Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.

If a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the . meta-character appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behavior when it accidentally succeeds.

Escape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the . meta-character.

The following example code checks that a URL redirection will reach the example.com domain, or one of its subdomains.

However, the check is easy to bypass because the unescaped . matches any character in the position before example.com, effectively allowing the redirect to go to an attacker-controlled domain such as wwwXexample.com.

Address this vulnerability by escaping . appropriately: let regex = /^((www|beta)\.)?example\.com/.
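The incomplete check and the escaped fix side by side, as an added example that is not code from the original page. The sample hostnames are constructed, and the helper names (acceptedHosts, bypasses, isAllowedRedirect) are assumptions for this illustration; the regular expressions are the ones discussed above.

```javascript
// Added example (not from the original page). Two redirect allow-list checks:
// the incomplete regex with an unescaped '.' and the fix with the '.' escaped.
const INCOMPLETE_HOST_RE = /^((www|beta).)?example.com/; // '.' matches any character
const ESCAPED_HOST_RE = /^((www|beta)\.)?example\.com/;  // only a literal dot matches

// Constructed sample hostnames: the first three are legitimate, the last one
// is the bypass from the text (an 'X' where the dot is expected).
const SAMPLE_HOSTS = [
  "example.com",
  "www.example.com",
  "beta.example.com",
  "wwwXexample.com",
];

// Returns the hosts that a given regex accepts.
function acceptedHosts(re, hosts = SAMPLE_HOSTS) {
  return hosts.filter((h) => re.test(h));
}

// Returns the hosts the incomplete check lets through but the escaped one
// rejects, i.e. the extra targets the unescaped '.' admits.
function bypasses(hosts = SAMPLE_HOSTS) {
  return hosts.filter((h) => INCOMPLETE_HOST_RE.test(h) && !ESCAPED_HOST_RE.test(h));
}

// Apply the fixed check to the parsed hostname rather than the raw URL string,
// so the regex only ever sees the host component; unparsable input is rejected.
function isAllowedRedirect(url) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch {
    return false;
  }
  return ESCAPED_HOST_RE.test(host);
}

console.log("incomplete accepts:", acceptedHosts(INCOMPLETE_HOST_RE));
console.log("escaped accepts:   ", acceptedHosts(ESCAPED_HOST_RE));
console.log("bypass hosts:      ", bypasses());
console.log("redirect allowed:  ", isAllowedRedirect("https://www.example.com/account"));
console.log("redirect allowed:  ", isAllowedRedirect("https://wwwXexample.com/account"));
```

Note that the URL parser lowercases ASCII hostnames, so the bypass host reaches the regex as wwwxexample.com; the escaped regex still rejects it because the character after www is not a dot.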

  • MDN: Regular Expressions
  • OWASP: SSRF
  • OWASP: XSS Unvalidated Redirects and Forwards Cheat Sheet