I just want to create a regular expression out of any possible string.
var usersString = "Hello?!*`~World()[]";
var expression = new RegExp(RegExp.escape(usersString))
var matches = "Hello".match(expression);
Is there a built-in method for that? If not, what do people use? Ruby has RegExp.escape. I don't feel like I'd need to write my own, there have got to be something standard out there.
The function linked in another answer is insufficient. It fails to escape ^ or $ (start and end of string), or -, which in a character group is used for ranges.
Use this function:
function escapeRegex(string) {
return string.replace(/[/\-\\^$*+?.()|[\]{}]/g, '\\$&');
}
While it may seem unnecessary at first glance, escaping - (as well as ^) makes the function suitable for escaping characters to be inserted into a character class as well as the body of the regex.
Escaping / makes the function suitable for escaping characters to be used in a JavaScript regex literal for later evaluation.
As there is no downside to escaping either of them, it makes sense to escape to cover wider use cases.
And yes, it is a disappointing failing that this is not part of standard JavaScript.
/ at all –
Beanie 'a\.b'==='a.b' :-) –
Fanfaronade a\.b in a pseudo-literal form "a\.b", which is misleading as it is not a valid string literal for that value (should be "a\\.b". Thanks for the unnecessary extra confusion, browsers. –
Fanfaronade quotemeta (\Q), Python re.escape, PHP preg_quote, Ruby Regexp.quote... –
Fanfaronade var e = /[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g; and then your function is return s.replace(e, '\\$&'); This way you only instantiate the RegExp once. –
Verniavernice " is special in regex syntax so I'm not sure what the benefit would be. –
Fanfaronade / in character classes, though it's better to escape it to accommodate some editors. See this question. –
Teresiateresina RegExp("1.3") returning /1.3/ which is totally unacceptable. Pi Marillion's answer below is working fine when fed with numbers that contain decimal points. –
Condyle RegExp constructor instead of Regexp.escape... –
Fanfaronade String(s).replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&'); This helps when your string is a number, for example. –
Procession no-useless-escape): Unnecessary escape character: \/ –
Sabinasabine /[$(-+.\/?[-^{|}]/ (saves 5 characters). You don't need to escape - because you already escaped [ and ] and that means there won't be character groups. Also, there are two character sequences that can be written as ranges. One between ( and + (40 through 43) and another between [ and ^ (91 through 94). –
Ramekin " to \" and ' to \'? str.replace(/[\-\[\]\/\{\}\(\)\"\'\*\+\?\.\\\^\$\|]/g, "\\$&"); –
Anadromous handlebarsjs helper or any other rendering engine, for example if I use handlebarsjs to render a JS file where I have var JSstr = '{{{myStr}}}'; where myStr = "I'm here". If I don't escape the quotes I get var JSstr = 'I'm here'. But I am aware that this is a very particular and specific situation. –
Anadromous myStr would not make the result correct even if quotes were escaped. If you are writing a string into a regex inside a string literal, you would need to regex-escape it first, and then string-literal-escape the results (so eg a backslash ends up as a quadruple-backslash). –
Fanfaronade <html data-jsstr="{{myStr}}">, using handlebars's normal HTML-escaping), and then reading the content of that attribute from static JS. –
Fanfaronade string.replaceAll(haystack, needle, replace) function. It calls haystack.replace( new RegExp( escape(needle), 'g' ), replace); but I just found an edge case where it breaks: 'string as a parameter', so if the replace param contains, for example, $' my function returns weird results. Any idea how to fix this? See developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/… –
Uncinate For anyone using Lodash, since v3.0.0 a _.escapeRegExp function is built-in:
_.escapeRegExp('[lodash](https://lodash.com/)');
// → '\[lodash\]\(https:\/\/lodash\.com\/\)'
And, in the event that you don't want to require the full Lodash library, you may require just that function!
escapeRegExp function. –
Antiseptic Most of the expressions here solve single specific use cases.
