SaferWeb: Injects in Various Ruby Websites Through Regexp - homakov
http://homakov.blogspot.com/2012/05/saferweb-injects-in-various-ruby.html
I want it to be fixed. Documenting doesn't fix the vulnerability.
======
cduan
tl;dr: Use \A and \z rather than ^ and $ in regexps, because the latter two
match newlines in the middle of strings, whereas the former strictly only
match the beginning and end of strings.

I thought this was common knowledge, but it's a good reminder for anyone who
doesn't know.
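
As an added illustration of the point above (example code, not part of the thread): a validator anchored with ^ and $ accepts a multi-line string whose first line looks valid, while the same pattern anchored with \A and \z rejects it. The sample input and the helper names (valid_username_weak?, valid_username_strict?, valid_username_upper_z?) are constructed for this example.

```ruby
# Added example (not from the thread): shows why ^/$ are unsafe anchors for
# whole-string validation in Ruby, and how \A/\z fix it.

# Constructed sample input: only the first line is a bare word, but the
# string continues past an embedded newline.
MULTILINE_INPUT = "alice\nsecond line that should never pass"

# Weak validation: in Ruby, ^ and $ match at every line boundary, so the
# check succeeds on "alice" and ignores everything after the newline.
def valid_username_weak?(str)
  !!(str =~ /^[a-z0-9_]+$/)
end

# Corrected validation: \A and \z anchor to the start and end of the whole
# string, so any embedded newline (or trailing garbage) causes rejection.
def valid_username_strict?(str)
  !!(str =~ /\A[a-z0-9_]+\z/)
end

# Caveat on \Z (upper case): it still permits a single trailing newline,
# which is usually not what a validator wants; lower-case \z does not.
def valid_username_upper_z?(str)
  !!(str =~ /\A[a-z0-9_]+\Z/)
end

if __FILE__ == $0
  p valid_username_weak?(MULTILINE_INPUT)    # => true  (the bug)
  p valid_username_strict?(MULTILINE_INPUT)  # => false
  p valid_username_upper_z?("bob\n")         # => true  (trailing newline slips through)
  p valid_username_strict?("bob\n")          # => false
end
```

Run it with plain ruby; the first line printed is the vulnerable result. When auditing a Ruby code base, a quick grep for `/^` and `$/` in validation regexps (format validators in models, route constraints, input filters) finds the patterns worth converting.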

~~~
getsat
This is absolutely not common knowledge. I have never seen an applicant use \A
or \Z instead of ^/$.

They typically also use and/or instead of &&/|| and potentially introduce
subtle bugs into their code when the former would suffice.

~~~
getsat
Er, the latter! You almost never need to use and/or compared to how frequently
you use &&/||. Sorry for the mistake.

------
VeejayRampay
While I would agree that ^$ are the standard and probably vastly used around
the Ruby world (so good job calling us on it Egor), it is nice to see
<http://rubular.com/> mention \A and \Z in its Regex Quick Reference.

~~~
homakov
rubular is a nice thing +1. But obviously a mention in the Quick Reference is worth
nothing if we compare it with 999 books that use ^$ :(

------
Falling3
:( He called me a brogrammer...

~~~
homakov
whoops

~~~
why-el
Seriously dude, your misplaced sense of humour is gonna ruin an otherwise
informing piece.

~~~
homakov
honestly, I have no idea what brogrammer really means :D Just sounds funny to
me. Removed that! Sorry if it was not called for, I did not do it on purpose.

~~~
jrockway
I personally find the word "brogrammer" applicable to about 95% of Ruby
programmers.