Posted over 7 years ago. Visible to the public. Repeats.

Regex: Be careful when trying to match the start and/or end of a text

Ruby has two different ways to match the start and the end of a text:

  • ^ (Start of line) and $ (End of line)
  • \A (Start of string) and \z (End of string)

Most often you want to use \A and \z.

Here is a short example in which we want to validate the content type of a file attachment. Normally we would not expect content_type_1 to be a valid content type with the used regular expression image\/(jpeg|png). But as ^ and $ will match lines, it matches both content_type_1 and content_type_2. Using \A and \z will work as expected instead and excludes content_type_1.

content_type_1 = "image/jpeg\napplication/javascript" content_type_2 = "image/jpeg" # Using `^` and `$` content_type_1.match(/^image\/(jpeg|png)$/) # => <MatchData "image/jpeg" 1:"jpeg"> content_type_2.match(/^image\/(jpeg|png)$/) # => <MatchData "image/jpeg" 1:"jpeg"> # Using `\A` and `\z` content_type_1.match(/\Aimage\/(jpeg|png)\z/) # => nil content_type_2.match(/\Aimage\/(jpeg|png)\z/) # => <MatchData "image/jpeg" 1:"jpeg">


Newer Rails explicitly warns you, when you use ^ and $ in validations with a regular expression, as this might be a security risk.

Used validation in the model:

validates_format_of :content_type, :with => /^image\/(jpeg|png)$/

Resulting exception:

The provided regular expression is using multiline anchors (^ or $), which may present a security risk. Did you mean to use \A and \z, or forgot to add the :multiline => true option? (ArgumentError)

You can remove this warning by changing your validation like this (Be sure you really want to):

validates_format_of :content_type, :with => /^image\/(jpeg|png)$/, multiline: true
Growing Rails Applications in Practice
Check out our new e-book:
Learn to structure large Ruby on Rails codebases with the tools you already know and love.

Owner of this card:

Thomas Eisenbarth
Last edit:
10 months ago
by Emanuel De
About this deck:
We are makandra and do test-driven, agile Ruby on Rails software development.
License for source code
Posted by Thomas Eisenbarth to makandra dev
This website uses cookies to improve usability and analyze traffic.
Accept or learn more