Using a regular expression built from a string literal (new RegExp('[a-z]+')) instead of regular expression slash syntax (/[a-z]+/) should be done with caution.
Usually, to escape the . (dot) symbol within a regular expression, a developer uses a backslash. But when this is done inside a string literal (new RegExp('\.')), JavaScript first processes the string literal's escape sequences and only then calls the RegExp constructor.
This means new RegExp('\.') is equivalent to /./, which unintentionally matches any character instead of only the intended dot.
This may result in security issues. For example, consider the hostname matching regular expression new RegExp('www\.mysite\.com'). In this case an input of http://www-mysite.com/ will pass the validation.
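The example below, added here and not part of the original page, shows the lost escape on the page's own www.mysite.com pattern, three ways of writing the pattern so the dots are actually escaped, and a small review helper that scans source text for RegExp constructor calls whose string argument contains a backslash the string literal will drop. The helper's name (findDroppedEscapes), the hostMatches function and the sample source text are assumptions made for this example.

```javascript
// Added example (not from the original page): the string literal turns '\.'
// into '.', so the regex source is "www.mysite.com" and each dot matches any
// character. This is the weak pattern the page describes.
const weakHostPattern = new RegExp('www\.mysite\.com');

// Correct alternatives. All three yield the source "^www\.mysite\.com$".
const escapedHostPattern = new RegExp('^www\\.mysite\\.com$');      // doubled backslash
const literalHostPattern = /^www\.mysite\.com$/;                    // regex literal
const rawHostPattern = new RegExp(String.raw`^www\.mysite\.com$`);  // String.raw

// Assumed helper: extract the host from a URL string and test an anchored
// pattern against the host only, rather than against the whole URL.
function hostMatches(pattern, urlString) {
  const { hostname } = new URL(urlString);
  return pattern.test(hostname);
}

// Assumed review helper: find `new RegExp('...')` / `new RegExp("...")` calls
// in JavaScript source text and report backslashes the string literal drops.
// Escape characters JavaScript keeps after a backslash; anything else is
// silently removed from the string before RegExp ever sees it.
const KEPT_ESCAPES = new Set([
  '\\', "'", '"', 'n', 'r', 't', 'b', 'f', 'v', 'x', 'u', '\n',
  '0', '1', '2', '3', '4', '5', '6', '7',
]);
const REGEXP_CALL = /new\s+RegExp\(\s*(['"])((?:\\[\s\S]|(?!\1)[^\\])*)\1/g;

function findDroppedEscapes(sourceText) {
  const findings = [];
  for (const call of sourceText.matchAll(REGEXP_CALL)) {
    const literalBody = call[2];
    const dropped = [];
    // Walk escape pairs in order so a doubled backslash is consumed as one unit.
    for (const esc of literalBody.matchAll(/\\([\s\S])/g)) {
      if (!KEPT_ESCAPES.has(esc[1])) dropped.push(esc[1]);
    }
    if (dropped.length > 0) findings.push({ literal: literalBody, dropped });
  }
  return findings;
}

// Constructed sample source: the first call loses its escapes, the second is fine.
const SAMPLE_SOURCE =
  "const a = new RegExp('www\\.mysite\\.com');\n" +
  "const b = new RegExp('^www\\\\.mysite\\\\.com$');\n";

console.log('weak source:', weakHostPattern.source);
console.log('weak matches http://www-mysite.com/:', weakHostPattern.test('http://www-mysite.com/'));
console.log('escaped matches www-mysite.com:', hostMatches(escapedHostPattern, 'http://www-mysite.com/'));
console.log('dropped escapes found:', JSON.stringify(findDroppedEscapes(SAMPLE_SOURCE)));
```

Doubling the backslash, switching to a regex literal, or using String.raw all give the RegExp constructor the escaped dot; anchoring the pattern and testing it against the parsed hostname rather than the raw URL closes the remaining gap. The scanner is only a review aid for string-literal patterns; it does not inspect patterns assembled at runtime.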