Reword some regex safety warnings #12848
Pull request overview
This PR updates the .NET API reference documentation to present more accurate guidance about regular expression safety, consolidating the primary warning at the Regex type level and updating an external reference to a ReDoS-focused resource.
Changes:
- Converts `Regex` type-level remarks to Markdown and adds a centralized warning about using `Regex` with untrusted input, linking to OWASP ReDoS guidance.
- Removes the prior constructor-level warning text that implied timeouts are a sufficient defense against all hostile inputs.
- Tweaks `RegexOptions.NonBacktracking` summary text to point readers to the “Non-Backtracking mode” section of the options article.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| xml/System.Text.RegularExpressions/RegexOptions.xml | Clarifies the NonBacktracking option summary with a more specific docs pointer. |
| xml/System.Text.RegularExpressions/Regex.xml | Centralizes and rewords regex safety guidance in the type-level remarks and removes redundant constructor warnings. |
gewarren left a comment
I don't know why the GitOps policy we have to prevent edits to these files didn't fire, but System.Text.RegularExpressions has its source of truth for docs in the dotnet/runtime repo as of a few weeks ago. So please make these changes there instead: https://github.com/dotnet/runtime/blob/0a8142e2de2a05ac170dac8e9edffb41d059463b/src/libraries/System.Text.RegularExpressions/src/System/Text/RegularExpressions/Regex.cs#L24
I'm updating regex docs across the various docs repos. This is one part of that update.
Changes:
Related PRs: