ecto / bleach

:no_entry_sign: minimalistic HTML sanitizer for node.js

Take a look #12

Open wilbertcr opened 8 years ago

wilbertcr commented 8 years ago

https://srcclr.com/bleach/javascript/npm/c-12769/vulnerabilities

markstos commented 8 years ago

The link says there is a low-risk denial of service issue with this module related to regular expressions. A more specific link is here:

https://srcclr.com/security/regular-expression-denial-service-redos-/javascript/sid-1862/technical

Version 0.3.0, the current version, is listed as being vulnerable.

The problematic line pointed to is this one: https://github.com/ecto/bleach/blob/master/lib/bleach.js#L73

A related reference is here: https://nodesecurity.io/advisories/47

More about RegEx-based DOS: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

wusala01 commented 5 years ago

A potential workaround could be this, couldn't it?

I am not very experienced with Regex-based DOS, but might this help?

      html = html.replace(/<script(?:.*?)>(?:.|[\r\n])*?<\/script(?:.*)>/gmi, '');

vs.

      html = html.replace(/<script(.*?)>(.*?[\r\n])*?(.*?)(.*?[\r\n])*?<\/script>/gim, '');

Quantified group with a quantifier in it thingy is gone.