38 lines
1.1 KiB
Plaintext
38 lines
1.1 KiB
Plaintext
Using reluctant quantifiers (also known as lazy or non-greedy quantifiers) in patterns can often lead to needless backtracking, making the regex needlessly inefficient and potentially vulnerable to https://www.regular-expressions.info/catastrophic.html[catastrophic backtracking]. Particularly when using ``++.*?++`` or ``++.+?++`` to match anything up to some terminating character, it is usually a better idea to instead use a greedily or possessively quantified negated character class containing the terminating character. For example ``++<.+?>++`` should be replaced with ``<[^>]{plus}{plus}>``.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
<.+?>
|
|
".*?"
|
|
----
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
<[^>]++>
|
|
"[^"]*+"
|
|
----
|
|
|
|
or
|
|
|
|
|
|
----
|
|
<[^>]+>
|
|
"[^"]*"
|
|
----
|
|
|
|
|
|
== Exceptions
|
|
|
|
This rule only applies in cases where the reluctant quantifier can easily be replaced with a negated character class. That means the repetition has to be terminated by a single character or character class. Patterns such as the following, where the alternatives without reluctant quantifiers are more complicated, are therefore not subject to this rule:
|
|
|
|
|
|
----
|
|
<!--.*?-->
|
|
/\*.*?\*/
|
|
----
|
|
|