clerk · alexcarpenter · May 1, 2025 · May 1, 2025
diff --git a/.changeset/eighty-zoos-play.md b/.changeset/eighty-zoos-play.md
@@ -0,0 +1,5 @@
+---
+'@clerk/clerk-js': patch
+---
+
+Fix incomplete string escaping or encoding within password complexity.
diff --git a/packages/clerk-js/src/utils/passwords/complexity.ts b/packages/clerk-js/src/utils/passwords/complexity.ts
@@ -13,8 +13,8 @@
   let specialCharsRegex: RegExp;
   if (config.allowed_special_characters) {
     // Avoid a nested group by escaping the `[]` characters
-    let escaped = config.allowed_special_characters.replace('[', '\\[');
-    escaped = escaped.replace(']', '\\]');
+    let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
@@ -14,4 +14,5 @@
  if (config.allowed_special_characters) {
-    // Avoid a nested group by escaping the `[]` characters
-    let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
+    // Avoid a nested group by escaping backslashes and the `[]` characters
+    let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
+    escaped = escaped.replace(/\[/g, '\\[');
    escaped = escaped.replace(/\]/g, '\\]');
@@ -14,4 +14,5 @@
  if (config.allowed_special_characters) {
-    // Avoid a nested group by escaping the `[]` characters
-    let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
+    // Avoid a nested group by escaping backslashes and the `[]` characters
+    let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
+    escaped = escaped.replace(/\[/g, '\\[');
    escaped = escaped.replace(/\]/g, '\\]');
+    escaped = escaped.replace(/\]/g, '\\]');
@@ -15,3 +15,4 @@
    // Avoid a nested group by escaping the `[]` characters
-    let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
+    let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
+    escaped = escaped.replace(/\[/g, '\\[');
    escaped = escaped.replace(/\]/g, '\\]');
@@ -15,3 +15,4 @@
    // Avoid a nested group by escaping the `[]` characters
-    let escaped = config.allowed_special_characters.replace(/\[/g, '\\[');
+    let escaped = config.allowed_special_characters.replace(/\\/g, '\\\\');
+    escaped = escaped.replace(/\[/g, '\\[');
    escaped = escaped.replace(/\]/g, '\\]');
     specialCharsRegex = new RegExp(`[${escaped}]`);
   } else {
     specialCharsRegex = /[!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~]/;