
Bug: RegularExpressionValidator creates invalid regex in client-side

Open Head0nF1re opened this issue 10 months ago • 4 comments

Issue

In "yiisoft/yii2": "~2.0.45", the yii\validators\RegularExpressionValidator generates an invalid client-side regex for hexadecimal.

Given a pattern validation rule in a Form like ['foo', 'match', 'pattern' => '/^[\x00-\xFF]{8,72}$/'], the Html::escapeJsRegularExpression, inside the getClientOptions method, returns '/^[\u00-\uFF]{8,72}$/'. The former regex, which is valid in jquery 3.7.1 (seems to be the version being used by the framework), matches a word like "password" while the latter doesn't (because of the w in this case).

I believe this preg_replace in Html::escapeJsRegularExpression is the culprit:

$pattern = preg_replace('/\\\\x\{?([0-9a-fA-F]+)\}?/', '\u$1', $regexp);

Head0nF1re avatar Feb 09 '25 21:02 Head0nF1re
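The mismatch reported above can be reproduced in plain JavaScript. This is an added example, not part of the original post and not yii2 code: `convertAsReported` is a JavaScript port of the quoted `preg_replace` call, while `convertPadded`, `toRegExp`, `clientAccepts` and `compilesInUnicodeMode` are hypothetical helper names, and the padded conversion is an assumption about one possible correction, not the project's fix.

```javascript
// Added example, not yii2 code. JavaScript port of the replacement quoted in the
// issue: preg_replace('/\\\\x\{?([0-9a-fA-F]+)\}?/', '\u$1', $regexp)
function convertAsReported(literal) {
  return literal.replace(/\\x\{?([0-9a-fA-F]+)\}?/g, '\\u$1');
}

// Hypothetical alternative (an assumption, not the project's fix): pad the hex
// digits to the four that a JavaScript \uXXXX escape requires. BMP values only.
function convertPadded(literal) {
  return literal.replace(/\\x\{?([0-9a-fA-F]{1,4})\}?/g,
    (_, hex) => '\\u' + hex.padStart(4, '0'));
}

// Turn a "/body/flags" string into a RegExp, as client-side code would.
function toRegExp(literal, forceUnicode = false) {
  const end = literal.lastIndexOf('/');
  let flags = literal.slice(end + 1);
  if (forceUnicode && !flags.includes('u')) flags += 'u';
  return new RegExp(literal.slice(1, end), flags);
}

function clientAccepts(literal, value) {
  return toRegExp(literal).test(value);
}

// Check for generated patterns: the "u" flag rejects a malformed \u escape,
// which legacy mode silently reads as a literal "u".
function compilesInUnicodeMode(literal) {
  try { toRegExp(literal, true); return true; } catch (e) { return false; }
}

// Constructed input: the rule pattern from the issue, as a string.
const serverPattern = '/^[\\x00-\\xFF]{8,72}$/';
const reported = convertAsReported(serverPattern);
const padded = convertPadded(serverPattern);

// Constructed sample values: one with a "w", one without.
for (const value of ['password', 'passcode']) {
  console.log(value, {
    original: clientAccepts(serverPattern, value),
    reported: clientAccepts(reported, value),
    padded: clientAccepts(padded, value),
  });
}
console.log('reported compiles with u flag:', compilesInUnicodeMode(reported));
```

In legacy mode the converted class `[\u00-\uFF]` is read as the characters `u`, `0`, `F` and the range `0` to `u`, so client-side validation rejects input that the server-side rule accepts.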

@Head0nF1re a pull request with a test would be awesome to have. Then reproducing it will be easy and it won't ever break again. Do you have some time for it?

samdark avatar Feb 10 '25 08:02 samdark

@samdark I will have a look ~~tomorrow~~ this week

Head0nF1re avatar Feb 10 '25 23:02 Head0nF1re

"regex valid with jquery" (c).

Are you sure you know what you are doing?

mgrechanik avatar Apr 29 '25 13:04 mgrechanik

@mgrechanik The wording was odd but it was just to give extra context that may or may not be useful.

jquery is JavaScript, but AFAIK (with my limited use/knowledge of jquery and/or JS) different jquery versions support different browser/ECMAScript features. Also, different browser engines may have a different set of support for the language specification. And, the specification may add features with each version - for example if you go to https://tc39.es/ecma262/ you can see that the 2024 version added something new:

ECMAScript 2024, the 15th edition, added facilities for resizing and transferring ArrayBuffers and SharedArrayBuffers; added a new RegExp /v flag for creating RegExps with more advanced features for working with sets of strings;

I'm not saying that the above feature is relevant for this issue, I'm just giving you an example.

All this to say that I basically said what I said to give more context.


Anyway, I reported the bug but I'm not working on it. I don't use yii2, I just used it once to test something, so I didn't feel like using my time to work on the issue.

Head0nF1re avatar May 11 '25 18:05 Head0nF1re