That's okay, but I prefer an "always works" approach.
function regExpEscape(literal_string) {
return literal_string.replace(/[-[\]{}()*+!<=:?.\/\\^$|#\s,]/g, '\\$&');
}
This will "fully escape" a literal string for any of the following uses in regular expressions:
new RegExp(regExpEscape(str))new RegExp('[' + regExpEscape(str) + ']')new RegExp('x{1,' + regExpEscape(str) + '}')Special Characters Covered:
-: Creates a character range in a character class.[ / ]: Starts / ends a character class.{ / }: Starts / ends a numeration specifier.( / ): Starts / ends a group.* / + / ?: Specifies repetition type..: Matches any character.\: Escapes characters, and starts entities.^: Specifies start of matching zone, and negates matching in a character class.$: Specifies end of matching zone.|: Specifies alternation.#: Specifies comment in free spacing mode.\s: Ignored in free spacing mode.,: Separates values in numeration specifier./: Starts or ends expression.:: Completes special group types, and part of Perl-style character classes.!: Negates zero-width group.< / =: Part of zero-width group specifications.Notes:
/ is not strictly necessary in any flavor of regular expression. However, it protects in case someone (shudder) does eval("/" + pattern + "/");., ensures that if the string is meant to be an integer in the numerical specifier, it will properly cause a RegExp compiling error instead of silently compiling wrong.#, and \s do not need to be escaped in JavaScript, but do in many other flavors. They are escaped here in case the regular expression will later be passed to another program.If you also need to future-proof the regular expression against potential additions to the JavaScript regex engine capabilities, I recommend using the more paranoid:
function regExpEscapeFuture(literal_string) {
return literal_string.replace(/[^A-Za-z0-9_]/g, '\\$&');
}
This function escapes every character except those explicitly guaranteed not be used for syntax in future regular expression flavors.
For the truly sanitation-keen, consider this edge case:
var s = '';
new RegExp('(choice1|choice2|' + regExpEscape(s) + ')');
This should compile fine in JavaScript, but will not in some other flavors. If intending to pass to another flavor, the null case of s === '' should be independently checked, like so:
var s = '';
new RegExp('(choice1|choice2' + (s ? '|' + regExpEscape(s) : '') + ')');
/ doesn't need to be escaped in the [...] character class. –
Enriquetaenriquez var e = /[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g; and then the function is like return s.replace(e, '\\$&');. To avoid manually escaping the escape string I want first to use the original function regExpEscape to escape your escape string (ees), then use e = new RegExp(ees,"g") and then function regExpEscapeFast(literal_string) { return literal_string.replace(e, '\\$&');}. I can't get it working. How to correctly escape the escape string? –
Rubidium /\#/u.test('#') does not compile. See my article: abareplace.com/blog/escape-regexp –
Gonfalon Mozilla Developer Network's Guide to Regular Expressions provides this escaping function:
function escapeRegExp(string) {
return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // $& means the whole matched string
}
In jQuery UI's autocomplete widget (version 1.9.1) they use a slightly different regular expression (line 6753), here's the regular expression combined with bobince's approach.
RegExp.escape = function( value ) {
return value.replace(/[\-\[\]{}()*+?.,\\\^$|#\s]/g, "\\$&");
}
, (which is not a metacharacter), and # and whitespace which only matter in free-spacing mode (which is not supported by JavaScript). However, they do get it right not to escape the the forward slash. –
Terresaterrestrial $.ui.autocomplete.escapeRegex(myString). –
Marvelofperu There is an ES7 proposal for RegExp.escape at https://github.com/benjamingr/RexExp.escape/, with a polyfill available at https://github.com/ljharb/regexp.escape.
Nothing should prevent you from just escaping every non-alphanumeric character:
usersString.replace(/(?=\W)/g, '\\');
You lose a certain degree of readability when doing re.toString() but you win a great deal of simplicity (and security).
According to ECMA-262, on the one hand, regular expression "syntax characters" are always non-alphanumeric, such that the result is secure, and special escape sequences (\d, \w, \n) are always alphanumeric such that no false control escapes will be produced.
.replace(/[^\w]/g, '\\$&') would work in the same way. –
Chemar new RegExp('🍎'.replace(/(?=\W)/g, '\\'), 'u') throws exception because \W matches each code unit of a surrogate pair separately, resulting in invalid escape codes. –
Buehrer .replace(/\W/g, "\\$&"); –
Pannier There is an ES7 proposal for RegExp.escape at https://github.com/benjamingr/RexExp.escape/, with a polyfill available at https://github.com/ljharb/regexp.escape.
An example based on the rejected ES proposal, includes checks if the property already exists, in the case that TC39 backtracks on their decision.
