Take a look #12
Comments
The link says there is a low-risk denial of service issue with this module related to regular expressions. A more specific link is here: https://srcclr.com/security/regular-expression-denial-service-redos-/javascript/sid-1862/technical. Version 0.3.0, the current version, is listed as being vulnerable. The problematic line pointed to is this one: A related reference is here: More about RegEx-based DOS: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

A potential workaround could be this, couldn't it? I am not very experienced with Regex-based DOS, but might this help?

html = html.replace(/<script(?:.*?)>(?:.|[\r\n])*?<\/script(?:.*)>/gmi, '');

vs.

html = html.replace(/<script(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/script>/gim, '');

Quantified group with a quantifier in it thingy is gone.
https://srcclr.com/bleach/javascript/npm/c-12769/vulnerabilities
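The safest fix for a pattern like this is to not strip script elements with a backtracking regex at all. The example below is added here and is not the module's own code: it removes `<script>` elements with a forward-only `indexOf` scan, so the running time stays linear no matter how the input is shaped. The two regexes quoted in the comment above are copied in only so their results can be compared on an ordinary, constructed sample; the function names (`stripScriptsLinear` and friends) are hypothetical. The sample also exposes a caveat of the proposed workaround: its trailing `(?:.*)>` is greedy, so when a second script element sits on the same line as the first closing tag, the text between the two elements is removed as well.

```javascript
// Added example (not the module's own code): strip <script> elements with a
// linear-time scan instead of a backtracking regular expression.

// Regex from the vulnerable line quoted in the issue (quantified group
// containing another quantifier).
const ORIGINAL_RE = /<script(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/script>/gim;
// Workaround proposed in the comment.
const WORKAROUND_RE = /<script(?:.*?)>(?:.|[\r\n])*?<\/script(?:.*)>/gmi;

function stripWithOriginalRegex(html) {
  return html.replace(ORIGINAL_RE, '');
}

function stripWithWorkaroundRegex(html) {
  return html.replace(WORKAROUND_RE, '');
}

// True when the character after "<script" ends the tag name (">", "/",
// whitespace or end of input), so "<scripts>" is not taken for a script tag.
function endsTagName(ch) {
  return ch === undefined || ch === '>' || ch === '/' || /\s/.test(ch);
}

// Removes every <script ...>...</script ...> element, case-insensitively.
// Every indexOf call only moves forward, so the whole pass is O(n) for any
// input: there is no backtracking that crafted input could blow up.
// An unterminated element is dropped to the end of the input, which is also
// how a browser treats it (everything after <script> is script text).
function stripScriptsLinear(html) {
  const lower = html.toLowerCase();
  let out = '';
  let i = 0;
  while (i < html.length) {
    const open = lower.indexOf('<script', i);
    if (open === -1) {
      out += html.slice(i);
      break;
    }
    if (!endsTagName(lower[open + 7])) {
      // Not a script tag (e.g. "<scripts>"): copy it through and keep scanning.
      out += html.slice(i, open + 7);
      i = open + 7;
      continue;
    }
    out += html.slice(i, open); // keep the text before the element
    const openEnd = html.indexOf('>', open + 7);
    const close = openEnd === -1 ? -1 : lower.indexOf('</script', openEnd + 1);
    const closeEnd = close === -1 ? -1 : html.indexOf('>', close + 8);
    if (closeEnd === -1) {
      break; // unterminated element: drop the remainder
    }
    i = closeEnd + 1;
  }
  return out;
}

// Constructed sample: two script elements, the second one starting on the
// same line as the first closing tag.
const SAMPLE =
  'a<script type="text/javascript">\nvar x = 1;\n</script>b<SCRIPT>alert(1)</SCRIPT>c';

console.log(JSON.stringify(stripScriptsLinear(SAMPLE)));       // "abc"
console.log(JSON.stringify(stripWithOriginalRegex(SAMPLE)));   // "abc"
console.log(JSON.stringify(stripWithWorkaroundRegex(SAMPLE))); // "ac": greedy (?:.*)> swallows "b"
```

The scanner is deliberately narrow: it only knows about `<script` followed by a tag-name boundary and the next `</script` after the opening tag's `>`. That is the same shape the regexes recognise, but without any ambiguity in how the characters between the tags can be split up, which is exactly where catastrophic backtracking comes from.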