Escape "-", don't escape "}"

[twhb]

"-": this is a control within character sets. Escaping content for use within character sets is already fully supported except for this character, including escaping "]", which doesn't need escaping except within character sets.

"}": this isn't a control anywhere except within quantifiers. Within a quantifier, escaping this results in an invalid regex. escape-string-regexp doesn't, and can't possibly, support escaping strings meant for a quantifier context.

If you approve of the change, I'll make a PR.

[twhb]

It's been eight months with no response, please give this issue some attention.

At the very least the README should be updated to state that character sets aren't supported.

[dptole]

@twhb Considering what you said this should be the correct solution

var matchOperatorsRe = /[|\\{()[^$+*?.-]/g;

E.g.:

var matchOperatorsRe = /[|\\{()[^$+*?.-]/g;
'the characters {, (, ), [, ^, ?, +, *, . and - are to be escaped'
  .replace(matchOperatorsRe, '\\$&');
// 'the characters \\{, \\(, \\), \\[, \\^, \\?, \\+, \\*, \\. and \\- are to be escaped'

[jbruni]

Lodash version does not escape "-":
https://github.com/lodash/lodash/blob/master/escapeRegExp.js

In the other hand, bobince's version does:
https://stackoverflow.com/a/3561711

[dptole]

@jbruni I take back what I said. The character "-" need to be escaped only if inside a [ and ] block. These are escaped already so there is no need to escape "-".

var matchOperatorsRe = /[|\\{()[^$+*?.]/g;
var text = 'a-z [a-z]'
var escaped_text = text.replace(matchOperatorsRe, '\\$&')
var regexp = new RegExp(escaped_text)
regexp.test('a-z a') // false
regexp.test('a-z [a-z]') // true

[ujikit]

i have same problem.
try this sql pattern:
SELECT * FROM members WHERE username = 'admin'--' AND password = 'password' - --
string: = and - does not escaped.

[sindresorhus]

I have decided to add - so this module can be used to escape a string that will be inserted in the middle of a regex. I don't see the point of removing }. Better to leave it for the same reason as previously mentioned.

[sindresorhus]

@ujikit = doesn't need to be escaped.

[twhb]

Thanks for the update. What reason are you referring to when you say “as previously mentioned”, “so this module can be used to escape a string that will be inserted in the middle of a regex”? If that’s the case, then escaping “}” does not forward that goal: an escaped “}” is not valid anywhere that an unescaped “}” would not be interpreted literally.

[sindresorhus]

@twhb You might be right, but there's a reason it was added in the first place and why all other similar libraries escape it. I don't really have the time to prove you wrong. I'm happy to remove it if you manage to convince https://github.com/lodash/lodash/blob/master/escapeRegExp.js to remove it.

[steadicat]

FYI this breaks Unicode regexes:

[shreyasminocha]

@steadicat Could you please create an issue for that?