my $regex = qr/^.*$/m;
print "$regex\n";       # (?^um:^.*$) in 5.16.0
[download]

See perlre - Perl regular expressions for details.

I've not been able to find any details about the regexp output format in those perl docs. Is this documented anywhere.

And is there an alternative method to get the original regexp out of a variable?

MattLG

See Extended Patterns in the linked document.
لսႽ† ᥲᥒ⚪⟊Ⴙᘓᖇ Ꮅᘓᖇ⎱ Ⴙᥲ𝇋ƙᘓᖇ

Tangential observation: Pro forma untainting may be worse than none:

#!/usr/bin/perl -T
use 5.016;

my $regex =  qr/^.*$/;     # match anything, including an empty string

my @strings = ('delete everything',
               'overclock till cpu smokes',
               'we ownz you exec(nasty code here)',
               ' ',
               '',
              );

untaint(@strings);

sub untaint() {
    
    for my $elem(@strings) {
        if ( $elem =~ /$regex/ ) {
            say "Thank you, sucker. You are borked, really bad!";
        }else{
            say "Oh look, untainting did something more than merely al
+low any-old-badstruff to pass untaint. string untainted was -|$elem|-
+";
        }
    }
}
[download]

Execution produces:

C:\>untaint-bad.pl
Thank you, sucker. You are borked, really bad!
         |delete everything|' passed.
Thank you, sucker. You are borked, really bad!
         |overclock till cpu smokes|' passed.
Thank you, sucker. You are borked, really bad!
         |we ownz you exec(nasty code here)|' passed.
Thank you, sucker. You are borked, really bad!
         | |' passed.
Thank you, sucker. You are borked, really bad!
         ||' passed.
[download]

Err, sorry, what?

MattLG

"...my own CGI untainting library which uses regular expression variables like qr/^.*$/ to validate incoming data."

Err, your example regex validates nothing; untaints nothing. If it's merely a simple example that occured to you for the purposes of your question, fine; if you believe it's doing something useful, you err.

If you didn't program your executable by toggling in binary, it wasn't really programming!

G'day MattLG,

qr{...} does not return a string! See perlop - Regexp Quote-Like Operators for a description of what it does return. Here's an example:

$ perl -Mstrict -Mwarnings -E '
    say q{*** Using qr{}};
    my $re = qr{^.*$};
    say ref $re;
    say $re;

    say q{*** Using q{}};
    my $str = q{^.*$};
    say ref $str;
    say $str;
'
*** Using qr{}
Regexp
(?^u:^.*$)
*** Using q{}

^.*$
[download]

Related documentation:

• perlop - Quote and Quote-like Operators
• perlre - Modifiers
• perlre - Extended Patterns
• overload - Overloadable Operations

....qr{...} does not return a string!

Yes, I'm aware of that, otherwise it wouldn't work.

MattLG

Further to choroba's reply...

... is it safe just to remove the (?^: and the ) and send the middle bit through to the frontend javascript, or does this wrapper actually mean something ...

It actually means something.

Consider the two regexes /^xyz$/ and  /^xyz$/i for case-sensitive versus case-insensitive matching.

>perl -wMstrict -le
"my $qr1 = qr/^xyz$/;
 print $qr1;
 ;;
 my $qr2 = qr/^xyz$/i;
 print $qr2;
"
(?^:^xyz$)
(?^i:^xyz$)
[download]

Clearly, the two regexes have very different effects. This difference is lost if you simply strip away the wrapper. The same goes for the other modifiers you could use on a regex.

Take a look at the Extended Patterns section in perlre for the  "(?:pattern)" extended pattern, usually the third one in the section, near the beginning. The flags used may be slightly different in your version of Perl, but this grouping pattern is essentially the 'wrapper' you're talking about.

I don't know enough about Java regexes to be able to advise you about the path forward. Jeffrey Friedl has written the excellent (and expensive) Mastering Regular Expressions that could probably tell you all about this sort of conversion, but beyond that, I'm not sure what to say.