Last updated March 25, 2010. Created by pwolanin on March 25, 2010.
Edited by Damien Tournoud, coltrane.
Security advisories such as SA-CONTRIB-2010-027 and SA-CONTRIB-2010-030 have pointed out the risk of passing user input through regular expressions that use the /e flag, which causes the replacement string to be evaluated as PHP code for every match.
Mistakes in escaping strings can lead to arbitrary code execution vulnerabilities, which will likely lead to total compromise of your Drupal site.
For this reason, the /e flag should be avoided as insecure. It is generally possible to use preg_replace_callback() instead: the callback receives the matches as plain data, transforms them and returns the replacement string, so there is no path by which user input can be executed as PHP.
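The following is an added example, not code from this page or from Drupal itself. It shows the two approaches side by side on a typical task, replacing [name] placeholders in text that may come from a site visitor. The function and class names, the placeholder syntax and the sample input are all assumptions made for the illustration; the callback is a class method so that it also works on PHP versions before closures (5.3) were available.

```php
<?php
// Added example (not from the original page). Replaces [name] placeholders
// in text that may have been supplied by a site visitor.

// Insecure form: with the /e modifier, PHP evaluates the replacement string
// as code once per match, with the captured text substituted into it. The
// only thing between visitor-controlled text and arbitrary PHP execution is
// how well that captured text is escaped, which is exactly the mistake the
// advisories cited above describe. Shown for comparison; do not use.
function placeholders_replace_insecure($text, array $values) {
  return preg_replace(
    '/\[([^\]]+)\]/e',
    'isset($values["\\1"]) ? $values["\\1"] : "\\0"',
    $text
  );
}

// Safe form: preg_replace_callback() passes each match array to ordinary PHP
// code. The captured text is only ever a string argument and a string return
// value; nothing is evaluated, so escaping mistakes cannot turn into code
// execution. A small class carries the placeholder values to the callback.
class PlaceholderReplacer {
  protected $values;

  // $values is an array of placeholder name => replacement text.
  function __construct(array $values) {
    $this->values = $values;
  }

  function replace($text) {
    return preg_replace_callback('/\[([^\]]+)\]/', array($this, 'callback'), $text);
  }

  // $matches[0] is the whole match, $matches[1] the text inside the brackets.
  // Unknown placeholders are left untouched rather than silently dropped.
  function callback($matches) {
    $key = $matches[1];
    return isset($this->values[$key]) ? $this->values[$key] : $matches[0];
  }
}

// Constructed sample input (assumed, not from the page).
$values = array('site' => 'Example Site', 'user' => 'alice');
$text = 'Welcome to [site], [user]. Your [unknown] placeholder stays as-is.';

$replacer = new PlaceholderReplacer($values);
echo $replacer->replace($text) . "\n";
// Expected: Welcome to Example Site, alice. Your [unknown] placeholder stays as-is.
```

When auditing a module, search its source for preg_replace() and preg_replace_all() calls whose pattern ends in a modifier list containing `e`; every such call should be rewritten in the callback form above, since the pattern and escaping would otherwise have to be re-verified on every change to the surrounding code.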