16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
36 lines
1.2 KiB
Plaintext
36 lines
1.2 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Using reluctant quantifiers (also known as lazy or non-greedy quantifiers) in patterns can often lead to needless backtracking, making the regex needlessly inefficient and potentially vulnerable to https://www.regular-expressions.info/catastrophic.html[catastrophic backtracking]. Particularly when using ``++.*?++`` or ``++.+?++`` to match anything up to some terminating character, it is usually a better idea to instead use a greedily or quantified negated character class containing the terminating character. For example ``++<.+?>++`` should be replaced with ``<[^>]*>`` or ``<[^>]+>``.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,python]
|
|
----
|
|
|
|
r'<.+?>'
|
|
r'".*?"'
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,python]
|
|
----
|
|
r'<[^>]+>'
|
|
r'"[^"]*"'
|
|
----
|
|
|
|
|
|
=== Exceptions
|
|
|
|
This rule only applies in cases where the reluctant quantifier can easily be replaced with a negated character class. That means the repetition has to be terminated by a single character or character class. Patterns such as the following, where the alternatives without reluctant quantifiers are more complicated, are therefore not subject to this rule:
|
|
|
|
|
|
[source,python]
|
|
----
|
|
/<!--.*?-->/
|
|
-/\*.*?\*/-
|
|
----
|
|
|