When using a function for the replacement argument with the String.replace() method, the returned data is somehow returned incorrectly if it contains a dollar sign ("$") followed by a number for which there is a corresponding capturing group in the regular expression pattern being searched for. This corruption does not directly result from the regular expression or any other JavaScript code being run over the data. Here's reduced code to reproduce the bug: var str = '$1'; alert(str.replace(/(\D)(\d)/g, function($0){return $0;})); Values to set for str, and the results: - '$1' (as shown above) incorrectly returns just $. - '$2' incorrectly returns just 2. - Other values correctly result in the entire, original test string being returned.
Created attachment 15146 [details] Test case
Confirmed. I can reproduce this on Safari 2.0.r and 3 beta on Mac.
I have a fix for this in my tree, I just need to write up some test cases to better cover the expected behaviours.
Created attachment 15149 [details] Patch
Comment on attachment 15149 [details] Patch r=me
Landed in r23675. Thanks for the bug report!