reddit-moderator-toolbox
allow regex in profile search (if possible without injection risks and all that)
See title
wrt security - I'm pretty sure the only real risk incurred by allowing user-defined regular expressions is REDoS, e.g. a specially-crafted pattern causing the interpreter to hang. Browsers will prompt users to kill scripts hanging in the main thread, so it's not a huge deal, though in such a case Toolbox will obviously not work again until the page is reloaded.
It might be possible to automate such an attack by allowing URLs to specify that a search term in the profile view should be interpreted as a regular expression; while I don't think that's a terribly realistic attack, given it doesn't really do any harm other than annoying the person who opens the link, an easy mitigation would be to make regex searching an explicit option in the UI, and intentionally not expose that option as a URL param, so the behavior can't be automated.
Sounds good to me. That leaves a few other things to hash out:
- Flags: do we want to allow the user to set them, or do we go the simple route and basically set them ourselves (probably `g`, `i` and `m` in that case)?
- Do we want to do anything else besides flags or just leave it up to the user?
I am leaning towards keeping it simple so setting the flags ourselves and not providing much more.
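A sketch of the approach discussed in this thread, added here as an example and not Toolbox's own code: regex mode comes only from an explicit UI choice, the URL parser never enables it, and the flags are fixed to `gim`. The function names and the `search`/`regex` URL parameters are assumptions, and the code does not bound how long a pattern takes to match.

```javascript
// Added illustration; all names here are hypothetical, not Toolbox's API.
const FIXED_FLAGS = 'gim'; // flags set by the tool, not by the user

// Escape regex metacharacters so a plain search term matches literally.
function escapeRegExp(text) {
    return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Read search options from a link. Only the term is honoured; a "regex"
// parameter is deliberately ignored so a crafted URL cannot turn on
// regex interpretation. That choice has to come from the UI.
function optionsFromUrl(url) {
    const params = new URL(url).searchParams;
    return {term: params.get('search') || '', useRegex: false};
}

// Build the matcher. Invalid user patterns are reported, not thrown.
function buildMatcher({term, useRegex}) {
    if (!term) return {ok: false, error: 'empty search'};
    const source = useRegex ? term : escapeRegExp(term);
    try {
        return {ok: true, regex: new RegExp(source, FIXED_FLAGS)};
    } catch (err) {
        return {ok: false, error: `invalid pattern: ${err.message}`};
    }
}

// Filter profile items (comment or post text) with the matcher.
function search(items, options) {
    const matcher = buildMatcher(options);
    if (!matcher.ok) return {matches: [], error: matcher.error};
    const matches = items.filter((text) => {
        // With the g flag, test() resumes from lastIndex, so reset it
        // before each item or consecutive matching items get skipped.
        matcher.regex.lastIndex = 0;
        return matcher.regex.test(text);
    });
    return {matches, error: null};
}
```
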