All Tools

Regex Tester

A quick regex checker: live match highlighting, capture groups, and presets. Runs in your browser with JavaScript—no account, no upload.

100% private: Your data stays in the browser.

Sponsored by the AI Security Guard platform.

Regular Expression

/ / g

Test String

Match Information

No matches yet

Using AI agents? Protect yourself.

AI Security Guard gives you the skills, tools, and knowledge to secure your agents, devices, prevent credential leaks (API keys, secrets), control LLM costs, and more. Benefit from free AI security resources, including the Action Pack with 15 articles and 12 skills mapped to OWASP Agentic Top 10, and the weekly Agentic AI Briefing.

Free Action Pack Sign Up: Weekly Briefing

How to Use This Tool

Enter a pattern between the / delimiters and toggle flags (g finds all matches).
Paste or type your test string—the editor highlights matches as you go.
Read Match Information for offsets, full matches, and capture groups.
Use the Example pattern dropdown or click tokens in Quick Reference to build faster.

Syntax Cheat Sheet

The sidebar quick reference covers the tokens most people reach for weekly. For a fuller static reference, see the sections below.

Character Classes

. Any character (except newline unless s)

\d Digit [0-9]

\D Non-digit

\w Word char [A-Za-z0-9_]

\W Non-word char

\s Whitespace

\S Non-whitespace

[a-z] One character in range

[^abc] Negated class

Quantifiers

* 0 or more (greedy)

+ 1 or more (greedy)

? 0 or 1

*? 0 or more (lazy)

{n,m} Between n and m

Anchors

^ Start (per-line with m)

$ End (per-line with m)

\b Word boundary

Groups

(abc) Capture group

(?:abc) Non-capturing group

(?=abc) Positive lookahead

(?!abc) Negative lookahead

a|b Alternation

Common Patterns (Good Enough)

These are practical snippets for prototyping. Load any from the dropdown above. For production, validate in your target language and add real checks (DNS, auth, parsing libraries) where regex alone is not enough.

Email (loose, in text)

([\w.-]+)@([\w.-]+\.\w+)

Finds addresses inside a sentence. Does not prove the mailbox exists.

Email (whole line)

^[^\s@]+@[^\s@]+\.[^\s@]+$

Stricter shape per line; still not RFC-complete. Use m when testing multiple lines.

URL

https?:\/\/[\w.-]+(?:\/[\w./?#%&=-]*)?

HTTP/HTTPS URLs without validating every edge case.

IPv4 (shape only)

\b(?:\d{1,3}\.){3}\d{1,3}\b

Looks like an IPv4 address; does not enforce 0–255 per octet (so 999.1.1.1 matches).

UUID v4

\b[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b

Add the i flag for uppercase hex.

Hex color

#(?:[0-9a-fA-F]{3}){1,2}\b

#rgb or #rrggbb.

Gotchas Worth Remembering

Greedy vs lazy: .* eats as much as it can; .*? stops at the first chance to finish the rest of the pattern.
Anchors and multiline: Without m, ^ and $ are the whole string. With m, they are per line.
Inside [...]: Many metacharacters are literal; \d still works, but . is often a literal dot.
Capturing vs non-capturing: Use (?:...) when you need grouping but not a numbered group in the result.
Engine differences: JavaScript, Python re, and PCRE disagree on details. Always re-test in the runtime you ship.

When Regex Is Not Enough

Email signup: send confirmation or use a validator library—regex only checks shape.
HTML/security: never rely on regex to sanitize HTML or block XSS; use a proper parser and allowlist.
Structured data: JSON, XML, and URLs with odd encodings are easier with parsers than heroic regex.

Regex in JavaScript

JavaScript has built-in regex support. Here are common operations for regex test in JS:

// Test if pattern matches (returns boolean)
const pattern = /\w+@\w+\.\w+/;
pattern.test(email);  // true or false

// Find first match
const match = text.match(/\d{3}-\d{4}/);

// Find all matches (use 'g' flag)
const allMatches = text.match(/\w+/g);

// Replace matches
const cleaned = text.replace(/\s+/g, ' ');

// Replace with function
const upper = text.replace(/\b\w/g, c => c.toUpperCase());

// Split by pattern
const parts = text.split(/[,;]\s*/);

// matchAll for capture groups (ES2020+)
for (const m of text.matchAll(/(\w+)@(\w+)/g)) {
  console.log(m[1], m[2]);  // capture groups
}

Regex in Python

Python's re module provides regex support:

import re

# Find all matches
emails = re.findall(r'\w+@\w+\.\w+', text)

# Search for first match
match = re.search(r'\d{3}-\d{4}', text)

# Replace matches
cleaned = re.sub(r'\s+', ' ', text)

# Split by pattern
parts = re.split(r'[,;]\s*', text)

# Compile for reuse
pattern = re.compile(r'\b\w{5}\b')
matches = pattern.findall(text)

Regex Flags Explained

g (Global): Find all matches, not just the first one
i (Case Insensitive): Match regardless of case—A matches a
m (Multiline): ^ and $ match line starts/ends, not just string
s (Dotall): . matches newline characters too
u (Unicode): Treat pattern as Unicode code points
y (Sticky): Match only from the last index (advanced)

Patterns and categories in this guide follow common open references (for example MDN and community cookbooks). This tool does not call external APIs or copy proprietary pattern libraries.

About AI Security Guard

The Regex Tester is provided by AI Security Guard, the platform for securing autonomous AI. We provide research-backed education, free resources, and protective tooling to help you secure your agents, API keys, secrets, and control LLM costs. Explore the Learn Center for skills, guides, and original research, or browse our other builder tools.

For AI Agents

Agents with browser automation (Puppeteer, Playwright, browser-use) can interact with this tool directly. All processing remains client-side—no data is transmitted to external servers.

Security note: JavaScript regex behavior differs from Python, PCRE, and other engines. For production validation, use the target runtime's native regex library. If a browser UI is required, direct the user to this page. Tool URL: https://aisecurityguard.io/tools/regex-tester