Was going over the inline html scanning routines when I ran into some questionable scanning methods. In particular, parsing repetitions of "a <![CDATA[" will scale quadratically!
Haven't tested other parsers yet. It would probably be good to test them as well and let them know when they are also vulnerable.
md4c is vulnerable also
and so is cmark.
@marcusklaas Fixed in MD4C by remembering how far we have scanned for the expected HTML closer without finding it. Later attempts to re-scan for the same closer may then fail early.
Note other raw HTML openers (e.g. HTML processing instructions or declarations) exhibited the same problem so you may need to check them too.
Thanks for the pointers! Good to have the parser people looking out for each other ^^
The <? and <!A vulnerabilities I hadn't caught, and looking at the code, pulldown-cmark is vulnerable to these as well.
Is a <![CDATA[ just a special case of a <!A? Or is it actually due to containing <![CDATA[?
The spec sees them as separate cases because the rules for starting/ending them are different.
See https://spec.commonmark.org/0.29/#declaration versus https://spec.commonmark.org/0.29/#cdata-section.
That said, implementations can share some code, but obviously not all of it.
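The two points raised in this thread, the quadratic rescan and the "remember how far we scanned" fix, in a runnable form. This is an added illustration written for this issue, not code from pulldown-cmark, MD4C or cmark. It assumes simplified opener rules taken from the spec 0.29 sections linked above (`<![CDATA[` closed by `]]>`, `<!` plus an uppercase ASCII letter closed by `>`, `<?` closed by `?>`) and counts the byte positions each scanner examines so the difference is measurable. The naive scanner restarts the closer search at every opener; the hardened one records, per closer kind, the earliest start from which a search reached end of input without a match, and any later search for the same closer fails immediately because it would only cover a suffix of that range.

```rust
/// Which raw-HTML construct an opener starts. The three kinds have
/// distinct closers, so the "nothing found" memo must be kept per kind.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum RawKind {
    Cdata,       // `<![CDATA[` ... `]]>`
    Declaration, // `<!` + uppercase ASCII letter ... `>`
    ProcInstr,   // `<?` ... `?>`
}

impl RawKind {
    fn closer(self) -> &'static [u8] {
        match self {
            RawKind::Cdata => b"]]>",
            RawKind::Declaration => b">",
            RawKind::ProcInstr => b"?>",
        }
    }
    fn index(self) -> usize {
        match self {
            RawKind::Cdata => 0,
            RawKind::Declaration => 1,
            RawKind::ProcInstr => 2,
        }
    }
}

/// Recognise a raw-HTML opener at byte offset `i` (simplified spec 0.29 rules,
/// an assumption of this example). Returns the kind and the opener length.
fn opener_at(s: &[u8], i: usize) -> Option<(RawKind, usize)> {
    let rest = &s[i..];
    if rest.starts_with(b"<![CDATA[") {
        Some((RawKind::Cdata, 9))
    } else if rest.starts_with(b"<?") {
        Some((RawKind::ProcInstr, 2))
    } else if rest.len() >= 3 && rest.starts_with(b"<!") && rest[2].is_ascii_uppercase() {
        Some((RawKind::Declaration, 2))
    } else {
        None
    }
}

/// Linear search for `closer` from `from`. Returns the offset just past the
/// closer if found, and adds every byte position examined to `work`.
fn find_closer(s: &[u8], from: usize, closer: &[u8], work: &mut usize) -> Option<usize> {
    let mut j = from;
    while j + closer.len() <= s.len() {
        *work += 1;
        if &s[j..j + closer.len()] == closer {
            return Some(j + closer.len());
        }
        j += 1;
    }
    None
}

pub struct ScanResult {
    /// (kind, start offset of opener, offset just past closer)
    pub spans: Vec<(RawKind, usize, usize)>,
    /// byte positions examined by find_closer
    pub work: usize,
}

/// Naive scanner: every unclosed opener rescans to end of input, so n openers
/// with no closer cost O(n^2).
pub fn scan_naive(input: &str) -> ScanResult {
    let s = input.as_bytes();
    let (mut spans, mut work, mut i) = (Vec::new(), 0usize, 0usize);
    while i < s.len() {
        if let Some((kind, len)) = opener_at(s, i) {
            if let Some(end) = find_closer(s, i + len, kind.closer(), &mut work) {
                spans.push((kind, i, end));
                i = end;
                continue;
            }
        }
        i += 1;
    }
    ScanResult { spans, work }
}

/// Hardened scanner: once a search for a given closer has reached end of input
/// without a match, every later search for that closer starts inside the same
/// already-scanned suffix and is rejected without looking at any byte.
pub fn scan_memo(input: &str) -> ScanResult {
    let s = input.as_bytes();
    let (mut spans, mut work, mut i) = (Vec::new(), 0usize, 0usize);
    let mut missing_from: [Option<usize>; 3] = [None; 3];
    while i < s.len() {
        if let Some((kind, len)) = opener_at(s, i) {
            let start = i + len;
            let known_missing = matches!(missing_from[kind.index()], Some(m) if start >= m);
            if !known_missing {
                match find_closer(s, start, kind.closer(), &mut work) {
                    Some(end) => {
                        spans.push((kind, i, end));
                        i = end;
                        continue;
                    }
                    None => missing_from[kind.index()] = Some(start),
                }
            }
        }
        i += 1;
    }
    ScanResult { spans, work }
}

fn main() {
    // Constructed pathological input from the issue report: the opener repeats, the closer never comes.
    let input = "a <![CDATA[".repeat(200);
    let naive = scan_naive(&input);
    let memo = scan_memo(&input);
    println!("len={} naive work={} memoised work={}", input.len(), naive.work, memo.work);
}
```

A real parser would also clamp the search at the end of the block and reset the memo when the block changes, but the invariant is the same: a failed search from offset p proves there is no closer anywhere in [p, end), so a later start q >= p needs no scan at all.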