RegExp.escape()

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

The RegExp.escape() static method escapes any potential regex syntax characters in a string, and returns a new string that can be safely used as a literal pattern for the RegExp() constructor.

When dynamically creating a RegExp with user-provided content, consider using this function to sanitize the input (unless the input is actually intended to contain regex syntax). In addition, don't try to re-implement its functionality by, for example, using String.prototype.replaceAll() to insert a \ before all syntax characters. RegExp.escape() is designed to use escape sequences that work in many more edge cases/contexts than hand-crafted code is likely to achieve.

Syntax

RegExp.escape(string)

Parameters

string

The string to escape.

Return value

A new string that can be safely used as a literal pattern for the RegExp() constructor. Namely, the following things in the input string are replaced:

  • The first character of the string, if it's either a decimal digit (0–9) or ASCII letter (a–z, A–Z), is escaped using the \x character escape syntax. For example, RegExp.escape("foo") returns "\\x66oo" (here and after, the two backslashes in a string literal denote a single backslash character). This step ensures that if this escaped string is embedded into a bigger pattern where it's immediately preceded by \1, \x0, \u000, etc., the leading character doesn't get interpreted as part of the escape sequence.
  • Regex syntax characters, including ^, $, \, ., *, +, ?, (, ), [, ], {, }, and |, as well as the / delimiter, are escaped by inserting a \ character before them. For example, RegExp.escape("foo.bar") returns "\\x66oo\\.bar", and RegExp.escape("(foo)") returns "\\(foo\\)".
  • Other punctuators, including ,, -, =, <, >, #, &, !, %, :, ;, @, ~, ', `, and ", are escaped using the \x syntax. For example, RegExp.escape("foo-bar") returns "\\x66oo\\x2dbar". These characters cannot be escaped by prefixing with \ because, for example, /foo\-bar/u is a syntax error.
  • The characters with their own character escape sequences: \f (U+000C FORM FEED), \n (U+000A LINE FEED), \r (U+000D CARRIAGE RETURN), \t (U+0009 CHARACTER TABULATION), and \v (U+000B LINE TABULATION), are replaced with their escape sequences. For example, RegExp.escape("foo\nbar") returns "\\x66oo\\nbar".
  • The space character is escaped as "\\x20".
  • Other non-ASCII line break and white space characters are replaced with one or two \uXXXX escape sequences representing their UTF-16 code units. For example, RegExp.escape("foo\u2028bar") returns "\\x66oo\\u2028bar".
  • Lone surrogates are replaced with their \uXXXX escape sequences. For example, RegExp.escape("foo\uD800bar") returns "\\x66oo\\ud800bar".

Exceptions

TypeError

Thrown if string is not a string.

Examples

Using RegExp.escape()

The following examples demonstrate various inputs and outputs for the RegExp.escape() method.

RegExp.escape("Buy it. use it. break it. fix it.");
// "\\x42uy\\x20it\\.\\x20use\\x20it\\.\\x20break\\x20it\\.\\x20fix\\x20it\\."
RegExp.escape("foo.bar"); // "\\x66oo\\.bar"
RegExp.escape("foo-bar"); // "\\x66oo\\x2dbar"
RegExp.escape("foo\nbar"); // "\\x66oo\\nbar"
RegExp.escape("foo\uD800bar"); // "\\x66oo\\ud800bar"
RegExp.escape("foo\u2028bar"); // "\\x66oo\\u2028bar"

Using RegExp.escape() with the RegExp constructor

The primary use case of RegExp.escape() is when you want to embed a string into a bigger regex pattern, and you want to ensure that the string is treated as a literal pattern, not as a regex syntax. Consider the following naïve example that replaces URLs:

function removeDomain(text, domain) {
  return text.replace(new RegExp(`https?://${domain}(?=/)`, "g"), "");
}

const input =
  "Consider using [RegExp.escape()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp/escape) to escape special characters in a string.";
const domain = "developer.mozilla.org";
console.log(removeDomain(input, domain));
// Consider using [RegExp.escape()](/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp/escape) to escape special characters in a string.

Inserting the domain above results in the regular expression literal https?://developer.mozilla.org(?=/), where the "." character is a regex wildcard character. This means the string will match the string with any character in place of the ".", such as developer-mozilla-org. Therefore, it would incorrectly also change the following text:

const input =
  "This is not an MDN link: https://developer-mozilla.org/, be careful!";
const domain = "developer.mozilla.org";
console.log(removeDomain(input, domain));
// This is not an MDN link: /, be careful!

To fix this, we can use RegExp.escape() to ensure that any user input is treated as a literal pattern:

function removeDomain(text, domain) {
  return text.replace(
    new RegExp(`https?://${RegExp.escape(domain)}(?=/)`, "g"),
    "",
  );
}

Now this function will do exactly what we intend to, and will not transform developer-mozilla.org URLs.

Specifications

Specification
RegExp.escape
# sec-regexp.escape

Browser compatibility

Desktop Mobile Server
Chrome Edge Firefox Opera Safari Chrome Android Firefox for Android Opera Android Safari on IOS Samsung Internet WebView Android Deno Node.js
escape No No 134 No 18.2 No 134 No 18.2 No No No No

See also

© 2005–2024 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp/escape