in reply to
untainting regex input
In my own work in this context, I far prefer the use of wildcards to explicit regular expressions; you can handle the specific case of interest, and use quotemeta to clean the rest. It's in line with my web-context philosophy of white listing things rather than blacklisting.
With regards to your actual question, discussion of the feature in question is A bit of magic: executing Perl code in a regular expression. I would say, from a practical standpoint, as long as your parentheses get escaped, you should be safe, since this also blocks some potential denial-of-service via infinite recursion. But given the potential security mess here, I'd be very cautious, especially if this is outward facing. What benefits are you seeking via regex that wildcards are lacking?
#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.