From: "knu (Akinori MUSHA) via ruby-core"
Date: 2024-02-15T09:45:58+00:00
Subject: [ruby-core:116775] [Ruby master Feature#20266] New syntax to escape embed strings in Regexp literal

Issue #20266 has been updated by knu (Akinori MUSHA).

I was also part of the discussion circle regarding this idea.

The lack of support for easily escaping a string for regular expressions has led users to often omit it when it seems obvious that a string does not need escaping (for example, when it is alphanumeric) or when it "looks" practically okay to do so. However, omitting escaping for something like a domain name could potentially create a vulnerability since the dot is a meta character.

Consider the scenario where the variable `hostname` is set to `"example.co.jp"`. In the expression `%r{\Ahttps://#{hostname}/}.match?(callback_url)` where necessary escaping is omitted, it unwantedly matches `"https://example.co/jp/…"` which is a URL under a completely different domain.

That's why I believe it is necessary for Ruby to provide an easy and readable way to escape a string in interpolation. It would help code reviewers and reviewees a lot if escaping cost just one character, whereas "Add Regexp.quote() here and here" can look scary and pedantic.

----------------------------------------
Feature #20266: New syntax to escape embed strings in Regexp literal
https://bugs.ruby-lang.org/issues/20266#change-106799

* Author: usa (Usaku NAKAMURA)
* Status: Open
* Priority: Normal
----------------------------------------
# Premise

When using embed strings in a Regexp literal, they are interpreted as part of the Regexp.

```ruby
foo = "[a-z]"
p /#{foo}/ #=> /[a-z]/
```

So, currently we often have to escape the embed strings.

```ruby
foo = "[a-z]"
p /#{Regexp.quote(foo)}/ #=> /\[a\-z\]/
```

This is very long and painful to write every time.
So, I propose new syntax to escape embed strings automatically.

# Proposal

Adding a new token `#{=` in Regexp literals:

```ruby
foo = "[a-z]"
p /#{=foo}/ #=> /\[a\-z\]/
```

When `#{=` is used instead of `#{`, ruby calls `Regexp.quote` internally.

# Compatibility

Current ruby causes a syntax error when using `#{=`, so there is no incompatibility.

# Out of scope of this proposal

I do not propose `#{=` in other literals.
They are out of scope of this proposal.

--
https://bugs.ruby-lang.org/
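
Added example, not part of the original thread or of Ruby's own code: the callback check knu describes, run with unescaped interpolation, with `Regexp.quote`, and with a regex-free host comparison via `URI.parse`. The method names, the `audit` helper and the sample URLs are assumptions constructed for this illustration; only the hostname and the look-alike URL shape come from the message above.

```ruby
require "uri"

# Hostname from the thread; the URL list below is constructed for this example.
HOSTNAME = "example.co.jp"
SAMPLE_URLS = [
  "https://example.co.jp/cb", # intended callback
  "https://example.co/jp/cb", # the case knu describes: second "." matches "/"
  "https://exampleXco.jp/cb", # first "." matches an arbitrary character
].freeze

# Unescaped interpolation: every "." in hostname is a regex wildcard.
def callback_allowed_unescaped?(hostname, callback_url)
  %r{\Ahttps://#{hostname}/}.match?(callback_url)
end

# Escaped interpolation: Regexp.quote turns "." into a literal "\.".
def callback_allowed_escaped?(hostname, callback_url)
  %r{\Ahttps://#{Regexp.quote(hostname)}/}.match?(callback_url)
end

# Regex-free alternative: parse the URL and compare scheme and host exactly.
def callback_allowed_parsed?(hostname, callback_url)
  uri = URI.parse(callback_url)
  uri.is_a?(URI::HTTPS) && uri.host.to_s.downcase == hostname.downcase
rescue URI::InvalidURIError
  false
end

# Returns { url => { unescaped:, escaped:, parsed: } } for side-by-side review.
def audit(hostname, urls)
  urls.to_h do |url|
    [url, { unescaped: callback_allowed_unescaped?(hostname, url),
            escaped: callback_allowed_escaped?(hostname, url),
            parsed: callback_allowed_parsed?(hostname, url) }]
  end
end

audit(HOSTNAME, SAMPLE_URLS).each { |url, result| puts "#{url}  #{result}" }
```

Only the unescaped variant accepts the two look-alike URLs; a reviewer can use the same side-by-side audit to find interpolations that are missing `Regexp.quote`.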