span class="pl-s1">stringToRemove</span> <span class="pl-c1">+</span> <span class="pl-s">'$'</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-k">var</span> <span class="pl-s1">newString</span> <span class="pl-c1">=</span> <span class="pl-s1">oldString</span><span class="pl-kos">.</span><span class="pl-en">replace</span><span class="pl-kos">(</span><span class="pl-s1">re</span><span class="pl-kos">,</span> <span class="pl-s">''</span><span class="pl-kos">)</span><span class="pl-kos">;</span></pre></div> <p id="p-2">But what if the string you want to remove may contain regular expression metacharacters - characters like $ or . that affect the behaviour of the expression? Languages such as Python provide functions for escaping these characters (see <a href="https://docs.python.org/2/library/re.html#re.escape" title="Python re module contents">re.escape</a>); with JavaScript you have to write your own.</p> <p id="p-3">Here's mine:</p> <div class="highlight highlight-source-js"><pre><span class="pl-v">RegExp</span><span class="pl-kos">.</span><span class="pl-en">escape</span> <span class="pl-c1">=</span> <span class="pl-k">function</span><span class="pl-kos">(</span><span class="pl-s1">text</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-c1">!</span><span class="pl-smi">arguments</span><span class="pl-kos">.</span><span class="pl-c1">callee</span><span class="pl-kos">.</span><span class="pl-c1">sRE</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-k">var</span> <span class="pl-s1">specials</span> <span class="pl-c1">=</span> <span class="pl-kos">[</span> <span class="pl-s">'/'</span><span class="pl-kos">,</span> <span class="pl-s">'.'</span><span class="pl-kos">,</span> <span class="pl-s">'*'</span><span class="pl-kos">,</span> <span class="pl-s">'+'</span><span class="pl-kos">,</span> <span class="pl-s">'?'</span><span class="pl-kos">,</span> <span class="pl-s">'|'</span><span class="pl-kos">,</span> <span class="pl-s">'('</span><span class="pl-kos">,</span> <span class="pl-s">')'</span><span class="pl-kos">,</span> <span class="pl-s">'['</span><span class="pl-kos">,</span> <span class="pl-s">']'</span><span class="pl-kos">,</span> <span class="pl-s">'{'</span><span class="pl-kos">,</span> <span class="pl-s">'}'</span><span class="pl-kos">,</span> <span class="pl-s">'\\'</span> <span class="pl-kos">]</span><span class="pl-kos">;</span> <span class="pl-smi">arguments</span><span class="pl-kos">.</span><span class="pl-c1">callee</span><span class="pl-kos">.</span><span class="pl-c1">sRE</span> <span class="pl-c1">=</span> <span class="pl-k">new</span> <span class="pl-v">RegExp</span><span class="pl-kos">(</span> <span class="pl-s">'(\\'</span> <span class="pl-c1">+</span> <span class="pl-s1">specials</span><span class="pl-kos">.</span><span class="pl-en">join</span><span class="pl-kos">(</span><span class="pl-s">'|\\'</span><span class="pl-kos">)</span> <span class="pl-c1">+</span> <span class="pl-s">')'</span><span class="pl-kos">,</span> <span class="pl-s">'g'</span> <span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span> <span class="pl-k">return</span> <span class="pl-s1">text</span><span class="pl-kos">.</span><span class="pl-en">replace</span><span class="pl-kos">(</span><span class="pl-smi">arguments</span><span class="pl-kos">.</span><span class="pl-c1">callee</span><span class="pl-kos">.</span><span class="pl-c1">sRE</span><span class="pl-kos">,</span> <span class="pl-s">'\\$1'</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span></pre></div> <p id="p-4">This deals with another common problem in JavaScript: compiling a regular expression once (rather than every time you use it) while keeping it local to a function. <code>argmuments.callee</code> inside a function always refers to the function itself, and since JavaScript functions are objects you can store properties on them. In this case, the first time the function is run it compiles a regular expression and stashes it in the sRE property. On subsequent calls the pre-compiled expression can be reused.</p> <p id="p-5">In the above snippet I've added my function as a property of the <code>RegExp</code> constructor. There's no pressing reason to do this other than a desire to keep generic functionality relating to regular expression handling the same place. If you rename the function it will still work as expected, since the use of <code>arguments.callee</code> eliminates any coupling between the function definition and the rest of the code.</p> <p><strong>Update 18th Feb 2025</strong>: 19 years after I published this <code>RegExp.escape()</code> has <a href="https://simonwillison.net/2025/Feb/18/tc39proposal-regex-escaping/">made it into the language</a>!</p> <p>Tags: <a href="https://simonwillison.net/tags/escaping">escaping</a>, <a href="https://simonwillison.net/tags/javascript">javascript</a>, <a href="https://simonwillison.net/tags/regular-expressions">regular-expressions</a></p>