fix: remove potential infinite loop, DDOS vector

Add corresponding test
Lint

Author: medfreeman

src/__tests__/toc.js

@@ -31,6 +31,17 @@ test("markdown-it-toc-and-anchor toc", t => {
     "should work with soft breaks"
   );
 
+  t.is(
+    mdIt(
+      `**123**+
+@[toc]`,
+      { toc: true }
+    ),
+    `<p><strong>123</strong>+
+</p>\n`,
+    "should work with line breaks after text before toc"
+  );
+
   t.is(
     mdIt(
       `@[tac]
@@ -86,17 +97,17 @@ and next element in the same inline token`
 # Heading`,
       {
         toc: true,
-        tocClassName: null,
+        tocClassName: null
       }
     ),
     `<p><ul>
 <li><a href="#heading">Heading</a></li>
 </ul>
 </p>
 <h1 id="heading">Heading</h1>\n`,
-/* eslint-disable max-len */
-  "should handle not including default class in anchors when setting tocClassName to null"
-  )
+    /* eslint-disable max-len */
+    "should handle not including default class in anchors when setting tocClassName to null"
+  );
 
   t.is(
     mdIt(

src/index.js

@@ -253,19 +253,6 @@ export default function(md, options) {
     let token;
     let match;
 
-    while (
-      state.src.indexOf("\n") >= 0 &&
-      state.src.indexOf("\n") < state.src.indexOf(TOC)
-    ) {
-      if (state.tokens.slice(-1)[0].type === "softbreak") {
-        state.src = state.src
-          .split("\n")
-          .slice(1)
-          .join("\n");
-        state.pos = 0;
-      }
-    }
-
     if (
       // Reject if the token does not start with @[
       state.src.charCodeAt(state.pos) !== 0x40 ||
@@ -290,12 +277,7 @@ export default function(md, options) {
     token = state.push("toc_close", "toc", -1);
 
     // Update pos so the parser can continue
-    const newline = state.src.indexOf("\n");
-    if (newline !== -1) {
-      state.pos = state.pos + newline;
-    } else {
-      state.pos = state.pos + state.posMax + 1;
-    }
+    state.pos = state.pos + 6;
 
     return true;
   });