Merge branch 'develop'

CHANGELOG.md

@@ -1,3 +1,13 @@
+<a name="1.7.5"></a>
+## [1.7.5](https://github.com/showdownjs/showdown/compare/1.7.4...v1.7.5) (2017-10-02)
+
+
+### Bug Fixes
+
+* **html-comments:** changed regex to precent malformed long comment to freeze showdown ([3efcd10](https://github.com/showdownjs/showdown/commit/3efcd10)), closes [#439](https://github.com/showdownjs/showdown/issues/439)
+
+
+
 <a name="1.7.4"></a>
 ## [1.7.4](https://github.com/showdownjs/showdown/compare/1.7.3...1.7.4) (2017-09-08)
 

dist/showdown.js

@@ -1,4 +1,4 @@
-;/*! showdown v 1.7.4 - 08-09-2017 */
+;/*! showdown v 1.7.5 - 02-10-2017 */
 (function(){
 /**
  * Created by Tivie on 13-07-2015.
@@ -1801,9 +1801,10 @@ showdown.subParser('escapeSpecialCharsWithinTagAttributes', function (text, opti
   'use strict';
   text = globals.converter._dispatch('escapeSpecialCharsWithinTagAttributes.before', text, options, globals);
 
-  // Build a regex to find HTML tags and comments.  See Friedl's
-  // "Mastering Regular Expressions", 2nd Ed., pp. 200-201.
-  var regex = /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|<!(--.*?--\s*)+>)/gi;
+  // Build a regex to find HTML tags.
+  var regex = /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>)/gi,
+  // due to catastrophic backtrace we split the old regex into two, one for tags and one for comments
+      regexComments = /<!(--(?:|(?:[^>-]|-[^>])(?:[^-]|-[^-])*)--)>/gi;
 
   text = text.replace(regex, function (wholeMatch) {
     return wholeMatch
@@ -1811,6 +1812,11 @@ showdown.subParser('escapeSpecialCharsWithinTagAttributes', function (text, opti
       .replace(/([\\`*_~=|])/g, showdown.helper.escapeCharactersCallback);
   });
 
+  text = text.replace(regexComments, function (wholeMatch) {
+    return wholeMatch
+      .replace(/([\\`*_~=|])/g, showdown.helper.escapeCharactersCallback);
+  });
+
   text = globals.converter._dispatch('escapeSpecialCharsWithinTagAttributes.after', text, options, globals);
   return text;
 });

package.json

@@ -1,6 +1,6 @@
 {
   "name": "showdown",
-  "version": "1.7.4",
+  "version": "1.7.5",
   "description": "A Markdown to HTML converter written in Javascript",
   "author": "Estevão Santos",
   "homepage": "http://showdownjs.github.io/showdown/",

performance.log.md

@@ -1,6 +1,47 @@
 # Performance Tests for showdown
 
 
+## [version 1.7.5](https://github.com/showdownjs/showdown/tree/1.7.5)
+
+### Test Suite: Basic (50 cycles)
+| test | avgTime | max | min |
+|:-----|--------:|----:|----:|
+|Simple "Hello World"|0.562|14.434|0.118|
+|performance.testfile.md|30.396|57.886|26.628|
+
+### Test Suite: subParsers (20 cycles)
+| test | avgTime | max | min |
+|:-----|--------:|----:|----:|
+|hashHTMLBlocks|4.280|8.392|2.357|
+|anchors|0.602|5.341|0.285|
+|autoLinks|0.092|0.193|0.065|
+|blockQuotes|2.068|4.430|1.736|
+|codeBlocks|0.279|0.937|0.181|
+|codeSpans|0.222|0.592|0.158|
+|detab|0.120|0.145|0.091|
+|encodeAmpsAndAngles|0.116|0.222|0.096|
+|encodeBackslashEscapes|0.140|0.914|0.071|
+|encodeCode|1.195|2.009|0.861|
+|escapeSpecialCharsWithinTagAttributes|0.307|0.468|0.269|
+|githubCodeBlocks|0.197|0.837|0.144|
+|hashBlock|0.060|0.442|0.036|
+|hashElement|0.002|0.041|0.000|
+|hashHTMLSpans|4.289|4.712|4.002|
+|hashPreCodeTags|0.281|2.439|0.108|
+|headers|1.221|4.603|0.908|
+|horizontalRule|0.208|0.352|0.193|
+|images|0.182|0.634|0.128|
+|italicsAndBold|0.335|1.276|0.239|
+|lists|3.143|6.411|2.393|
+|outdent|0.398|0.585|0.159|
+|paragraphs|5.926|11.596|4.961|
+|spanGamut|4.443|6.012|4.024|
+|strikethrough|0.003|0.055|0.000|
+|stripLinkDefinitions|0.243|0.424|0.215|
+|tables|0.003|0.049|0.000|
+|unescapeSpecialChars|0.008|0.041|0.006|
+
+
 ## [version 1.7.4](https://github.com/showdownjs/showdown/tree/1.7.4)
 
 ### Test Suite: Basic (50 cycles)

src/subParsers/escapeSpecialCharsWithinTagAttributes.js

@@ -6,9 +6,10 @@ showdown.subParser('escapeSpecialCharsWithinTagAttributes', function (text, opti
   'use strict';
   text = globals.converter._dispatch('escapeSpecialCharsWithinTagAttributes.before', text, options, globals);
 
-  // Build a regex to find HTML tags and comments.  See Friedl's
-  // "Mastering Regular Expressions", 2nd Ed., pp. 200-201.
-  var regex = /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|<!(--.*?--\s*)+>)/gi;
+  // Build a regex to find HTML tags.
+  var regex = /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>)/gi,
+  // due to catastrophic backtrace we split the old regex into two, one for tags and one for comments
+      regexComments = /<!(--(?:|(?:[^>-]|-[^>])(?:[^-]|-[^-])*)--)>/gi;
 
   text = text.replace(regex, function (wholeMatch) {
     return wholeMatch
@@ -16,6 +17,11 @@ showdown.subParser('escapeSpecialCharsWithinTagAttributes', function (text, opti
       .replace(/([\\`*_~=|])/g, showdown.helper.escapeCharactersCallback);
   });
 
+  text = text.replace(regexComments, function (wholeMatch) {
+    return wholeMatch
+      .replace(/([\\`*_~=|])/g, showdown.helper.escapeCharactersCallback);
+  });
+
   text = globals.converter._dispatch('escapeSpecialCharsWithinTagAttributes.after', text, options, globals);
   return text;
 });

test/cases/html-comments.html

@@ -6,3 +6,5 @@
    <!-- comment -->
 <pre><code>&lt;!-- comment --&gt;
 </code></pre>
+<p>&lt;!----------------------------------------------------------------------------------------------------------------------------------------------------</p>
+<!-------------------------------------------------------------------->

test/cases/html-comments.md

@@ -9,3 +9,7 @@ words <!-- a comment --> words
    <!-- comment -->
 
     <!-- comment -->
+
+<!----------------------------------------------------------------------------------------------------------------------------------------------------
+
+<!-------------------------------------------------------------------->