fixing reported ReDoS

Author: HenrikJoreteg

README.md

@@ -135,6 +135,7 @@ properties:
 
 ## changelog
 
+- `2.0.1` Addressing a reported regular expression denial of service issue reported by [Sam Sanoop](https://twitter.com/snoopysecurity) of [Snyk](https://snyk.io/) THANK YOU!. The issue was that sending certain input would cause one of the regular expressions we used to lock up and not finish, freezing the process. See the test that was added for details. To be clear, this lib wasn't meant for parsing non-well formed HTML. But, better safe than sorry! So we're fixing it.
 - `2.0.0` updated to more modern dependencies/build system. Switched to prettier, etc. No big feature differences, just new build system/project structure. Added support for top level text nodes thanks to @jperl. Added support for comments thanks to @pconerly.
 - `1.0.0 - 1.0.3` no big changes, bug fixes and speed improvements.
 

src/parse.js

@@ -1,4 +1,4 @@
-const tagRE = /<[a-zA-Z\-\!\/](?:"[^"]*"['"]*|'[^']*'['"]*|[^'">])*>/g
+const tagRE = /<[a-zA-Z\-\!\/](?:"[^"]*"|'[^']*'|[^'">])*>/g
 import parseTag from './parse-tag'
 
 // re-used obj for quick lookups of components

test/parse.js

@@ -766,3 +766,19 @@ test('simple speed sanity check', function (t) {
 
   t.end()
 })
+
+test('ReDoS vulnerability reported by Sam Sanoop of Snyk', function (t) {
+  const start = Date.now()
+  // reported problematic string
+  HTML.parse(
+    "<!''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''!"
+  )
+  // other variant
+  HTML.parse(
+    '<!""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""!'
+  )
+  const duration = Date.now() - start
+
+  t.ok(duration < 100, 'should not hang')
+  t.end()
+})