Regex Tester
Enter a regular expression, toggle flags, and type a test string — matches highlight live and every capture group is broken out for you. Built on the same JavaScript engine your code runs on.
Flags
Highlighted matches
beltz@quantlabusa.dev
group 1: beltz
group 2: quantlabusa
group 3: dev
sales@example.com
group 1: sales
group 2: example
group 3: com
Quick reference
- \d — digit · \w — word char · \s — whitespace
- ^ — start · $ — end · . — any char (except newline)
- * — 0+ · + — 1+ · ? — 0 or 1 · {2,4} — range
- (abc) — group · (?<name>abc) — named group · [a-z] — class
How to read what this tool shows you
Type a pattern, pick your flags, and paste a test string. Every match is highlighted inline so you can see exactly what the engine grabbed, and each match is listed below with its start index, length, and a breakdown of every capture group. Named groups — the (?<name>...) syntax — are labeled by name. The whole thing recomputes as you type, so you can dial a pattern in by feel.
The global flag changes everything. Without g, the engine returns the first match and stops. With it, you get every non-overlapping match in the string. This tester handles the subtle trap that bites people writing their own match loops: a zero-width match (a pattern that can match the empty string) will loop forever unless you manually advance past it. We advance lastIndex for you, so empty matches do not hang the page.
A word on engine differences. This runs the browser's native JavaScript regex engine, so it mirrors what your front-end and Node.js code will do. But regex flavors are not interchangeable: a pattern that works in Python's re or PCRE may behave differently or be invalid here, and vice versa. Always test in the engine you will ship to. If your validation logic lives in several languages, that inconsistency is a real source of bugs we untangle during custom software builds.
Regex is a security surface, not just a utility. A carelessly written pattern with nested quantifiers — the classic (a+)+ shape — can be driven into exponential backtracking by a malicious input, freezing the thread that runs it. This is ReDoS, and it is a genuine denial-of-service vector when the regex touches user input on your server. Validating untrusted data with hand-rolled patterns is one of the things we scrutinize during a web application penetration test and our broader penetration testing engagements.
How to use it
Put your expression in the pattern box — no surrounding slashes needed, they are shown for clarity. Toggle flags with the buttons; the active set appears after the closing slash. Paste or type your test string and the matches highlight immediately, with a per-match breakdown of groups underneath. If your pattern is syntactically invalid, you will get the engine's error message instead of silent failure. Nothing leaves your browser, so a refresh resets the tool.
FAQs
Which regex flavor does this tester use?
It uses the JavaScript (ECMAScript) regular expression engine built into your browser via the native RegExp object. That means it matches exactly what your front-end code and Node.js will do. Be aware that flavors differ: lookbehind, named groups, and Unicode property escapes are supported in modern JavaScript but the syntax and feature set are not identical to PCRE, Python's re, or .NET. Test in the engine you will actually deploy to.
What do the flags g, i, m, s, u, and y do?
g (global) finds all matches instead of stopping at the first. i (ignore case) makes the match case-insensitive. m (multiline) makes ^ and $ match at line breaks rather than only the string's start and end. s (dotall) lets the dot match newline characters. u (unicode) enables correct handling of code points beyond the basic plane and Unicode property escapes. y (sticky) anchors each match to the current lastIndex position. Toggle them and watch the highlights update live.
How do capture groups and named groups show up?
Every set of parentheses in your pattern creates a numbered capture group, listed under each match in order. If you write a named group with the (?<name>...) syntax, it appears labeled by its name as well. This makes it easy to confirm that the part of the match you actually care about — the domain in an email, the year in a date — is being captured correctly before you wire the pattern into code.
Is my pattern or test data sent anywhere?
No. The pattern and the test string never leave your browser — matching runs entirely on your machine with the native RegExp engine. There are no network requests, no logging, and nothing stored after you close the tab. That makes it safe to test against real log lines or sample records without exposing them to a remote service.
Why is my regex slow or hanging on some inputs?
That is usually catastrophic backtracking — a pattern with nested quantifiers like (a+)+ can take exponential time on certain inputs, which is the basis of ReDoS (regular-expression denial of service) attacks. If a regex runs on user-supplied input on your server, an attacker can craft a string that pins your CPU. The fix is to avoid ambiguous nested quantifiers, anchor patterns, and prefer specific character classes. This is exactly the kind of issue we look for in a security review.
Related tools
Related engineering reading
All postsAPI Security Best Practices (2026)
Auth, rate limiting, input validation, secrets, and the OWASP API Top 10.
Read postPreventing Prompt Injection in AI Apps (2026)
Prompt injection as the new injection class, trust boundaries for tools and retrieval, and mitigations.
Read postPreventing SQL Injection in Modern Web Apps (2026)
Parameterized queries, ORMs, least-privilege DB roles, and why concatenation still breaches apps.
Read post
Input validation should not be a guessing game
From email and phone parsing to ReDoS-safe validation on untrusted input, getting regex right is part craft, part security. We build software that validates correctly and resists abuse — and we audit the patterns you already ship. Talk to us about a build or a security review.
Or reach us directly: (770) 652-1282 · beltz@quantlabusa.dev