JSPM

  • Downloads 160220
  • License MIT

Regular expression matching for URLs. Maintained, safe, and browser-friendly version of url-regex. Resolves CVE-2020-7661.

Package Exports

  • url-regex-safe

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (url-regex-safe) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

url-regex-safe


Regular expression matching for URLs. Maintained, safe, and browser-friendly version of url-regex. Resolves CVE-2020-7661 for Node.js servers.

Foreword

After discovering CVE-2020-7661 and disclosing it publicly (through my work on Spam Scanner and Forward Email) – I used an implementation of url-regex with some extra glue on top to filter out bad URL matches.

However, after using it on Forward Email in production (which processes hundreds of thousands of emails per week), I found and documented several more core issues with url-regex.

Realizing that url-regex is no longer actively maintained, has 9 open pull requests as of this writing, and also lacks browser support – I decided to write this package for everyone and merge all the open pull requests.

This package should hopefully more closely resemble real-world intended usage of a URL regular expression, while also allowing the user to configure it as they wish. Please check out Forward Email if this package helped you, and explore our source code on GitHub, which shows how we use this package.

Install

npm:

npm install url-regex-safe

yarn:

yarn add url-regex-safe

Usage

Node

We've resolved CVE-2020-7661 by including RE2 for Node.js usage. With url-regex-safe you no longer have to wrap your URL regular expression yourself with new RE2(urlRegex()); the package does it automatically for you.

const urlRegexSafe = require('url-regex-safe');

const str = 'some long string with url.com in it';
// With the default options the regex is global, so match() returns every URL found.
// match() returns null when nothing matches, so fall back to an empty array.
const matches = str.match(urlRegexSafe()) || [];

for (const match of matches) {
  console.log('match', match);
}

// Bare domains match by default (strict: false), so this prints true.
console.log(urlRegexSafe().test('github.com'));

Browser

Since RE2 is not made for the browser, it will not be used there, and therefore CVE-2020-7661 is still an issue on the client side. However, it is less severe in that setting: the most it would do is crash the browser tab, whereas on the Node.js side it would have crashed the entire process with an out of memory exception.

VanillaJS

This is the solution for you if you're just using <script> tags everywhere!

<script src="https://unpkg.com/url-regex-safe"></script>
<script type="text/javascript">
  (function() {
    var str = 'some long string with url.com in it';
    var matches = str.match(urlRegexSafe());

    for (var i=0; i<matches.length; i++) {
      console.log('match', matches[i]);
    }

    console.log(urlRegexSafe().test('github.com'));
  })();
</script>

Bundler

Assuming you are using browserify, webpack, rollup, or another bundler, you can simply follow Node usage above.

Options

Property: Type, Default Value, Description

exact: Boolean, false
  Only match an exact String. Useful with regex.test(str) to check if a String is a URL. We set this to false by default in order to match String values such as github.com (as opposed to requiring a protocol or www subdomain). We feel this more closely resembles real-world intended usage of this package.

strict: Boolean, false
  Force URLs to start with a valid protocol or www. If it is false, then the TLD is matched against the list of valid TLDs provided by tlds.

auth: Boolean, false
  Match against Basic Authentication headers. We set this to false by default since it was deprecated in Chromium, and otherwise it leaves the user with unwanted URL matches (having it false by default also more closely resembles real-world intended usage of this package).

parens: Boolean, false
  Match against Markdown-style trailing parentheses. We set this to false because it should be up to the user to parse Markdown URLs.

apostrophe: Boolean, false
  Match against apostrophes. We set this to false because we don't want the String background: url('http://example.com/pic.jpg'); to produce the match http://example.com/pic.jpg' (with a trailing apostrophe). See this issue for more information.

ipv4: Boolean, true
  Match against IPv4 URLs.

ipv6: Boolean, true
  Match against IPv6 URLs.

tlds: Array, tlds
  Match against a specific list of TLDs, or the default list provided by tlds.

Tips

You must override the default and set strict: true if you do not wish to match github.com by itself (though www.github.com will work if strict: false).

Unlike the deprecated and unmaintained package url-regex, we set strict and auth to false by default, so if you want to match that package's behavior out of the box, you will need to set these option values to true. Also note that we added parens and ipv6 options, setting parens to false and ipv6 to true, therefore you will need to set parens to true and ipv6 to false if you wish to match url-regex behavior. Lastly, we added an apostrophe option, which we set to false by default, but you should set to true if you wish to mirror url-regex default behavior.
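To make the options table and the tips above concrete, here is an added example that is not part of url-regex-safe itself: a deliberately simplified URL matcher that exposes the same option names (exact, strict, auth, parens, apostrophe, ipv4, tlds) so their effect can be observed on the README's own sample strings. The regex it builds is a constructed stand-in with a short hard-coded TLD list; the real package builds a far more complete pattern and wraps it in RE2 on Node.js.

```javascript
// Constructed example: NOT the url-regex-safe implementation.
const DEFAULT_TLDS = ['com', 'org', 'net', 'io']; // short stand-in for the `tlds` package

function buildUrlRegex(options = {}) {
  const o = { exact: false, strict: false, auth: false, parens: false,
              apostrophe: false, ipv4: true, tlds: DEFAULT_TLDS, ...options };
  const protocol = 'https?://';                                  // simplified scheme set
  // auth: optional "user:pass@" before the host, only when enabled
  const auth = o.auth ? '(?:[^\\s:@/]+(?::[^\\s:@/]*)?@)?' : '';
  // strict: a protocol or "www." is mandatory; otherwise bare "github.com" is allowed
  const prefix = o.strict ? `(?:${protocol}|www\\.)` : `(?:${protocol})?`;
  // host: one or more labels followed by a known TLD. Each label must end in a
  // literal dot, so the quantifiers cannot overlap and backtracking stays bounded.
  const host = `(?:[a-z0-9-]+\\.)+(?:${o.tlds.join('|')})`;
  const ipv4 = '\\d{1,3}(?:\\.\\d{1,3}){3}';
  const hostAlt = o.ipv4 ? `(?:${host}|${ipv4})` : `(?:${host})`;
  // path characters: apostrophes and parentheses are excluded unless opted in,
  // which is what keeps "url('http://example.com/pic.jpg')" from yielding a trailing '
  let excluded = '\\s"<>';
  if (!o.apostrophe) excluded += "'";
  if (!o.parens) excluded += '()';
  const path = `(?:/[^${excluded}]*)?`;
  const body = `${prefix}${auth}${hostAlt}\\b(?::\\d{1,5})?${path}`;
  // exact: anchor the whole string; otherwise a global regex for str.match()
  return o.exact ? new RegExp(`^${body}$`, 'i') : new RegExp(body, 'gi');
}

// Mirrors str.match(urlRegexSafe()) from the Node example; returns [] instead of null.
function extractUrls(str, options = {}) {
  return str.match(buildUrlRegex({ ...options, exact: false })) || [];
}

// Mirrors urlRegexSafe({ exact: true }).test(str).
function isUrl(str, options = {}) {
  return buildUrlRegex({ ...options, exact: true }).test(str);
}

console.log(extractUrls('some long string with url.com in it'));   // [ 'url.com' ]
console.log(isUrl('github.com'), isUrl('github.com', { strict: true })); // true false
console.log(extractUrls("background: url('http://example.com/pic.jpg');", { apostrophe: true }));
```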

Contributors

Name Website
Nick Baugh http://niftylettuce.com/
Kevin Mårtensson
Diego Perini

License

MIT © Nick Baugh