What is the best regex for validating an email address?

For most cases use a simple safe pattern: /^[^@\s]+@[^@\s]+\.[^@\s]+$/ — it covers 99% of real-world emails and prevents header injection. For strict RFC 5322 compliance, see the "Strict Email Validation RFC 5322" pattern at https://regexlib.dev/regex/email-strict.

How do I write a strong password regex with at least 12 characters and a special character?

Use positive lookaheads: ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*]).{12,}$ — enforces lowercase, uppercase, digit, special character, and a 12-char minimum. See https://regexlib.dev/regex/password-very-strong.

What is the regex for ISO 8601 datetime with timezone?

^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,9})?(?:Z|[+-]\d{2}:\d{2})$ — accepts UTC (Z) or ±HH:MM offsets, with optional fractional seconds. Full reference at https://regexlib.dev/regex/iso-date-with-timezone.

How do I match a UUID v4 with regex?

^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ — the "4" before the third hyphen and the [89ab] before the fourth ensure version 4 and a valid variant. See https://regexlib.dev/regex/uuid-v4.

How can I detect leaked Stripe, AWS, or OpenAI API keys in code?

Use prefix-anchored patterns: Stripe sk_(live|test)_[A-Za-z0-9]{24,}, AWS AKIA[0-9A-Z]{16}, OpenAI sk-[A-Za-z0-9]{20,}T3BlbkFJ[A-Za-z0-9]{20,}, Google AIza[0-9A-Za-z_-]{35}. Combine in a single pre-commit hook to catch leaks.

Does regex validate that a date is real (e.g., not February 31)?

No. Regex checks the format only. Pair the regex with new Date(value) in JavaScript or datetime.fromisoformat() in Python to verify the calendar correctness.

What is the simplest regex for an IPv4 address with octet validation?

^(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d?\d)$ — enforces each octet between 0 and 255. See https://regexlib.dev/regex/ipv4.

How do I extract all URLs from a text with regex?

Use the global flag with: /https?:\/\/[^\s<>"']+/g — call text.match(re) to get every match. See https://regexlib.dev/regex/url-extract.

Why does my regex work in JavaScript but not in Python or Java?

Different engines have different syntax. JavaScript uses ECMAScript regex, Python uses re (PCRE-like, no recursion), Java uses java.util.regex (no \K), and Go uses RE2 (no lookarounds). Use the per-language code snippets on each pattern page — they escape the pattern correctly for each language.

Is RegexLib free? Do I need to sign up?

Yes, regexlib.dev is 100% free, no signup, no ads, and no rate limits. You can copy any pattern, test it live, and use the snippets in your project without attribution.

Securitypopular

Basic XSS Detection Regex Pattern

Detects common XSS patterns.

Pattern

<script[^>]*>.*?<\/script>|javascript:|onerror=|onload=

Tested examples

<script>alert('XSS')</script>

javascript:alert(1)

normal text

<div>content</div>

Test it live

Live Regex TesterJS

2 matches

Pattern

Test string

Result

<script>alert('XSS')</script>
javascript:alert(1)

Match 1at index 0

<script>alert('XSS')</script>

Match 2at index 30

javascript:

Use it in your language

Use it in

// JavaScript / Node.js
const regex = /<script[^>]*>.*?<\/script>|javascript:|onerror=|onload=/;
const value = "<script>alert('XSS')</script>";
const isMatch = regex.test(value);
console.log(isMatch); // true / false

// Extract all matches
const matches = value.match(/<script[^>]*>.*?<\/script>|javascript:|onerror=|onload=/g) || [];

Frequently asked questions

How do I use the Basic XSS Detection regex pattern in JavaScript?

Wrap the pattern in slashes: const re = /<script[^>]*>.*?<\/script>|javascript:|onerror=|onload=/; — then call re.test(value) to check a single value, or value.match(re) to find matches. The "Use it in" snippets above give you the exact code for 9 languages.

Is this basic xss detection regex production-ready?

Yes — every pattern in the library is tested against valid and invalid examples. Still, regex is one layer in a defense-in-depth strategy: pair it with server-side validation (e.g. Luhn for credit cards, mod-97 for IBAN, real DNS lookup for emails) for critical inputs.

Why does my pattern fail in another language?

Different regex engines (PCRE, Java, Python, Go's RE2) support slightly different syntax. The most common gotchas: lookbehinds (not in RE2), named groups syntax, and how backslashes need to be escaped inside string literals. The code snippets above already escape correctly for each language.

Can I edit this pattern and test it live?

Yes — use the live tester above. Type your test string and toggle flags (g, i, m, s, u, y) to see matches highlighted instantly, including capture groups.

Related patterns

See all Security →

Security

All patterns Open regex tester Regex cheatsheet

Basic XSS Detection Regex Pattern

Tested examples

Test it live

Use it in your language

Tags

Frequently asked questions

Related patterns

SQL Injection Detection

Strong Password

JWT Token

Ultra-Secure Password

TOTP / OTP Code

AWS Access Key ID