Explain a regex token by token, inspect flags, and review maintainability, security, and performance risks in the browser.
Enter a regex pattern and flags to get a token-by-token explanation.
Example: `^(?:https?):\/\/[\w.-]+$` with `i`
Requires the match to start here.
Groups tokens without storing a capture.
Matches the literal character "h".
Matches the literal character "t".
Matches the literal character "t".
Matches the literal character "p".
Matches the literal character "s".
Makes the previous token optional.
Closes the current group.
Matches the literal character ":".
Escapes the next character or token.
Escapes the next character or token.
Matches one character from the listed set or range.
Repeats the previous token at least once.
Requires the match to end here.
Share this calculation
The link keeps basic share tracking.
The tool breaks a regular expression into character classes, groups, quantifiers, anchors, alternations, and escaped tokens, then turns those parts into readable notes.
It is meant for understanding why a pattern matches, where it is broad, and which parts may be difficult to maintain, not only for confirming that a pattern compiles.
The explanation follows JavaScript RegExp behavior; MDN's Regular expressions reference is the baseline for atoms, assertions, groups, character classes, and flags.
For ECMAScript compatibility, backreferences, lookahead, lookbehind, and Unicode flag behavior should still be checked in the target runtime; this tool explains intent but does not guarantee runtime support.
`i` changes case sensitivity, `g` searches globally, `m` changes start and end anchors across lines, and `s` allows the dot token to include line terminators.
`u` and newer `v` affect Unicode interpretation, so flag choice matters heavily for emoji, combined characters, and Unicode property escapes.
The token list moves from left to right and separates the visible symbol, short meaning, and structural effect for each item.
When groups and alternations are nested, read from the outer boundaries first; confirm anchors and main branches before inspecting character classes and repeat counts.
OWASP's Regular Expression Denial of Service guidance explains that nested repetition and overlapping alternatives can cause exponential slowdowns in some regex engines.
Before using user-facing patterns such as `(.+)+`, `(a|aa)+`, or broad unbounded repeats in production, add timeouts, input length limits, and server-side tests.
The tool explains patterns in the browser; it is not a security filter, HTML sanitizer, password policy engine, or access-control decision system.
For critical validation, combine official platform documentation, unit tests, and negative examples; mask sensitive production samples before pasting them into online tools.
Syntax and flag notes are based on MDN Web Docs JavaScript Regular expressions: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions
Performance and security warnings are based on OWASP Regular Expression Denial of Service: https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS