[cdata re] halt with CPU 100% on some html

[puzrin]

Put this into dingus:

foo <![CDATA[ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ]>

Similar to #263, found by @rlidwka .

Seems we should seriously revisit all attempts to parse HTML with regexp.

[puzrin]

markdown-it/markdown-it@89c8620

/<!\[CDATA\[[\s\S]*?\]\]>/ - this one works. Should satisfy HTML5 spec conditions. I don't know what were cutted conditions for.

[jgm]

A CDATA section cannot contain the string ]]>. The complex regex in the source was meant to rule that out. Your regex should work fine -- it uses non-greedy matching to the same effect. The one I used was designed for cmark and re2c, which doesn't have a non-greedy matching operator. Best solution is probably to use your regex for the js and the original one in cmark.

[puzrin]

Thanks for explanation. I'm not very strong in regexps and not familiar at all with implementation differences. Didn't know that re2c does not support non-gready matches.

Please, take a look if other JS regexps are ddos-able. @rlidwka did not found anything else, but it worth to duplucate this check for sure.

[rlidwka]

Just for the reference:

https://en.wikipedia.org/wiki/ReDoS
https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

I didn't find anything obvious, but a few other regexps are kinda fishy, worth checking out.