Regular Expression (Regex)
Overview
Regular expressions in the Content Management API (CMA) allow pattern matching using the RE2 regular expression engine.
Previously, we used the JavaScript Regular Expressions engine. As of April 21st, 2025, we are using the RE2 expression engine to enhance security, performance, and maintainability, enforcing stricter regular expression evaluation.
The key benefits of the RE2 regular expression engine include:
Eliminating catastrophic backtracking: JavaScript's RegExp engine allows complex patterns that can lead to exponential runtime (ReDoS attacks). RE2 prevents these issues by enforcing stricter rules.
Better performance and efficiency: RE2 executes in linear time complexity, ensuring that regex evaluations do not impact system performance.
Improved security: By disallowing certain patterns like backreferences and nested quantifiers, RE2 mitigates risks associated with poorly constructed regex.
Consistency and predictability: Unlike JavaScript's RegExp, RE2 provides a more deterministic matching behavior that prevents unexpected behavior due to excessive backtracking.
Supported flags
Flag | Description |
|---|---|
| Case-insensitive matching |
| Multi-line matching (affects |
| Dot ( |
| Unicode support |
Unsupported features
The following features are no longer supported:
Global Flag (`g`): RE2 does not support the `g` flag. Instead, users should manually iterate over matches.
Important: Even though RE2 does not support the Global Flag (
g), it is ignored in the execution and accepted as an allowed flag in the validation.Lookaheads and Lookbehinds: Lookahead (`(?=...)`) and lookbehind (`(?<=...)`) assertions are not available in RE2.
Backreferences: Backreferences (`\1`, `\2`, etc.) are not supported in RE2.
Nested quantifiers are restricted: Patterns with nested quantifiers (`(a+)+`) are no longer accepted.
The global flag (g) is not supported and will be ignored during execution — how do I replace it?
JavaScript allows the global flag (g) to find multiple matches, but RE2JS does not support it.
Solution:
As our regex checks test for 0 versus 1 or more matches, removing the
gflag should be safe and will not impact the customer’s validation rule.
Important: We will not error out when a
gflag is set up. We will, however, not consider it during the execution of the regex in the validation step.
How do I fix a regex using lookaheads or lookbehinds?
If you were using look behinds ((?<=...) or (?<!...)), you must rewrite your regex without them.
Example fix:
Before (JavaScript RegExp, invalid in RE2) | After (RE2-Compatible Version) |
|---|---|
|
|
What should I do if my regex uses backreferences (\1, \2, etc.)?
Instead of using \1, enforce validation logic at the application level.
Example fix:
Before (JavaScript RegExp, invalid in RE2) | After (RE2-Compatible version) |
|---|---|
|
|
How do I handle nested quantifiers?
Nested quantifiers ((a+)+) can cause performance issues and are not supported in RE2JS.
Example fix:
Before (JavaScript RegExp, invalid in RE2) | After (RE2-Compatible version) |
|---|---|
|
|
Validation examples using RE2
E-mail validation
| Allowed values | Disallowed values |
| name@domain.com | special%char@domain.com |
| 1-2.3_4@domain.com | name@domain |
| name@sub.domain.com | notanemail.com |
RE2-compatible regex
^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$
URL validation
| Allowed values | Disallowed values |
| http://foo.com/food_food | special%char@domain.com |
| http://userid:password@example.com:8080 | name@domain |
RE2-compatible regex
^https?:\/\/[^\s/$.?#].[^\s]*$
US phone number validation
| Allowed values | Disallowed values |
| 1-123-456-7890 | 1_111-111-1111 |
| 1-123.555 1111 | 12345 |
| 18001114545 | 1-111-1a1-1111 |
RE2-compatible regex
^1[-.\s]?(\d{3})[-.\s]?(\d{3})[-.\s]?(\d{4})$
How to test your regex
We recommend using the RE2JS Playground to validate and test your regular expressions for RE2 compatibility.
If you have any questions or need assistance, contact our support team.