fix: prevent ReDoS with comments
Once again - prior art: markdown-it/markdown-it@6ab7cc3

Hat tip @DanCech jonschlinkert#335 (comment) for pointing out jonschlinkert#331 (comment), which I missed initially
dominykas committed Jul 26, 2019
1 parent cbcb76f commit e31ec6c
Showing 2 changed files with 7 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/common/html_re.js
@@ -38,7 +38,7 @@ var open_tag = replace(/<[A-Za-z][A-Za-z0-9]*attribute*\s*\/?>/)
();

var close_tag = /<\/[A-Za-z][A-Za-z0-9]*\s*>/;
var comment = /<!--([^-]+|[-][^-]+)*-->/;
var comment = /<!---->|<!--(?:-?[^>-])(?:-?[^-])*-->/;
var processing = /<[?].*?[?]>/;
var declaration = /<![A-Z]+\s+[^>]*>/;
var cdata = /<!\[CDATA\[[\s\S]*?\]\]>/;
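Review bot: the reason for the rewrite of `comment` is not recorded in the file, and it is not obvious from the pattern alone; a short comment above `var comment` would help the next maintainer. The removed pattern `/<!--([^-]+|[-][^-]+)*-->/` repeats a group whose two alternatives overlap on runs of non-hyphen characters, so when the trailing `-->` fails (as on the `<!--aaa…--->` input in the fixture) the engine retries every partition of the run and backtracks exponentially. The new `(?:-?[^>-])(?:-?[^-])*` consumes at most one hyphen per iteration and always ends an iteration on a non-hyphen, so there is only one way to match any prefix and a rejected input fails in linear time; it also rejects a body that ends in `-` or contains `--`, and the added `<!---->` alternative covers the empty comment that the main branch can no longer match. Something like `// unambiguous form, see markdown-it/markdown-it@6ab7cc3 (avoids catastrophic backtracking)` next to the definition would capture that.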
6 changes: 6 additions & 0 deletions test/fixtures/remarkable/redos.txt
@@ -3,3 +3,9 @@
.
<p><a>ReDoS</a>&lt;![CDATA[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa]] &gt;</p>
.

.
<a>z</a><!--aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa--->
.
<p><a>z</a>&lt;!–aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa—&gt;</p>
.
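Review bot: the new fixture only exercises the pathological input (a long run of `a` followed by `--->`), so it proves the hang is gone but not that well-formed comments still pass through; consider adding a positive case beside it, such as `<a>z</a><!-- z -->` rendered unchanged, and `<!---->` for the empty-comment branch that the new regex now handles separately. The expected output here escapes the input as text rather than emitting it as inline HTML, which is the correct result since the comment body ends in `-`; the `–`/`—` in the expected line are the typographer's replacements for `--` and `---`, so they should be left as they are.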
