SaferWeb: Injects in Various Ruby Websites Through Regexp (homakov.blogspot.com)
30 points by homakov on May 19, 2012 | 15 comments

tl;dr: Use \A and \z rather than ^ and $ in regexps, because the latter two match newlines in the middle of strings, whereas the former strictly only match the beginning and end of strings.

I thought this was common knowledge, but it's a good reminder for anyone who doesn't know.

This is absolutely not common knowledge. I have never seen an applicant use \A or \Z instead of ^/$.

They typically also use and/or instead of &&/|| and potentially introduce subtle bugs into their code when the former would suffice.

Er, the latter! You almost never need to use and/or compared to how frequently you use &&/||. Sorry for the mistake.

NO. Every f-king book teaches us to use $^, every f-king article on the web. Stop breaking standards, we use it because we are used to it.

It has never been common knowledge. Ask all the rubyists you know and you will see.

I have no ruby knowledge of any kind. Do you mean this is common knowledge in the relevant field?

The regular expressions I _am_ familiar with would work as expected and usually need a special modifier/flag to match over multiple lines. So - I learned something new.

A subtle problem with this "common knowledge": \z is different across languages.

In PCRE (Perl and Ruby), \z matches the end of a string; \Z matches the end of a string but allows for a single trailing newline.

In Python, \Z matches the end of a string. There is no \z.

In POSIX extended regexes, there is no \z or \Z. I think. Who knows, man.
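An added example (not code from the original post or from the linked blog) showing the three anchor styles discussed above on the same constructed inputs, as a Ruby whole-string URL check would see them: `^`/`$` are line anchors in Ruby, `\Z` tolerates one trailing newline, and `\z` is strict.

```ruby
# Constructed sample inputs: a benign value, a two-line value whose
# second line looks valid, and a value with a trailing newline.
BENIGN    = "http://example.com"
MULTILINE = "something unexpected\nhttp://example.com"
TRAILING  = "http://example.com\n"

# ^ and $ match at line boundaries in Ruby without any flag, so any
# single line of the input can satisfy this "whole string" check.
LINE_ANCHORED     = %r{^https?://[\w.\-]+/?$}
# \A ... \Z anchors to the whole string but still accepts one
# trailing "\n" before the end.
STRING_ANCHORED_Z = %r{\Ahttps?://[\w.\-]+/?\Z}
# \A ... \z anchors to the exact start and end of the string.
STRICT_ANCHORED   = %r{\Ahttps?://[\w.\-]+/?\z}

# Returns which of the three anchor styles would accept +input+.
def anchor_verdicts(input)
  {
    line_anchored:   !!(LINE_ANCHORED =~ input),
    string_anchored: !!(STRING_ANCHORED_Z =~ input),
    strict:          !!(STRICT_ANCHORED =~ input),
  }
end

if __FILE__ == $0
  [BENIGN, MULTILINE, TRAILING].each do |s|
    puts "#{s.inspect}: #{anchor_verdicts(s)}"
  end
end
```

Only the `\A ... \z` form rejects both the multi-line value and the trailing newline; the `\Z` form is what the thread means by "allows for a single trailing newline".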

I've never heard of this before. Not only is this surprising, the fix is ugly.

Captain Obvious:

All who say "I knew it" just want to look smarter than others. It's OK, but it doesn't mean that others knew it.

While I would agree that ^$ are the standard and probably vastly used around the Ruby world (so good job calling us on it Egor), it is nice to see http://rubular.com/ mention \A and \Z in its Regex Quick Reference.

rubular is a nice thing +1. But obviously a mention in the Quick Reference is worth nothing if we compare it with 999 books that use ^$ :(

:( He called me a brogrammer...

Seriously dude, your misplaced sense of humour is gonna ruin an otherwise informative piece.

honestly, I have no idea what brogrammer really means :D Just sounds funny to me. Removed that! Sorry if it was not called for, I did not do it on purpose.

I personally find the word "brogrammer" applicable to about 95% of Ruby programmers.
