Graham Sutherland / Polynomialprotip: ALWAYS use regular expression literals in JavaScript and TypeScript and any other language that supports it, instead of writing your regex out in a string. I cannot count how many critical security bugs I have found over the years from someone writing a regex like "^en\.wikipedia\.org$", which is incorrect because the \. is treated as *string* escape sequence (an invalid one that just produces .) which then results in the regex being "^en.wikipedia.org$" which matches "enowikipedia.org".
this doesn't just come up in domain name allowlisting, it's eeeeverrryyywhere. the double escapes ALWAYS catch people out. use the regex literals, they'll save your ass. and if your language or toolchain or linter has a strict mode that can yell at you about bogus escape sequences in strings (or in regex literals too, for that matter) then turn it on and turn it up to 11.
imo languages should default to making invalid string escape sequences a compile error. so please go yell at (by which I mean "politely but firmly ask") your neighbourhood language standards committee to be strict on this. by default. so I don't keep finding this bug class for another 15 years.
Niels Abildgaard@gsuberland Javascript now has RegExp.escape for if you really really need a string-based regex (e.g. generating from data).
Good advice in this thread!