diff --git a/articles.md b/articles.md index d45bfc6..8b17c77 100644 --- a/articles.md +++ b/articles.md @@ -70,7 +70,7 @@ the filename of the new article next to it. - `implied-eval.md` - ~~Implied eval is evil. Pass a function instead of a string~~ - Unexpected 'in'. Compare with undefined or use the hasOwnProperty method - - Insecure '{a}' + - `Insecure '{a}'` - Insecure ^ - `use-isnan.md` - ~~Use the isNaN function to compare with NaN~~ - `leading-decimal.md` - ~~A leading decimal point can be confused with a dot~~ - Missing '{a}' diff --git a/articles/insecure-hat.md b/articles/insecure-hat.md new file mode 100644 index 0000000..d89d8a1 --- /dev/null +++ b/articles/insecure-hat.md @@ -0,0 +1,50 @@ + + +### When do I get this error? + +The "Insecure ^" error is thrown when JSLint encounters a regular expression containing the negation operator ^. + +JSLint will only raise this warning if the `regexp` option is set to true. + +```javascript +"Hello Bob".match(/[^a-z]/g); +// Returns [ 'H', ' ', 'B' ] +``` + +### Why do I get this error? + +This error is raised to highlight **potentially dangerous matches** such as some special control characters. For example, an attacker might include a unicode character or an EOL character, which would get matched by the over-zealous not and may cause your application to respond in unexpected ways. + +It is safe to ignore or disable this error if you are only matching in order to dispose of the matched characters, for example: + + +```javascript +/*jslint regexp:true*/ // Allow ^ because we're only using it to remove the matching characters +"Hello Bob".replace(/[^A-Z]/g, ""); +/*jslint regexp:false*/ +// Returns "HB" +``` diff --git a/authors/hyeend.json b/authors/hyeend.json new file mode 100644 index 0000000..bdfb2eb --- /dev/null +++ b/authors/hyeend.json @@ -0,0 +1,6 @@ +{ + "name": "Howard Yeend", + "twitter": "user24", + "github": "user24", + "bio": "JavaScripter" +} \ No newline at end of file
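Review bot: In the `articles.md` hunk the "Insecure ^" entry is not updated even though this patch adds `articles/insecure-hat.md`; every other written-up warning in the list is prefixed with its filename and has its title struck through (for example "- `implied-eval.md` - ~~Implied eval is evil. Pass a function instead of a string~~"), so the new entry should follow the same convention, something like "- `insecure-hat.md` - ~~Insecure ^~~". Wrapping the neighbouring "Insecure '{a}'" title in backticks while leaving "Insecure ^" bare also makes the two adjacent items inconsistent; either both get code formatting or neither does.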
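Review bot: The `articles/insecure-hat.md` hunk contradicts itself about the `regexp` option: the "When do I get this error?" section says JSLint "will only raise this warning if the `regexp` option is set to true", while the second example uses `/*jslint regexp:true*/` with the comment "Allow ^", i.e. as the way to suppress the warning. One of the two is wrong; the example's usage is the one that matches JSLint's behaviour (`regexp: true` tolerates `.` and `[^...]` in regular expressions), so the first sentence should say the warning is raised unless the option is set, and the directive pair in the example should be kept as-is. Two smaller points in the same hunk: "a regular expression containing the negation operator ^" should say a caret inside a character class (`[^...]`, as both examples show), since a leading `^` used as a start-of-input anchor does not trigger this warning; and the two empty `+` lines at the top of the file look like a missing front-matter block rather than intentional whitespace, so either add the metadata the other articles carry or drop the blank lines.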
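Review bot: `authors/hyeend.json` ends with "\ No newline at end of file"; add a trailing newline so the file matches the other author records and does not produce noisy diffs on the next edit.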