Got more questions? Find advice on: ASP | SQL | XML | Windows
in Search
Welcome to RegexAdvice Sign in | Join | Help

Michael Ash's Regex Blog

Regex Musings

JScript Bug

I saw a comment on the Regexlib that expression

        ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,15}$
didn’t work for JavaScript.  
I responded mainly because the alternative offered didn’t wasn’t really an equivalent expression.   But when I looked at the original I really didn’t see why it shouldn’t work in JavaScript and there is any. This does work fine in JavaScript.  However it DOES NOT work in Jscript (or VBScript).
 
This expression is suppose to match a string of 8 to 15 characters containing at least one digit and one lowercase and one uppercase English letter. 
The suggested use is for password requirements.

 

There appears to a bug with the client-side Microsoft regex engines. 

 

Here’s what’s expected to happen.  Each look-ahead test is executed one at a time. 

1) Is there a digit in the string?

2) Is there a lowercase letter in the string?

3) Is there a uppercase letter in the string?

If all three are true the final test for the string being 8 to 15 characters is executed.  If this is also true we have a match.  This is how the engine works in .Net (and other non-Microsoft regex engines)

 

Here is what’s happening in with the client-side (VBScript/Jscript) Microsoft regex engines.

1)      Is there a digit, followed by 7 to 14 characters

2)      Is there a lowercase English letter, followed by 7 to 14 characters

3)      Is there a uppercase English letter, followed by 7 to 14 characters

 

After one look-ahead finds the character it’s looking for it tries to satisfy the .{8,15} portion of the regex.  It does this for each look-ahead making the regex rather sporadic in its matching. Using the Regexlib's testing tool while 123456aB7 should match , like it does in .Net, it doesn’t because the letters aren’t follow 7 more characters after the lowercase and 7 after the uppercase.  However aB12345678 matches because there are 7 characters (but not the same 7) after each letter case and the digit.  So in effect this forces the input to be at least 10 characters because the client-side evaluation isn’t possible in fewer characters.  And all the look-ahead conditions must be satisfied by  the 8th character to the left of the end of the string.

 

Published Tuesday, October 05, 2004 11:26 AM by mash
Filed under:
Anonymous comments are disabled