Regex, HTML, and my sanity

re: Regex, HTML, and my sanity

James Geurts — Thu, 26 Feb 2004 17:46:00 GMT

Thanks for taking the time to detail how you came up with the solution.

re: Regex, HTML, and my sanity

Raymond Chen — Thu, 26 Feb 2004 17:49:00 GMT

I didn't mean that regexps shouldn't be involved at all. To me this was a job for using regexps partway and normal code the rest of the way.

By the way I think you forgot a + after the grouping. Otherwise you can't handle <A HREF="X" TARGET="Y">

I would have used something like

</?(\w+)(?:[^">]|"[^"]*")*>

to match a tag, and then used code to reject p and br.

Note that non-greedy matching doesn't mean "never ever match a quote"; it will do it if it forced to. So your code will match

<tag x="a"b">

since the non-greedy .*+ between the quotes matches a"b.

re: Regex, HTML, and my sanity

Michael Teper — Thu, 26 Feb 2004 17:51:00 GMT

I havent tried this (sorry!) but would your example handle "<br />" ?

re: Regex, HTML, and my sanity

Andrew — Thu, 26 Feb 2004 18:11:00 GMT

I know you aren't claiming to have a robust solution here, but off the top of my head I can think of several cases where your regex will fail

safe failures * (no promises:)

<BR> [using case-insensitive regex would solve this]

<tag blah='>' > [HTML allows single quotes]

<tag blah="\">" > [Escape sequences]

<tag blah=">" blah2=">" > [Multiple quoted attributes]

If you were going to be using this regex as an attempt to prevent script injection attacks (if only br and p are allowed (or other simple formatting), then cross site scripting attacks are prevented) you would find that it is easily circumvented.

for example:

<script blah='"' language='javascript'>
alert("you were just hacked");
</script blah='"'>

re: Regex, HTML, and my sanity

Raymond Chen — Fri, 27 Feb 2004 02:04:00 GMT

Actually \ escape sequences are not allowed in HTML, so that's a non-starter. But the other concerns are valid.

If this were for revoking script injecting attacks, I would just use a sledgehammer. Keep <P> and <BR> and change all other < and > to < and >.

Take Outs: The Digital Doggy Bag of Blog Bits for 26 February 2004

Enjoy Every Sandwich — Fri, 27 Feb 2004 10:36:00 GMT

Take Outs: The Digital Doggy Bag of Blog Bits for 26 February 2004

re: Regex, HTML, and my sanity

Per Soderlind — Fri, 27 Feb 2004 13:53:00 GMT

Nice challenge, I had to dust off my old Perl books :-)
I made a small correction to your regesp (I asume ignorecase is on)

</? # match < and </
\b # start group
(?! # start negative lookahead
\b(br|p)\b # group the words, prevents matching <pre>
) # end negative lookahead
\b # end group
[^>]+? # match everything except >
> # end of tag

with the comments removed, it looks like this:
</?\b(?!\b(br|p)\b)\b[^>]+?>

btw: If you want to match every tag, you should use <[^>]+>

An excellent tool for testing this is Expresso (http://www.ultrapico.com/expresso.htm)
and you'll find a lot of information at http://www.regular-expressions.info/

br,
Per

re: Regex, HTML, and my sanity

Eric TF Bat — Sun, 29 Feb 2004 23:16:00 GMT

Here's a question for you: my beard is too long; I need to shave; I have a chainsaw. How should I proceed?

re: Regex, HTML, and my sanity

AvonWyss — Sun, 07 Mar 2004 14:27:00 GMT

Note that your regex does not respect single quotes, which I believe are valid in HTML:

<bla attr='>'>

Will not be matched correctly.

re: Regex, HTML, and my sanity

Need_to_know — Tue, 10 Aug 2004 13:09:00 GMT

I have a typical case, where in I am searching for different procedures(start with p_ or sp_ or dbo.sp_ etc.). But I want to exclude the procedures under comments. ie., all proc's that fall in between /* to */

MBA

MBA — Sat, 18 Dec 2004 18:54:00 GMT

Helpful For MBA Fans.

Eric Gunnerson s C Compendium Regex HTML and my sanity | Hair Growth Products

Eric Gunnerson s C Compendium Regex HTML and my sanity | Hair Growth Products — Wed, 10 Jun 2009 05:39:51 GMT

PingBack from http://hairgrowthproducts.info/story.php?id=5382