marked(">".repeat(5000)) crashes with recursion error

[andersk]

Describe the bug

marked(">".repeat(5000)) crashes with a recursion error. The exact bound is JS engine dependent, of course: I get the error with Node at 3842, Chrome at 3931, and Firefox at 49392.

To Reproduce

Steps to reproduce the behavior:

$ node
> const marked = require('./lib/marked');
> marked(">".repeat(5000));
RangeError: Maximum call stack size exceeded
Please report this to https://github.com/markedjs/marked.
    at RegExp.exec (<anonymous>)
    at Lexer.token (/home/anders/markdown/marked/lib/marked.js:295:37)
    at Lexer.token (/home/anders/markdown/marked/lib/marked.js:307:12)
    at Lexer.token (/home/anders/markdown/marked/lib/marked.js:307:12)
    at Lexer.token (/home/anders/markdown/marked/lib/marked.js:307:12)
    at Lexer.token (/home/anders/markdown/marked/lib/marked.js:307:12)
    at Lexer.token (/home/anders/markdown/marked/lib/marked.js:307:12)
    at Lexer.token (/home/anders/markdown/marked/lib/marked.js:307:12)
    at Lexer.token (/home/anders/markdown/marked/lib/marked.js:307:12)
    at Lexer.token (/home/anders/markdown/marked/lib/marked.js:307:12)

Expected behavior

Marked should avoid algorithms that rely on unbounded recursion.

[UziTech]

commonmark.js doesn't seem to have a limit.
markdown-it limits it at 100 nested blockquotes.

Not sure the best way to do this.

[UziTech]

commonmark.js seems to treat nested block quotes as a special case so it can have as many as given without recursion. I have a PoC for marked at #1464

I'm wondering if there are other ways to trigger unbounded recursion in nested blockquotes.

Nested lists probably have the same issue.

[UziTech]

I also think we have to decide if this is something we should fix or if throwing an error is good enough considering the following:

1. Highly unlikely you would have 1000+ nested blockquotes with normal use.
2. We can't reliably prevent a malicious actor from causing marked to throw an error.