bytestream
commented
1 month ago Changing the regex to <!--([^>]*)(-->|\z) also fixes the back tracking issue.
Open bytestream opened 1 month ago
bytestream
commented
1 month ago Changing the regex to <!--([^>]*)(-->|\z) also fixes the back tracking issue.
The comment regex in https://github.com/xemlock/htmlpurifier-html5/blob/master/library/HTMLPurifier/Lexer/HTML5.php#L57 can cause catastrophic back tracking. The result is
preg_replace_callbackreturnsnullWorkaround is to increase
pcre.backtrack_limit. However, I think it would be better if the error handling in this function is improved to account for whenpreg_replace_callbackreturnsnull. I expect that it would just skip that comment regex functionality in that case.