From d646e37789618237e4f2d01d808d337ea7c561fb Mon Sep 17 00:00:00 2001
From: JSap0914
Date: Sat, 27 Jun 2026 18:50:11 +0900
Subject: [PATCH] fix(isFloat): reject sign-only + decimal-separator combinations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

isFloat('+.') and isFloat('-.') returned true because the early-return blacklist only checked for the sign and separator individually, missing the combined form. Same false positive occurs for the comma-decimal locales ('+,'/'-,' with e.g. de-DE) and for the Arabic decimal separator ('+٫'/'-٫' with ar-JO). Extend the guard to also reject '+' and '-' for the dot and comma separators (existing behavior for the characters in isolation is kept) and derive the locale's separator to cover non-latin separators.

Closes #2090
---
 src/lib/isFloat.js | 5 ++++-
 test/validators.test.js | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/lib/isFloat.js b/src/lib/isFloat.js
index 84bdc782c..544fae806 100644
--- a/src/lib/isFloat.js
+++ b/src/lib/isFloat.js
@@ -6,7 +6,10 @@ export default function isFloat(str, options) {
 assertString(str);
 options = options || {};
 const float = new RegExp(`^(?:[-+])?(?:[0-9]+)?(?:\\${options.locale ? decimal[options.locale] : '.'}[0-9]*)?(?:[eE][\\+\\-]?(?:[0-9]+))?$`);
- if (str === '' || str === '.' || str === ',' || str === '-' || str === '+') {
+ const decimalSep = options.locale ? decimal[options.locale] : '.';
+ if (str === '' || str === '.' || str === ',' || str === '-' || str === '+'
+ || str === '+.' || str === '-.' || str === '+,' || str === '-,'
+ || str === `+${decimalSep}` || str === `-${decimalSep}`) {
 return false;
 }
 const value = parseFloat(str.replace(',', '.'));
diff --git a/test/validators.test.js b/test/validators.test.js
index 7d9d12690..8f361c18b 100644
--- a/test/validators.test.js
+++ b/test/validators.test.js
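Review bot: The guard in the src/lib/isFloat.js hunk is still a list of exact strings, so any mantissa-less input that is not on the list gets past it: the pattern on the context line makes the integer part, the fraction and the exponent all optional, so `e5` and `+.e1` match it and neither is rejected here. Whether isFloat then returns true for them depends on the return expression, which is outside this hunk. Requiring a digit in the mantissa removes the need for the list: hoist `const decimalSep` above the `RegExp` and replace `(?:[0-9]+)?(?:\\${...}[0-9]*)?` with `(?:[0-9]+(?:\\${decimalSep}[0-9]*)?|\\${decimalSep}[0-9]+)`, which also stops the separator ternary being written twice. Because callers rely on this function as an input validator, a structural rule is safer than extending the denylist each time a new malformed shape is reported.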
@@ -4657,6 +4657,8 @@ describe('Validators', () => {
 'foo',
 '20.foo',
 '2020-01-06T14:31:00.135Z',
+ '+.',
+ '-.',
 ],
 });
@@ -4711,6 +4713,8 @@ describe('Validators', () => {
 '',
 '.',
 'foo',
+ '+,',
+ '-,',
 ],
 });
@@ -4738,6 +4742,8 @@ describe('Validators', () => {
 '',
 '.',
 'foo',
+ '+٫',
+ '-٫',
 ],
 });
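Review bot: The new `invalid` entries in all three test hunks (`'+.'`/`'-.'`, `'+,'`/`'-,'`, `'+٫'`/`'-٫'`) mirror the strings enumerated in the guard one for one, so they would not catch a neighbouring malformed input that the guard does not list. Adding a sign-plus-separator-plus-exponent case to each array, for example `'+.e1'` in the first and the same shape with that block's separator in the other two, would pin the boundary. A signed fractional value such as `'-.5'` in the matching `valid` arrays would show the guard does not over-reject. The `test({...})` calls, their locale arguments and the `valid` arrays all lie outside these hunks, so which locale each block covers is inferred from the commit message.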