Code:
if (!Object.prototype.hasOwnProperty.call(RegExp, 'escape')) {
RegExp.escape = function(string) {
// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping
// https://github.com/benjamingr/RegExp.escape/issues/37
return string.replace(/[.*+\-?^${}()|[\]\\]/g, '\\$&'); // $& means the whole matched string
};
}
Code Minified:
Object.prototype.hasOwnProperty.call(RegExp,"escape")||(RegExp.escape=function(e){return e.replace(/[.*+\-?^${}()|[\]\\]/g,"\\$&")});
// ...
var assert = require('assert');
var str = 'hello. how are you?';
var regex = new RegExp(RegExp.escape(str), 'g');
assert.equal(String(regex), '/hello\. how are you\?/g');
There is also an npm module at:
https://www.npmjs.com/package/regexp.escape
One can install this and use it as so:
npm install regexp.escape
or
yarn add regexp.escape
var escape = require('regexp.escape');
var assert = require('assert');
var str = 'hello. how are you?';
var regex = new RegExp(escape(str), 'g');
assert.equal(String(regex), '/hello\. how are you\?/g');
In the GitHub && NPM page are descriptions of how to use the shim/polyfill for this option, as well. That logic is based on return RegExp.escape || implementation;, where implementation contains the regexp used above.
The NPM module is an extra dependency, but it also make it easier for an external contributor to identify logical parts added to the code. ¯\(ツ)/¯
Another (much safer) approach is to escape all the characters (and not just a few special ones that we currently know) using the unicode escape format \u{code}:
function escapeRegExp(text) {
return Array.from(text)
.map(char => `\\u{${char.charCodeAt(0).toString(16)}}`)
.join('');
}
console.log(escapeRegExp('a.b')); // '\u{61}\u{2e}\u{62}'
Please note that you need to pass the u flag for this method to work:
var expression = new RegExp(escapeRegExp(usersString), 'u');
This is a shorter version.
RegExp.escape = function(s) {
return s.replace(/[$-\/?[-^{|}]/g, '\\$&');
}
This includes the non-meta characters of %, &, ', and ,, but the JavaScript RegExp specification allows this.
. is missed. And (). Or not? [-^ is strange. I don't remember what is there. –
Woolly a-z or 0-9 or denotes a range with explicit code points like \u0000-\u001f. It's hard to read when you write [!-|] (for example), which unless you refer to an ASCII table, you wouldn't know that it covers upper and lower case character. \u0021-\u007c may not tell you exactly what characters, but it shows you how many characters there are in the range, then you can proceed to investigate what is in the range –
Hottempered escapeRegExp = function(str) {
if (str == null) return '';
return String(str).replace(/([.*+?^=!:${}()|[\]\/\\])/g, '\\$1');
};
XRegExp has an escape function:
XRegExp.escape('Escaped? <.>');
// -> 'Escaped\?\ <\.>'
More on: http://xregexp.com/api/#escape
Rather than only escaping characters which will cause issues in your regular expression (e.g.: a blacklist), consider using a whitelist instead. This way each character is considered tainted unless it matches.
For this example, assume the following expression:
RegExp.escape('be || ! be');
This whitelists letters, number and spaces:
RegExp.escape = function (string) {
return string.replace(/([^\w\d\s])/gi, '\\$1');
}
Returns:
"be \|\| \! be"
This may escape characters which do not need to be escaped, but this doesn't hinder your expression (maybe some minor time penalties - but it's worth it for safety).
There has only ever been and ever will be 12 meta characters that need to be escaped to be considered a literal.
It doesn't matter what is done with the escaped string, inserted into a balanced regex wrapper or appended. It doesn't matter.
Do a string replace using this
var escaped_string = oldstring.replace(/[\\^$.|?*+()[{]/g, '\\$&');
]? –
Impeach I borrowed bobince's answer above and created a tagged template function for creating a RegExp where part of the value is escaped and part isn't.
