From 7c7ccb42d6da7c07a48e819e94172a6089782b5d Mon Sep 17 00:00:00 2001
From: Thomas Boutell
Date: Thu, 14 Jul 2022 11:44:58 -0400
Subject: [PATCH 1/3] credit
---
 CHANGELOG.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c822d9b..bd9fb3e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,8 @@
 # Changelog
-- Protocol-relative URLs are properly supported for script tags
+## UNRELEASED
+
+- Protocol-relative URLs are properly supported for script tags. Thanks to [paweljq](https://github.com/paweljq).
 ## 2.7.0 (2022-02-04)
From 6683aadf5ecc903899b1d05101d14423fc191683 Mon Sep 17 00:00:00 2001
From: Thomas Boutell
Date: Thu, 14 Jul 2022 11:52:40 -0400
Subject: [PATCH 2/3] remove DoS vulnerability
---
 CHANGELOG.md | 1 +
 index.js | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bd9fb3e..48c28c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## UNRELEASED
 - Protocol-relative URLs are properly supported for script tags. Thanks to [paweljq](https://github.com/paweljq).
+- A denial-of-service vulnerability has been fixed by replacing global regular expression replacement logic for comment removal with a new implementation. Thanks to Nariyoshi Chida of NTT Security Japan for pointing out the issue.
 ## 2.7.0 (2022-02-04)
diff --git a/index.js b/index.js
index 754bf10..4a4c2d1 100644
--- a/index.js
+++ b/index.js
@@ -612,7 +612,17 @@ function sanitizeHtml(html, options, _recursing) {
 // Clobber any comments in URLs, which the browser might
 // interpret inside an XML data island, allowing
 // a javascript: URL to be snuck through
- href = href.replace(//g, '');
+ while (true) {
+ const firstIndex = href.indexOf('', firstIndex + 4);
+ if (lastIndex === -1) {
+ break;
+ }
+ href = href.substring(0, firstIndex) + href.substring(lastIndex + 3);
+ }
 // Case insensitive so we don't get faked out by JAVASCRIPT #1
 // Allow more characters after the first so we don't get faked
 // out by certain schemes browsers accept
From b6c4971a822b9bc9c0a5fce5f6160dd2397cf260 Mon Sep 17 00:00:00 2001
From: Thomas Boutell
Date: Wed, 20 Jul 2022 11:07:10 -0400
Subject: [PATCH 3/3] release 2.7.1 (with security fix previously tested and approved by Miro)
---
 CHANGELOG.md | 2 +-
 package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 48c28c7..dc84443 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Changelog
-## UNRELEASED
+## 2.7.1 (2022-07-20)
 - Protocol-relative URLs are properly supported for script tags. Thanks to [paweljq](https://github.com/paweljq).
 - A denial-of-service vulnerability has been fixed by replacing global regular expression replacement logic for comment removal with a new implementation. Thanks to Nariyoshi Chida of NTT Security Japan for pointing out the issue.
diff --git a/package.json b/package.json
index ab4981c..6054aff 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "sanitize-html",
- "version": "2.7.0",
+ "version": "2.7.1",
 "description": "Clean up user-submitted HTML, preserving allowlisted elements and allowlisted attributes on a per-element basis",
 "sideEffects": false,
 "main": "index.js",
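Review bot: The replacement loop introduced at `+ while (true) {` still does work proportional to the whole attribute on every iteration — the search for the next opener appears to restart from the beginning (its `indexOf` arguments are lost in this listing) and `href = href.substring(0, firstIndex) + href.substring(lastIndex + 3);` copies the string each time — so an attribute stuffed with many comment pairs costs O(n·k); that is far better than regex backtracking, but it deserves a comment so nobody later "optimizes" it into a single forward pass, which would miss an opener spliced together when a comment is cut out (e.g. `<!-` followed by `-…-->` once an inner `<!---->` is removed). I would add above the loop: `// Restart from the beginning after each removal: cutting one comment can splice its neighbours into a new '<!--...-->'. Plain indexOf instead of a global regex avoids the ReDoS fixed in 2.7.1.` Also note that when an opener has no matching `-->` the loop breaks and leaves the unterminated `<!--` in `href`, which matches the old `replace()` behaviour; whether a dangling opener is harmless in the XML-data-island case the comment above describes is not something this hunk settles. This listing appears to have lost the `<!--`/`-->` string literals to HTML-comment stripping, which is why `href.replace(//g, '')` and `href.indexOf('', firstIndex + 4)` read as truncated and why the `const lastIndex` / `firstIndex === -1` lines needed to reach the header's +17 count are missing. sanitizeHtml's body begins before and continues after the hunk.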