Regex for Encoded HTML

Question

I'd like to create a regex that will match an opening <a> tag containing an href attribute only:

<a href="doesntmatter.com">

It should match the above, but not match when other attributes are added:

<a href="doesntmatter.com" onmouseover="alert('Do something evil with Javascript')">

Normally that would be pretty easy, but the HTML is encoded. So encoding both of the above, I need the regex to match this:

<a href="doesntmatter.com" >

But not match this:

<a href="doesntmatter.com" onmouseover="alert('do something evil with javascript.')" >

Assume all encoded HTML is "valid" (no weird malformed XSS trickery) and assume that we don't need to follow any HTML sanitization best practices. I just need the simplest regex that will match A) above but not B).

Thanks!

Answer 1

The initial regular expression that comes to mind is /<a href=".*?">/; a lazy expression (.*?) can be used to match the string between the quotes. However, as pointed out in the comments, because the regular expression is anchored by a >, it'll match the invalid tag as well, because a match is still made.

In order to get around this problem, you can use atomic grouping. Atomic grouping tells the regular expression engine, "once you have found a match for this group, accept it" -- this will solve the problem of the regex going back and matching the second string after not finding a > a the end of the href. The regular expression with an atomic group would look like:

/<a (?>href=".*?")>/

Which would look like the following when replacing the characters with their HTML entities:

/<a (?>href=".*?")>/

Answer 2

I don't see how matching one is different from the other? You're just looking for exactly what you just wrote, making the portion that is doesntmatter.com the part you capture. I guess matching for anything until " (not "?) can present a problem, but you do it like this in regex:

(?:(?!").)*

It essentially means:

• Match the following group 0 or more times
  • Fail match if the following string is """
  • Match any character (except new line unless DOTALL is specified)

The complete regular expression would be:

/<a href="(?>(?:[^&]+|(?!").)*)">/s

This is more efficient than using a non-greedy expression.

Credit to Daniel Vandersluis for reminding me of the atomic group! It fits nicely here for the sake of optimization (this pattern can never match if it has to backtrack.)

I also threw in an additional [^&]+ group to avoid repeating the negative look-ahead so many times.

Alternatively, one could use a possessive quantifier, which essentially does the same thing (your regex engine might not support it):

/<a href="(?:[^&]+|(?!").)*+">/s

As you can see it's slightly shorter.

Answer 3

Hey! I had to do a similar thing recently. I recommend decoding the html first then attempt to grab the info you want. Here's my solution in C#:

private string getAnchor(string data)
    {
        MatchCollection matches;
        string pattern = @"<a.*?href=[""'](?<href>.*?)[""'].*?>(?<text>.*?)</a>";
        Regex myRegex = new Regex(pattern, RegexOptions.Multiline);
        string anchor = "";

        matches = myRegex.Matches(data);

        foreach (Match match in matches)
        {
            anchor += match.Groups["href"].Value.Trim() + "," + match.Groups["text"].Value.Trim();
        }

        return anchor;
    }

I hope that helps!