Note the use of the `\Q...\E` escape sequence. All characters between the `\Q` and the `\E`
are interpreted as literal characters (after string interpolation). This escape sequence can
be useful when interpolating, possibly malicious, user input.
These lines seem to indicate that `\Q` and `\E` can be used in a regex with unsafe, even malicious content, but I believe it can be easily defeated (`name = "\\E.*\\Q"`).
Should the docs be updated to clarify this?
I found 2 PRs for escaping a regex but they are not merged (#29643 and #31989).
Agree that this is not a good solution to protecting against potentially malicious content being spliced into a regex. I think we do have some functions for safely splicing literal content into regexes though...
Should regex interpolation try to do the safe thing by default with a flag to turn it off? We could do a similar thing to commands where if you interpolate another regex it gets interpreted, but if you interpolate a string it gets whatever processing is necessary applied to make it literal.
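The bypass raised in this issue, next to one way to keep interpolated text literal, as an added example that is not code from the thread, the manual, or Julia itself. The function names `naive_pattern`, `quote_literal` and `safe_pattern` are hypothetical, and the sample strings are constructed.

```julia
# Added example; `naive_pattern`, `quote_literal` and `safe_pattern` are
# hypothetical names, not functions from Julia or its manual.

# Construction in the style the quoted manual text describes: interpolate,
# then rely on \Q...\E to make the interpolated text literal.
naive_pattern(name::AbstractString) = Regex("[\"( ]\\Q$name\\E[\") ]")

# Make `s` literal even if it contains `\E`: each `\E` in the input is
# rewritten to close the quoted span, emit an escaped backslash, and reopen
# quoting before the `E`.
quote_literal(s::AbstractString) =
    raw"\Q" * replace(s, raw"\E" => raw"\E\\\QE") * raw"\E"

safe_pattern(name::AbstractString) =
    Regex("[\"( ]" * quote_literal(name) * "[\") ]")

hostile = "\\E.*\\Q"             # the value from the issue: \E.*\Q
log_line = "user=( root )"       # constructed sample; contains no backslash

# Naive form: the input closes the quote, so `.*` runs as regex syntax.
@assert occursin(naive_pattern(hostile), log_line)

# Hardened form: the same input only matches itself, character for character.
@assert !occursin(safe_pattern(hostile), log_line)
@assert occursin(safe_pattern(hostile), "(\\E.*\\Q)")

# Ordinary input (constructed) behaves the same in both forms.
@assert occursin(naive_pattern("Jon"), "(Jon)")
@assert occursin(safe_pattern("Jon"), "(Jon)")
```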
julia/doc/src/manual/strings.md
Lines 1030 to 1031 in e84634e
julia/doc/src/manual/strings.md
Lines 1040 to 1042 in e84634e