Regex Tester

Regular expression fundamentals — the patterns worth memorizing

A handful of regex patterns cover the vast majority of practical use cases. The dot (.) matches any character except a newline. The asterisk (*) means zero or more of the preceding element; the plus (+) means one or more; the question mark (?) means zero or one (optional). Anchors: ^ matches the start of a string (or line with the m flag), $ matches the end.

Character classes use square brackets: [abc] matches a, b, or c; [a-z] matches any lowercase letter; [^abc] matches anything NOT a, b, or c. Shorthand character classes: \d matches any digit (equivalent to [0-9]), \w matches any word character (letters, digits, underscore), \s matches any whitespace. Their uppercase inverses (\D, \W, \S) match the opposite.

Capture groups use parentheses: (\d+) captures one or more digits as a group you can reference in replacements with $1. Non-capturing groups use (?:…) when you want grouping for precedence but don't need to capture. Lookaheads (?=…) and lookbehinds (?<=…) match a position without consuming characters — essential for complex find-and-replace patterns.

Regex flags — what each one does

JavaScript regex flags modify how the engine interprets the pattern and which matches are returned.

The g (global) flag returns all matches rather than stopping at the first. Without it, string.match() returns only the first match. The i (case insensitive) flag makes [a-z] match uppercase letters too, so /hello/i matches "Hello", "HELLO", and "hello".

The m (multiline) flag changes the meaning of ^ and $. Without m, these anchors match the start and end of the entire string. With m, they also match at the start and end of each embedded newline — essential for processing multi-line text line by line.

The s (dot-all) flag makes the dot (.) match newline characters. Without it, . matches any character except \n and \r. With s, patterns like .* will match across line breaks, which is useful for extracting multi-line HTML blocks.

The u (unicode) flag enables full Unicode mode, which is important for matching characters outside the Basic Multilingual Plane (emoji, many Asian scripts) and enables Unicode property escapes like \p{L} (any Unicode letter). The y (sticky) flag anchors each match to the lastIndex position, useful for building incremental tokenizers.

Common regex patterns for real-world use

Email validation: The only regex-compatible validation is a loose check for user@domain.tld format — /^[^\s@]+@[^\s@]+\.[^\s@]+$/. A fully RFC 5322-compliant email regex is notoriously complex (several kilobytes). For real validation, send a confirmation email rather than relying on regex.

URL matching: /https?:\/\/[^\s]+/ catches most URLs in plain text. For stricter matching with query strings and fragments, use a dedicated URL-parsing library rather than regex.

Phone numbers: Phone formats vary so wildly by country that a universal regex is not practical. For US numbers: /\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}/. For international numbers, use a library like libphonenumber.

ISO date: /^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])$/ validates YYYY-MM-DD format. Note this accepts dates like 2023-02-31 — calendar validity requires logic, not regex.

Password strength: /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*]).{8,}$/ uses lookaheads to require at least one lowercase, uppercase, digit, and symbol, with a minimum length of 8.

Catastrophic backtracking — why some regex patterns cause server outages

Catastrophic backtracking (also called ReDoS — Regular Expression Denial of Service) is a class of performance bug where certain regex patterns, combined with specific inputs, cause the regex engine to explore an exponentially large number of possible matches. The result is that a single string can take minutes, hours, or effectively forever to process — making it a denial-of-service vector if user-supplied input is matched against a vulnerable pattern.

The classic dangerous pattern is nested quantifiers on overlapping character classes: (a+)+ or (\w+\s?)+ against a long string with no match. The engine tries every possible way to split the input between the inner and outer groups, and the number of attempts grows exponentially with input length. A string of 30 'a' characters followed by a non-matching character can cause millions of backtrack attempts.

Real-world incidents: Cloudflare suffered a global outage in 2019 from a regex with excessive backtracking deployed in their WAF; Stack Overflow went down in 2016 for the same reason. Node.js's built-in URL parser was found to contain a ReDoS vulnerability in 2021.

To avoid ReDoS: never use nested quantifiers ((a+)+), avoid ambiguous alternation patterns where multiple branches can match the same text, and use possessive quantifiers or atomic groups if your engine supports them (JavaScript's new linear-time engine in V8, available with the 'v' flag, eliminates backtracking entirely for supported syntax). Always test patterns against adversarial inputs before deploying to production.