
[CVE-2023-24038] Handler for style attribute is vulnerable to ReDoS #3

Open
@ikedas

Version: 1.06

Confirmed with Perl 5.16.3 & 5.32.1

This is a test script test.pl:

```perl
use HTML::StripScripts::Parser;
my $hss = HTML::StripScripts::Parser->new;
$hss->parse_file(shift);
print $hss->filtered_document;
```

With attached test data, it crashes as below:

```
$ perl test.pl test-1.html.txt
Complex regular subexpression recursion limit (32766) exceeded at /usr/share/perl5/vendor_perl/HTML/StripScripts.pm line 1602.
$ perl test.pl test-2.html.txt
Complex regular subexpression recursion limit (32766) exceeded at /usr/share/perl5/vendor_perl/HTML/StripScripts.pm line 1606.
```

test-1.html.txt
test-2.html.txt
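
A fail-closed wrapper around the test script above, as an added example that is not part of the original report or of the HTML::StripScripts project: it treats the reported regex-engine diagnostic as a rejection of the document instead of letting it end the process or pass along a partial result. The helper name `filter_file_fail_closed` is hypothetical.

```perl
use strict;
use warnings;
use HTML::StripScripts::Parser;

# Diagnostic text taken from the report above.
my $REGEX_LIMIT = qr/Complex regular subexpression recursion limit/;

# Hypothetical helper (not part of HTML::StripScripts).
# Returns (filtered_html, undef) on success and (undef, reason) on failure.
# It never returns the unfiltered input.
sub filter_file_fail_closed {
    my ($path) = @_;
    my $filtered = eval {
        # If perl reports the condition as a warning rather than an
        # exception, promote it so a partial result is never used.
        local $SIG{__WARN__} = sub {
            die $_[0] if $_[0] =~ $REGEX_LIMIT;
            warn $_[0];
        };
        my $hss = HTML::StripScripts::Parser->new;
        $hss->parse_file($path);
        $hss->filtered_document;
    };
    if (!defined $filtered) {
        my $reason = $@ || "filter returned no document\n";
        return (undef, $reason);
    }
    return ($filtered, undef);
}

my $path = shift or die "usage: $0 file.html\n";
my ($html, $err) = filter_file_fail_closed($path);
if (defined $err) {
    # Log and reject; exit non-zero so callers do not publish anything.
    print STDERR "rejected $path: $err";
    exit 1;
}
print $html;
```

This only contains the failure for the caller; it does not bound the time the regex engine spends before giving up.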
