fix(client): fix polynomial regular expression used on uncontrolled data #1330

Merged: remarkablemark merged 4 commits into master from fix/client on Feb 6, 2026


remarkablemark (Owner) commented Feb 6, 2026

What is the motivation for this pull request?

Fixes https://github.com/remarkablemark/html-dom-parser/security/code-scanning/22
Fixes https://github.com/remarkablemark/html-dom-parser/security/code-scanning/23
Fixes https://github.com/remarkablemark/html-dom-parser/security/code-scanning/24
Fixes https://github.com/remarkablemark/html-dom-parser/security/code-scanning/25

What is the current behavior?

Polynomial regular expression used on uncontrolled data

This regular expression that depends on library input may run slow on strings starting with <head/<body and with many repetitions of <head/<body:

const HEAD_TAG_REGEX = /<head[^]*>/i;
const BODY_TAG_REGEX = /<body[^]*>/i;

The [^]* pattern matches any character (including newlines) zero or more times, which can cause ReDoS (Regular Expression Denial of Service) on malicious input due to catastrophic backtracking with the > terminator.

What is the new behavior?

The fix is to replace the negated character class with a pattern that properly handles quoted attributes without backtracking.

This eliminates the polynomial time complexity while maintaining correct behavior for tags with attributes.

Checklist:
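
The quadratic behaviour described above, next to a linear alternative, as an added example that is not part of this pull request or of html-dom-parser's code: `hasOpenTag` and `timeMs` are hypothetical names, and the single-pass scan is an assumed approach, not the pattern that was merged. It times the quoted `HEAD_TAG_REGEX` against a constructed input of repeated `<head` with no `>`.

```javascript
// Added example, not html-dom-parser's code. hasOpenTag and timeMs are hypothetical names.
const HEAD_TAG_REGEX = /<head[^]*>/i; // pattern quoted in the PR description

// Single forward pass: report whether `html` contains an opening <name ...> tag.
// Every index is visited at most once, so the cost is linear in html.length.
function hasOpenTag(html, name) {
  const lower = html.toLowerCase(); // scan one string so indices stay consistent
  const needle = '<' + name.toLowerCase();
  let i = lower.indexOf(needle);
  while (i !== -1) {
    let quote = null;
    let j = i + needle.length;
    for (; j < lower.length; j++) {
      const ch = lower[j];
      if (quote) {
        if (ch === quote) quote = null; // end of a quoted attribute value
      } else if (ch === '"' || ch === "'") {
        quote = ch; // a '>' inside quotes does not close the tag
      } else if (ch === '>') {
        return true;
      } else if (ch === '<') {
        break; // another tag starts first; resume the search here, never earlier
      }
    }
    if (j >= lower.length) return false; // reached the end without a closing '>'
    i = lower.indexOf(needle, j);
  }
  return false;
}

// Wall-clock helper for the comparison below.
function timeMs(fn) {
  const start = performance.now();
  fn();
  return performance.now() - start;
}

// Constructed worst case from the description: many "<head" repeats and no '>'.
for (const n of [2000, 4000]) {
  const evil = '<head'.repeat(n);
  const regexMs = timeMs(() => HEAD_TAG_REGEX.test(evil));
  const scanMs = timeMs(() => hasOpenTag(evil, 'head'));
  console.log(`${n} repeats: regex ${regexMs.toFixed(1)} ms, scan ${scanMs.toFixed(1)} ms`);
}
```

Unlike the regex, the scan treats a `>` inside a quoted attribute value as part of the value, so `<head title=">"` is reported as unterminated.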

remarkablemark self-assigned this Feb 6, 2026

github-actions bot (Contributor) commented Feb 6, 2026

size-limit report 📦

Path: dist/html-dom-parser.min.js
Size: 2.24 KB (+0.97% 🔺)
Loading time (3g): 45 ms (+0.97% 🔺)
Running time (snapdragon): 98 ms (+1025.95% 🔺)
Total time: 142 ms

codecov bot commented Feb 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (b445606) to head (3f3ef46).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##            master     #1330   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            6         6           
  Lines          138       149   +11     
  Branches        34        41    +7     
=========================================
+ Hits           138       149   +11     


remarkablemark merged commit 35f32fa into master Feb 6, 2026
22 checks passed
remarkablemark deleted the fix/client branch February 6, 2026 06:27