Posted over 6 years ago. Visible to the public.

Regex: Be careful when trying to match the start and/or end of a text

Ruby has two different ways to match the start and the end of a text:

  • ^ (Start of line) and $ (End of line)
  • \A (Start of string) and \z (End of string)

Most often you want to use \A and \z.

Here is a short example in which we want to validate the content type of a file attachment. We would not expect content_type_1 to pass a check against the regular expression image\/(jpeg|png), because it contains a second line with a different type. But since ^ and $ match at line boundaries, the pattern matches both content_type_1 and content_type_2. Using \A and \z works as expected and rejects content_type_1.

```ruby
content_type_1 = "image/jpeg\napplication/javascript"
content_type_2 = "image/jpeg"

# Using `^` and `$`
content_type_1.match(/^image\/(jpeg|png)$/)
# => <MatchData "image/jpeg" 1:"jpeg">
content_type_2.match(/^image\/(jpeg|png)$/)
# => <MatchData "image/jpeg" 1:"jpeg">

# Using `\A` and `\z`
content_type_1.match(/\Aimage\/(jpeg|png)\z/)
# => nil
content_type_2.match(/\Aimage\/(jpeg|png)\z/)
# => <MatchData "image/jpeg" 1:"jpeg">
```
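The following added example (not part of the original card) runs both anchor styles over a handful of constructed content types, including values with an embedded or trailing newline, and reports which inputs each regex gets wrong:

```ruby
# Added example, not from the original card. ALLOWED_TYPE, SAMPLES and the
# helper names below are assumptions made for this illustration.
ALLOWED_TYPE = %r{image/(jpeg|png)}

LINE_ANCHORED   = /^#{ALLOWED_TYPE}$/    # ^ and $ match at every line boundary
STRING_ANCHORED = /\A#{ALLOWED_TYPE}\z/  # \A and \z match only the whole string
# Note: \Z (capital) would also accept one trailing newline; \z does not.

def valid_line_anchored?(content_type)
  !!(content_type =~ LINE_ANCHORED)
end

def valid_string_anchored?(content_type)
  !!(content_type =~ STRING_ANCHORED)
end

# Constructed sample values with the verdict a validation should reach.
# The last three contain a newline and must all be rejected.
SAMPLES = {
  "image/jpeg"                         => true,
  "image/png"                          => true,
  "image/gif"                          => false,
  "image/jpeg\napplication/javascript" => false,
  "text/html\nimage/png"               => false,
  "image/png\n"                        => false,
}

# Returns the sample inputs for which the given regex disagrees with the
# expected verdict, i.e. the values a validation built on it would misjudge.
def mismatches(regex)
  SAMPLES.reject { |value, expected| !!(value =~ regex) == expected }.keys
end

if __FILE__ == $0
  puts "^...$   misjudges: #{mismatches(LINE_ANCHORED).inspect}"
  puts "\\A...\\z misjudges: #{mismatches(STRING_ANCHORED).inspect}"
end
```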


Newer Rails versions explicitly warn you when you use ^ and $ in a validation with a regular expression, as this might be a security risk.

Used validation in the model:

```ruby
validates_format_of :content_type, :with => /^image\/(jpeg|png)$/
```

Resulting exception:

The provided regular expression is using multiline anchors (^ or $), which may present a security risk. Did you mean to use \A and \z, or forgot to add the :multiline => true option? (ArgumentError)

You can get rid of this warning by changing your validation like this (be sure that this is really what you want):

```ruby
validates_format_of :content_type, :with => /^image\/(jpeg|png)$/, multiline: true
```


Posted by Thomas Eisenbarth to makandra dev