This will exclude .js and .exe at the end of the string, but allow anything else:
/^[^.]+$|\.(?!(js|exe)$)([^.]+$)/
Broken down:
^[^.]+$ matches any string with no dots
\.(?!(js|exe)$)([^.]+$) matches a dot only if it is not followed by js or exe at the end of the string.
The following are allowed:
something.js.notjs
somethingelse.exee
/something.js/foo
The following are not allowed:
jquery.js
outlook.exe
Note: excluding certain file extensions is not a substitute for security, and even if it were, JS and EXE files would not be a comprehensive blacklist. If your purpose in excluding certain extensions is to protect your server or your users, consider a white list of extensions and a thorough validation of file data after upload.
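
The following is an added example, not part of the original answer: it runs the regex above over the listed names plus a few constructed edge cases, next to an extension allowlist of the kind the note recommends. The function names, the sample names and the allowed set (png, jpg, pdf) are assumptions for illustration.

```javascript
// Regex from the answer above: matches names that do NOT end in .js or .exe.
const DENYLIST_RE = /^[^.]+$|\.(?!(js|exe)$)([^.]+$)/;

// Assumed allowlist for illustration; use the extensions your application needs.
const ALLOWED_EXTENSIONS = new Set(["png", "jpg", "pdf"]);

// True when the answer's pattern accepts the name.
function denylistAllows(name) {
  return DENYLIST_RE.test(name);
}

// Allowlist check: reject path separators, then compare the lower-cased
// text after the last dot against the allowed set.
function allowlistAllows(name) {
  if (/[\/\\]/.test(name)) return false;
  const dot = name.lastIndexOf(".");
  if (dot <= 0 || dot === name.length - 1) return false;
  return ALLOWED_EXTENSIONS.has(name.slice(dot + 1).toLowerCase());
}

// Constructed sample names: the answer's own examples plus a few edge cases.
const SAMPLES = [
  "something.js.notjs", "somethingelse.exee", "/something.js/foo",
  "jquery.js", "outlook.exe",
  "JQUERY.JS",   // case differs from the pattern, so the denylist accepts it
  "script.mjs",  // extension that is not on the denylist
  "photo.PNG", "report.pdf", "README",
];

// Evaluate both checks for every name so the results can be compared.
function compare(names) {
  return names.map((name) => ({
    name,
    denylist: denylistAllows(name),
    allowlist: allowlistAllows(name),
  }));
}

console.table(compare(SAMPLES));
```

An extension check of either kind only inspects the name; the file data still needs validation after upload, as the note says.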