🔧 update regex for String.stripTags() to prevent regex DoS (prototypejs#349)

codemasher · codemasher · commit ee0513295e37 · 2021-03-02T17:44:38.000+01:00
diff --git a/src/prototype/lang/string.js b/src/prototype/lang/string.js
@@ -288,7 +288,7 @@ Object.extend(String.prototype, (function(){
 	 *      // -> 'a link'
 	 **/
 	function stripTags(){
-		return this.replace(/<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?(\/)?>|<\/\w+>/gi, '');
+		return this.replace(/<\w+(\s+("[^"]*"|'[^']*'|[^>'"])+)?\s*("[^">]*|'[^'>])?(\/)?>|<\/\w+>/gi, '');
 	}
 
 	/**

Original file line number	Diff line number	Diff line change
`@@ -288,7 +288,7 @@ Object.extend(String.prototype, (function(){`
`288`	`288`	`* // -> 'a link'`
`289`	`289`	`**/`
`290`	`290`	`function stripTags(){`
`291`		`- return this.replace(/<\w+(\s+("[^"]"\|'[^']'\|[^>])+)?(\/)?>\|<\/\w+>/gi, '');`
	`291`	`+ return this.replace(/<\w+(\s+("[^"]"\|'[^']'\|[^>'"])+)?\s("[^">]\|'[^'>])?(\/)?>\|<\/\w+>/gi, '');`
`292`	`292`	`}`
`293`	`293`
`294`	`294`	`/**`