Is regular expression matching desirable to the maintainer or is it missing for some reason?
VBO Search & Replace looks like a very nice setup, adding regex as an "advanced" option would be very simple.
The only reason I see not to is it's VERY dangerous: a regex is not nearly as predictable and its effects can be different on each node depending on content. If you get it really wrong, using a <span.*</span> instead of a <span.*?</span>, you could delete most of all your posts.

I've added it and used it. I could post a patch, but only if it's welcome.
And having used it on my own site I think a "test run" option would be really useful and I want to add that first.

Comment    File               Size       Author
#13        2679733-13.patch   3.75 KB    tenken
#8         2679733-8.patch    2.36 KB    ymeiner

Comments

haleagar created an issue. See original summary.

haleagar’s picture

Category: Bug report » Feature request
npacker’s picture

Please post the patch, I'd like to at least see it.

With Backup and Migrate I don't think the risk is that large. I can see only exposing regex matching as an advanced option helping.

AnticoVeneziano’s picture

It would be very useful!
Perfect for hunting down the typos in long texts,
especially when written by inexperienced users.
Please...

ElemAm024’s picture

I second this - please post the patch! The ability to do a regex search would be SO useful

tenken’s picture

I'd be happy to use the patch. I would like to do a regex search, and then a string replace with a token value. Your patch would be 1/2 the work needed.

knipnehpets’s picture

I'd love the patch. Could you send it to me? Rgds,
Ditto #7, if this had Regex *and* Tokens, it would be a killer module

As it is, very useful, because it lets me alter fields in commerce product types (other ones are typically restricted to nodes).

ymeiner’s picture

Status: new    Size: 2.36 KB

I gave it a shot,

please look at my diff.

The extra option allows the use of regex and cancels whatever is in the prefix, suffix, exact match and case sensitive since we can put it all in the regexp.

* There is an extra fix there for a mistake in a var ($settings vs $options)

damienmckenna’s picture

Status: Active » Needs review
tenken’s picture

Patch in #8 works for me on a test website. We may end up using it in production as well as I've reviewed the patch and see no issues at this time.

npacker’s picture

This will need some additional work before release as preg_replace presents an arbitrary PHP execution attack surface via the "e" flag.

npacker’s picture

Status: Needs review » Needs work
tenken’s picture

Status: new    Size: 3.75 KB

Here is a reroll of the patch against current -dev.

Originally I found this StackOverflow approach to stripping the e modifier, which this patch is inspired by.
https://stackoverflow.com/q/7243073

Since PHP does not provide a way to disable the e modifier at runtime, the simplest solution I have opted to implement is to scan for the modifier and, if found, deny any VBO processing until the end user provides a regex that does not make use of the e modifier. For added UX I have amended the description of the advanced form item to note that the "e" modifier is not permitted.

Although this issue appears to only exist in PHP < 7.0, I have additionally added a check for the PHP version in the code.
http://php.net/manual/en/reference.pcre.pattern.modifiers.php
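
A sketch of the check described in #13 (inspect the pattern's modifiers and refuse to run when "e" is present), as an added example that is not the attached patch or the module's code. It goes slightly further by allowlisting modifiers instead of blocking only "e"; the function names, the allowlist and the sample patterns are assumptions.

```php
<?php
// Added example, not the module's code; all names here are hypothetical.
// Written to run on PHP 5.3+ as well as 7/8.
// Modifiers this sketch permits; "e" is deliberately absent.
const SAFE_MODIFIERS = 'imsxuU';

// Returns the modifier string of a delimited PCRE pattern, or null when the
// pattern is malformed. Follows PHP's rule: the first unescaped closing
// delimiter ends the pattern, everything after it is modifiers.
function regex_modifiers($pattern) {
  // A NUL byte could make a C-level parser see a different pattern end.
  if ($pattern === '' || strpos($pattern, "\0") !== false) {
    return null;
  }
  $open = $pattern[0];
  // PHP does not accept alphanumeric, backslash or whitespace delimiters.
  if (ctype_alnum($open) || ctype_space($open) || $open === '\\') {
    return null;
  }
  $pairs = array('(' => ')', '[' => ']', '{' => '}', '<' => '>');
  $close = isset($pairs[$open]) ? $pairs[$open] : $open;
  $depth = 1;
  $len = strlen($pattern);
  for ($i = 1; $i < $len; $i++) {
    $c = $pattern[$i];
    if ($c === '\\') {
      $i++;                       // skip the escaped character
    } elseif ($c === $close && --$depth === 0) {
      return (string) substr($pattern, $i + 1);
    } elseif ($c === $open && $open !== $close) {
      $depth++;                   // nested bracket-style delimiter
    }
  }
  return null;                    // no closing delimiter found
}

function regex_is_allowed($pattern) {
  $mods = regex_modifiers($pattern);
  if ($mods === null || strspn($mods, SAFE_MODIFIERS) !== strlen($mods)) {
    return false;
  }
  // Only allowlisted modifiers remain, so a compile check is safe to run.
  return @preg_match($pattern, '') !== false;
}

// Constructed sample inputs.
$samples = array('/<span.*?<\/span>/is', '/x/e', '#a#ie', '{a{b}c}e', '/a/e/', "/a/i\0e");
foreach ($samples as $p) {
  printf("%-22s %s\n", addcslashes($p, "\0"), regex_is_allowed($p) ? 'allowed' : 'rejected');
}
```

The validated string must be the exact string later passed to preg_replace(); trimming or re-encoding it in between reopens the gap the check closes.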

tenken’s picture

Status: Needs work » Needs review

I believe the supplied patch now meets the needs of assuring additional security for the e modifier. Additional feedback from the community, bot(s), or the maintainer is appreciated.

npacker’s picture

This looks like a sound solution to me.

  • npacker committed acf367b on 7.x-1.x
    Issue #2679733 by ymeiner, tenken, npacker: regular expression matching
    
npacker’s picture

Status: Needs review » Fixed

Committed to the dev branch. I added in a permission to control access to the regular expression option as there is a lot of potential to nuke a site with this capability. Thanks to all that contributed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.