I usually use ^ and $ to verify user input. For example, I use the following regexp to verify whether a user input is a valid Gmail email address:
But in fact it is potentially vulnerable! According to the RegExp documentation, ^ and $ match the head and end of a line, not of the whole string!

So I might fall into a pitfall when a user tries to fool me with the following input: "hacker@gmail.com\n<script>alert('bang!')</script>"

Since there is a \n in the string, $ does not really match the end of the string but actually matches just before the \n, so the whole string becomes a valid input, when actually it isn't!
To avoid such issues, we should stick to \A and \z, which literally mean the beginning of the string and the end of the string!