Wednesday, 31 July 2019

JavaScript: RegExp literal vs constructor for security

The problem is more about using regular expressions securely. If instantiating a "new RegExp..." can handle dynamic expressions, can we say it is preferred in terms of secure coding per se?

It rang a bell for me when I saw a write-up on using the RegExp object (constructor) for dynamic creation of regular expressions versus the predefined literal. I read a number of forums, write-ups, and pages highlighting the benefits of literals in terms of performance, but not in terms of security.

literal: /[A-Z\d\s]/
constructor: new RegExp('[A-Z\\d\\s]')

Expected results would be about security.
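
An added example, not part of the original post, showing where the two forms differ for security: the constructor takes a string, so string escaping consumes backslashes first, and any untrusted text passed into the pattern is interpreted as regex syntax unless it is escaped. The helpers escapeRegExp, findUnsafe, findSafe and tryFind, and all sample inputs, are assumptions made for this illustration.

```javascript
// Added example; helper names and sample inputs are constructed for illustration.

// A literal is compiled from source text: backslashes reach the regex engine as written.
const literal = /[A-Z\d\s]/;

// The constructor takes a string, so string escaping runs first: '\d' is just 'd'.
const naive = new RegExp('[A-Z\d\s]');      // compiles to /[A-Zds]/
const doubled = new RegExp('[A-Z\\d\\s]');  // compiles to /[A-Z\d\s]/

// Escape every regex metacharacter so untrusted text is matched literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Untrusted term handed to the constructor as pattern syntax.
function findUnsafe(term, text) {
  return new RegExp(term).test(text);
}

// Same search, but the term is escaped before it becomes part of the pattern.
function findSafe(term, text) {
  return new RegExp(escapeRegExp(term)).test(text);
}

// Returns the boolean result, or the error name if the pattern fails to compile.
function tryFind(find, term, text) {
  try { return find(term, text); } catch (err) { return err.name; }
}

console.log(naive.source, doubled.source, literal.source);
console.log(tryFind(findUnsafe, 'a.c', 'abc'), tryFind(findSafe, 'a.c', 'abc'));
console.log(tryFind(findUnsafe, '(', 'f(x)'), tryFind(findSafe, '(', 'f(x)'));
```

A literal cannot contain runtime input at all, so the escaping step only matters for the constructor; when the pattern is fixed, the literal removes both pitfalls.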



