remove DoS vulnerability

apostrophecms · Jul 14, 2022 · 6683aad · 6683aad
1 parent 7c7ccb4
commit 6683aad
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## UNRELEASED
 
 - Protocol-relative URLs are properly supported for script tags. Thanks to [paweljq](https://github.com/paweljq).
+- A denial-of-service vulnerability has been fixed by replacing global regular expression replacement logic for comment removal with a new implementation. Thanks to Nariyoshi Chida of NTT Security Japan for pointing out the issue.
 
 ## 2.7.0 (2022-02-04)
 

diff --git a/index.js b/index.js
@@ -612,7 +612,17 @@ function sanitizeHtml(html, options, _recursing) {
     // Clobber any comments in URLs, which the browser might
     // interpret inside an XML data island, allowing
     // a javascript: URL to be snuck through
-    href = href.replace(/<!--.*?-->/g, '');
+    while (true) {
+      const firstIndex = href.indexOf('<!--');
+      if (firstIndex === -1) {
+        break;
+      }
+      const lastIndex = href.indexOf('-->', firstIndex + 4);
+      if (lastIndex === -1) {
+        break;
+      }
+      href = href.substring(0, firstIndex) + href.substring(lastIndex + 3);
+    }
     // Case insensitive so we don't get faked out by JAVASCRIPT #1
     // Allow more characters after the first so we don't get faked
     // out by certain schemes browsers accept