You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
is the only place that html-parse-stringify2 is used, where the string to be parsed is explicitly wrapped in <0>${interpolatedString}</0>
I have not yet managed to find a value for ${interpolatedString} that triggers the ReDoS bug in html-parse-stringify2, and looking at the bug in the RegEx in html-parse-stringify2 I'm pretty sure there isn't one, but would like an official view from the maintainers on whether CVE-2021-23346 is definitely not applicable.
To Reproduce
If you want to see the bug in html-parse-stringify2 then run...
🐛 Bug Report
Raising as an issue here as I'm not sure this makes sense to ask on SO
html-parse-stringify2@^2.0.1.html-parse-stringify2is still maintained and will ever be fixed (ongoing conversation in Regular Expression Denial of Service possible rayd/html-parse-stringify2#26).react-i18next/src/Trans.js
Line 136 in 9f80ddc
html-parse-stringify2is used, where the string to be parsed is explicitly wrapped in<0>${interpolatedString}</0>${interpolatedString}that triggers the ReDoS bug inhtml-parse-stringify2, and looking at the bug in the RegEx inhtml-parse-stringify2I'm pretty sure there isn't one, but would like an official view from the maintainers on whether CVE-2021-23346 is definitely not applicable.To Reproduce
If you want to see the bug in
html-parse-stringify2then run...This does not complete in a timely manner.
Running the following does complete quickly, but maybe I just can't think of a "bad" input yet.
Expected behavior
Hopefully you confirm this is not applicable
Your Environment