RegExp.escape = text => text.replace(/[\-\[\]{}()*+?.,\\\^$|#\s]/g, '\\$&');
RegExp.escaped = flags =>
function (regexStrings, ...escaped) {
const source = regexStrings
.map((s, i) =>
// escaped[i] will be undefined for the last value of s
escaped[i] === undefined
? s
: s + RegExp.escape(escaped[i].toString())
)
.join('');
return new RegExp(source, flags);
};
function capitalizeFirstUserInputCaseInsensitiveMatch(text, userInput) {
const [, before, match, after ] =
RegExp.escaped('i')`^((?:(?!${userInput}).)*)(${userInput})?(.*)$`.exec(text);
return `${before}${match.toUpperCase()}${after}`;
}
const text = 'hello (world)';
const userInput = 'lo (wor';
console.log(capitalizeFirstUserInputCaseInsensitiveMatch(text, userInput));For our TypeScript fans...
interface RegExpConstructor {
/** Escapes a string so that it can be used as a literal within a `RegExp`. */
escape(text: string): string;
/**
* Returns a tagged template function that creates `RegExp` with its template values escaped.
*
* This can be useful when using a `RegExp` to search with user input.
*
* @param flags The flags to apply to the `RegExp`.
*
* @example
*
* function capitalizeFirstUserInputCaseInsensitiveMatch(text: string, userInput: string) {
* const [, before, match, after ] =
* RegExp.escaped('i')`^((?:(?!${userInput}).)*)(${userInput})?(.*)$`.exec(text);
*
* return `${before}${match.toUpperCase()}${after}`;
* }
*/
escaped(flags?: string): (regexStrings: TemplateStringsArray, ...escapedVals: Array<string | number>) => RegExp;
}
The functions in the other answers are overkill for escaping entire regular expressions (they may be useful for escaping parts of regular expressions that will later be concatenated into bigger regexps).
If you escape an entire regexp and are done with it, quoting the metacharacters that are either standalone (., ?, +, *, ^, $, |, \) or start something ((, [, {) is all you need:
String.prototype.regexEscape = function regexEscape() {
return this.replace(/[.?+*^$|({[\\]/g, '\\$&');
};
And yes, it's disappointing that JavaScript doesn't have a function like this built-in.
(text)next and insert it in: (?: + input + ). Your method will give the resulting string (?:\(text)next) which fails to compile. Note that this is quite a reasonable insertion, not some crazy one like re\ + input + re (in this case, the programmer can be blamed for doing something stupid) –
Hottempered \ should be escaped, since your regex will leave \w intact. Also, JavaScript doesn't seem to allow trailing ), at least that is what Firefox throws error for. –
Hottempered ` in the answer. Thanks! –
Enriquetaenriquez ) –
Hottempered This one is the permanent solution.
function regExpEscapeFuture(literal_string) {
return literal_string.replace(/[^A-Za-z0-9_]/g, '\\$&');
}
Just published a regex escape gist based on the RegExp.escape shim which was in turn based on the rejected RegExp.escape proposal. Looks roughly equivalent to the accepted answer except it doesn't escape - characters, which seems to be actually fine according to my manual testing.
Current gist at the time of writing this:
const syntaxChars = /[\^$\\.*+?()[\]{}|]/g
/**
* Escapes all special special regex characters in a given string
* so that it can be passed to `new RegExp(escaped, ...)` to match all given
* characters literally.
*
* inspired by https://github.com/es-shims/regexp.escape/blob/master/implementation.js
*
* @param {string} s
*/
export function escape(s) {
return s.replace(syntaxChars, '\\$&')
}
Here is a replaceAll version.
Uses the string.includes function and a ternary to add the escape backslash instead of a regex.
const escapeRegexNonRegex = s => s.split('').map(a => "/-^$*+?.|()[]{}".includes(a) ? "\\" + a : a).join('');
const escapeRegex = s => s.replaceAll(/./g, a => "/-^$*+?.|()[]{}".includes(a) ? "\\" + a : a);
const usersString = "\\/-^$*+?.|()[]{}Hello";
const escapedString = escapeRegex(usersString);
const expression = new RegExp(escapedString);
const matches = usersString.match(expression);
console.log(matches);If you are a VS Code user, you can use the Replace command with regex already enabled (press Alt+R to toggle regex mode).
For example, we can escape console.log(42);:
Simply select a span of text and press Ctrl+H (or Ctrl+Shift+H for Search: Replace in Files).
The editor will automatically escape the selected text.
Tested with VS Code v1.87.2
© 2022 - 2024 — McMap. All rights reserved.
RegExp.escapeis currently worked on and anyone who thinks they have valuable input is very welcome to contribute. core-js and other polyfills offer it. – Esmeralda