Regular Expression Tester
Test regular expressions with real-time matching, capture group highlighting, and match explanations.
How to Use the Regex Tester
- Enter your regular expression pattern in the pattern field.
- Set the flags you need (global, case-insensitive, multiline, etc.).
- Type or paste the test string you want to match against.
- View real-time highlighted matches, capture groups, and match details.
- Refine your pattern based on the visual feedback until it matches correctly.
What are Regular Expressions?
Regular expressions (regex or regexp) are patterns used to match character combinations in strings. They provide a powerful and flexible way to search, validate, extract, and replace text. Virtually every programming language supports regular expressions, making them an indispensable tool for text processing, input validation, log analysis, and data extraction. Regex syntax includes literal characters, character classes ([a-z], \d, \w), quantifiers (*, +, ?, {n,m}), anchors (^, $, \b), groups and capturing ((...))), alternation (|), and lookaheads/lookbehinds. Understanding these building blocks allows you to construct patterns for complex matching requirements like validating email formats, extracting URLs from text, or parsing structured log files. In security, regular expressions play a dual role. They are used defensively in input validation, WAF rules, and content filtering. However, poorly written regex patterns can create vulnerabilities. ReDoS (Regular Expression Denial of Service) occurs when catastrophic backtracking causes a regex engine to consume exponential time on crafted input. Overly permissive validation patterns may accept malicious input. When writing security-critical regex, avoid nested quantifiers, use atomic groups or possessive quantifiers where available, and always test against adversarial inputs.
Frequently Asked Questions
ReDoS exploits regular expressions with catastrophic backtracking, where certain patterns combined with specific input cause the regex engine to take exponential time. For example, the pattern (a+)+ applied to a long string of 'a's followed by a non-matching character can hang for minutes or hours. Avoid nested quantifiers and test patterns with tools that detect ReDoS vulnerabilities.
Greedy quantifiers (*, +, ?) match as much text as possible, then backtrack if needed. Lazy quantifiers (*?, +?, ??) match as little as possible, then expand. For example, against '<b>bold</b>', the greedy pattern <.*> matches the entire string, while the lazy <.*?> matches just '<b>'. Choose based on whether you want the longest or shortest possible match.
Capture groups, defined by parentheses (), save the matched text for later reference. Group 0 is always the full match, group 1 is the first set of parentheses, and so on. Named groups (?<name>...) provide descriptive labels. Use non-capturing groups (?:...) when you need grouping for alternation or quantifiers but do not need to capture the matched text.