Fix regex validator crash on invalid patterns in jquery.validate.unobtrusive.js#67025
Fix regex validator crash on invalid patterns in jquery.validate.unobtrusive.js#67025ishaq2321 wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the unobtrusive jQuery Validation regex rule to avoid throwing runtime errors when an invalid regex pattern is provided, preventing client-side validation from crashing.
Changes:
- Wrapped
new RegExp(params)usage intry/catchinside theregexvalidator method. - Simplified the return condition to explicit
nullchecks and boolean operators. - Added comments explaining the fallback behavior when the regex pattern is invalid.
| try { | ||
| var match = new RegExp(params).exec(value); | ||
| return match !== null && match.index === 0 && match[0].length === value.length; | ||
| } catch (e) { | ||
| // Invalid regex pattern - skip validation to avoid crashing all form validation. | ||
| // Server-side validation at form submission time provides the fallback. | ||
| return true; | ||
| } |
dotnet-policy-service
Bot
added
the
community-contribution
|
Thanks for your PR, @ishaq2321. Someone from the team will get assigned to your PR shortly and we'll get it reviewed. |
|
@dotnet-policy-service agree |
ishaq2321
left a comment
ishaq2321
left a comment
There was a problem hiding this comment.
Thank you for the review. We considered this carefully and believe returning true is the correct approach for this specific scenario:
-
The regex pattern originates from the server — it comes from the [RegularExpression] data annotation attribute, which is validated at compile/build time in ASP.NET Core. An invalid pattern would fail during app startup, not at runtime on the client.
-
In the edge case where a malformed pattern reaches the browser, returning false means all legitimate user input gets rejected — a worse UX than skipping client-side validation. The browser would show validation errors for every input, confusing users.
-
Server-side validation is the authoritative layer — The server re-validates at form submission time regardless of what the client does. Skipping client-side validation simply means the server becomes the single validation point for that specific field.
-
The original bug was catastrophic — Without this fix, a single malformed pattern crashed ALL validation for the entire form. This fix eliminates that crash while preserving the most important validation layer (server).
ishaq2321
force-pushed
the
fix/jquery-validate-regex-crash
branch
from
a9f3809 to
020b952
Compare
…trusive.js The 'regex' custom validator in jquery.validate.unobtrusive.js would throw a SyntaxError when the regex pattern from data-val-regex-pattern was invalid (e.g., unbalanced brackets or malformed patterns). This caused the entire form validation to crash with no recovery. This change wraps the new RegExp() call in a try-catch block so that invalid patterns skip validation instead of crashing. Server-side validation at form submission time continues to serve as the fallback layer for malformed patterns. Fixes dotnet#67028 Co-authored-by: Muhammad Ishaq Khan <muhammadishaqkhan.2321@gmail.com>
ishaq2321
force-pushed
the
fix/jquery-validate-regex-crash
branch
from
020b952 to
9d11711
Compare
Fixes #67028
Summary
The
regexcustom validator injquery.validate.unobtrusive.jswould throw aSyntaxErrorwhennew RegExp(params)encountered an invalid regex pattern (e.g.,[,*, unbalanced parentheses). This caused all form validation on the page to crash.Fix
Wrapped the
new RegExp()call in a try-catch block. When an invalid pattern is encountered, validation is skipped (returnstrue) rather than crashing. Server-side validation at form submission time continues to serve as the fallback layer.Changes
src/Identity/UI/src/assets/V4/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.js: Added try-catch aroundnew RegExp(params).exec(value)src/Identity/UI/src/assets/V4/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.min.js: Equivalent minified fixFinding Source
Found via
bb_securitystatic analysis tool during ASP.NET Core codebase review.Co-authored-by: Muhammad Ishaq Khan muhammadishaqkhan.2321@gmail.com