From fbf93a82ff127bb9c13f012935eff894533111a6 Mon Sep 17 00:00:00 2001
From: Jamie Davis
Date: Mon, 16 Apr 2018 10:02:19 -0400
Subject: [PATCH] address review comments
---
 lib/marked.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/lib/marked.js b/lib/marked.js
index 9b1c27b751..bb5afd018b 100644
--- a/lib/marked.js
+++ b/lib/marked.js
@@ -554,6 +554,9 @@ inline.normal = merge({}, inline);
 inline.pedantic = merge({}, inline.normal, {
 strong: /^__(?=\S)([\s\S]*?\S)__(?!_)|^\*\*(?=\S)([\s\S]*?\S)\*\*(?!\*)/,
 em: /^_(?=\S)([\s\S]*?\S)_(?!_)|^\*(?=\S)([\s\S]*?\S)\*(?!\*)/,
+ /* Original link re: /^!?\[(label)\]\(\s*?(?:\s+(['"][\s\S]*?['"]))?\s*\)/
+ * This captures the spec reasonably well but is vulnerable to REDOS.
+ * Instead we use a custom parser that follows the RegExp.exec semantics. */
 link: {
 exec: function (s) {
 // [TEXT](DESTINATION)
@@ -561,9 +564,9 @@ inline.pedantic = merge({}, inline.normal, {
 .replace('label', inline._label)
 .getRegex();

- function unwrapCarats (str) {
+ function unwrapAngleBrackets (str) {
 if (str.match(/^<.*>$/)) {
- str = str.substr(1, str.length - 1);
+ str = str.slice(1, -1);
 }
 return str;
 }
@@ -579,7 +582,7 @@ inline.pedantic = merge({}, inline.normal, {
 if (m = destinationAndTitleRe.exec(destination)) {
 // -> destination
 var dest1 = m[1].trim();
- dest1 = unwrapCarats(dest1);
+ dest1 = unwrapAngleBrackets(dest1);
 var title1 = m[2];
 return [fullMatch[0], text, dest1, title1];
 }
@@ -588,7 +591,7 @@ inline.pedantic = merge({}, inline.normal, {
 if (m = destinationRe.exec(destination)) {
 // -> destination
 var dest2 = m[1].trim();
- destination = unwrapCarats(dest2);
+ dest2 = unwrapAngleBrackets(dest2);
 var title2 = '';
 return [fullMatch[0], text, dest2, title2];
 }
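Review bot: The comment added above `link:` says the custom parser "follows the RegExp.exec semantics", but the return statements visible later in this patch hand back a plain array (`[fullMatch[0], text, dest1, title1]`), which carries no `index` or `input` property. The comment should state the real contract instead, for example `* Returns [fullMatch, text, href, title], or null when no link matches (no index/input).`; the no-match path is outside the hunks shown, so confirm it really yields `null` before writing that. Because the parser exists to remove a ReDoS-prone pattern, the comment is also the natural place to name a regression test that bounds link-parsing time on long input, and the diffstat shows none was added here.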
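Review bot: `unwrapAngleBrackets` still decides with `str.match(/^<.*>$/)`, and `.` does not match line terminators, so a bracketed destination that contains a newline would keep its `<` and `>`; whether such a string can reach this helper depends on the destination patterns, which are outside the hunk. A plain character test needs no regex and allocates no match array: `if (str.length > 1 && str.charAt(0) === '<' && str.charAt(str.length - 1) === '>') {`. The helper is declared inside `exec`, so it is re-created on every link parse and could be hoisted to module level. The enclosing `exec` body starts and ends outside this hunk.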
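Review bot: The title-less branch (`destinationRe`) repeats the trim-then-unwrap steps of the `destinationAndTitleRe` branch in the previous hunk almost line for line, and the slip corrected here (the unwrapped value went to `destination` and was then dropped) looks like a product of that duplication. Folding the two steps into one expression in both branches, `var dest2 = unwrapAngleBrackets(m[1].trim());` and the same for `dest1`, leaves no intermediate name to mis-assign. The patch touches only lib/marked.js, so a test case for an angle-bracketed destination without a title is still needed to keep this branch from regressing. Both `if` blocks sit inside `exec`, whose body continues outside the hunks.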