html-minifier-next 1.0.0 → 1.1.0

package/README.md

@@ -1,5 +1,6 @@
 # HTML Minifier Next (HTMLMinifier)
 
+[![npm version](https://img.shields.io/npm/v/html-minifier-next.svg)](https://www.npmjs.com/package/html-minifier-next)
 <!-- [![Build Status](https://github.com/j9t/html-minifier-next/workflows/CI/badge.svg)](https://github.com/j9t/html-minifier-next/actions?workflow=CI) -->
 
 (This project is based on [Terser’s html-minifier-terser](https://github.com/terser/html-minifier-terser), which in turn is based on [Juriy Zaytsev’s html-minifier](https://github.com/kangax/html-minifier). It was set up because as of May 2025, both html-minifier-terser and html-minifier seem unmaintained. **This project is currently under test.** If it seems maintainable to me, [Jens](https://meiert.com/), even without community support, the project will be updated and documented further. The following documentation largely matches the original project.)
@@ -69,7 +70,7 @@ How does HTMLMinifier compare to other solutions — [HTML Minifier from Will Pe
 | [W3C](https://www.w3.org/) | 51 | **36** | 42 | n/a |
 | [Wikipedia](https://en.wikipedia.org/wiki/Main_Page) | 114 | **100** | 107 | n/a |
 
-## Options Quick Reference
+## Options quick reference
 
 Most of the options are disabled by default.
 
@@ -77,6 +78,7 @@ Most of the options are disabled by default.
 | --- | --- | --- |
 | `caseSensitive` | Treat attributes in case sensitive manner (useful for custom HTML tags) | `false` |
 | `collapseBooleanAttributes` | [Omit attribute values from boolean attributes](http://perfectionkills.com/experimenting-with-html-minifier#collapse_boolean_attributes) | `false` |
+| `customFragmentQuantifierLimit` | Set maximum quantifier limit for custom fragments to prevent ReDoS attacks | `200` |
 | `collapseInlineTagWhitespace` | Don’t leave any spaces between `display:inline;` elements when collapsing. Must be used in conjunction with `collapseWhitespace=true` | `false` |
 | `collapseWhitespace` | [Collapse white space that contributes to text nodes in a document tree](http://perfectionkills.com/experimenting-with-html-minifier#collapse_whitespace) | `false` |
 | `conservativeCollapse` | Always collapse to 1 space (never remove it entirely). Must be used in conjunction with `collapseWhitespace=true` | `false` |
@@ -91,6 +93,7 @@ Most of the options are disabled by default.
 | `ignoreCustomFragments` | Array of regexes that allow to ignore certain fragments, when matched (e.g. `<?php ... ?>`, `{{ ... }}`, etc.) | `[ /<%[\s\S]*?%>/, /<\?[\s\S]*?\?>/ ]` |
 | `includeAutoGeneratedTags` | Insert tags generated by HTML parser | `true` |
 | `keepClosingSlash` | Keep the trailing slash on singleton elements | `false` |
+| `maxInputLength` | Maximum input length to prevent ReDoS attacks (disabled by default) | `undefined` |
 | `maxLineLength` | Specify a maximum line length. Compressed output will be split by newlines at valid HTML split-points |
 | `minifyCSS` | Minify CSS in style elements and style attributes (uses [clean-css](https://github.com/jakubpawlowicz/clean-css)) | `false` (could be `true`, `Object`, `Function(text, type)`) |
 | `minifyJS` | Minify JavaScript in script elements and event attributes (uses [Terser](https://github.com/terser/terser)) | `false` (could be `true`, `Object`, `Function(text, inline)`) |
@@ -153,6 +156,63 @@ Output of resulting markup (e.g. `<p>foo</p>`)
 
 HTMLMinifier can’t know that original markup was only half of the tree; it does its best to try to parse it as a full tree and it loses information about tree being malformed or partial in the beginning. As a result, it can’t create a partial/malformed tree at the time of the output.
 
+## Security
+
+### ReDoS protection
+
+This minifier includes protection against regular expression denial of service (ReDoS) attacks:
+
+* Custom fragment quantifier limits: The `customFragmentQuantifierLimit` option (default: 200) prevents exponential backtracking by replacing unlimited quantifiers (`*`, `+`) with bounded ones in regular expressions.
+
+* Input length limits: The `maxInputLength` option allows you to set a maximum input size to prevent processing of excessively large inputs that could cause performance issues.
+
+* Enhanced pattern detection: The minifier detects and warns about various ReDoS-prone patterns including nested quantifiers, alternation with quantifiers, and multiple unlimited quantifiers.
+
+**Important:** When using custom `ignoreCustomFragments`, ensure your regular expressions don’t contain unlimited quantifiers (`*`, `+`) without bounds, as these can lead to ReDoS vulnerabilities.
+
+(Further improvements are needed. Contributions welcome.)
+
+#### Custom fragment examples
+
+**Safe patterns** (recommended):
+
+```javascript
+ignoreCustomFragments: [
+  /<%[\s\S]{0,1000}?%>/,         // JSP/ASP with explicit bounds
+  /<\?php[\s\S]{0,5000}?\?>/,    // PHP with bounds
+  /\{\{[^}]{0,500}\}\}/          // Handlebars without nested braces
+]
+```
+
+**Potentially unsafe patterns** (will trigger warnings):
+
+```javascript
+ignoreCustomFragments: [
+  /<%[\s\S]*?%>/,                // Unlimited quantifiers
+  /<!--[\s\S]*?-->/,             // Could cause issues with very long comments
+  /\{\{.*?\}\}/,                 // Nested unlimited quantifiers
+  /(script|style)[\s\S]*?/       // Multiple unlimited quantifiers
+]
+```
+
+**Template engine configurations:**
+
+```javascript
+// Handlebars/Mustache
+ignoreCustomFragments: [/\{\{[\s\S]{0,1000}?\}\}/]
+
+// Liquid (Jekyll)
+ignoreCustomFragments: [/\{%[\s\S]{0,500}?%\}/, /\{\{[\s\S]{0,500}?\}\}/]
+
+// Angular
+ignoreCustomFragments: [/\{\{[\s\S]{0,500}?\}\}/]
+
+// Vue.js
+ignoreCustomFragments: [/\{\{[\s\S]{0,500}?\}\}/]
+```
+
+**Important:** When using custom `ignoreCustomFragments`, the minifier automatically applies bounded quantifiers to prevent ReDoS attacks, but you can also write safer patterns yourself using explicit bounds.
+
 ## Running benchmarks
 
 Benchmarks for minified HTML:
@@ -167,4 +227,8 @@ npm run benchmark
 
 ```shell
 npm run serve
-```
+```
+
+## Acknowledgements
+
+With many thanks to all the previous authors of HTML Minifier, especially [Juriy Zaytsev](https://github.com/kangax), and to everyone who helped make this new edition better, like [Daniel Ruf](https://github.com/DanielRuf).

package/cli.js

@@ -28,8 +28,7 @@
 import fs from 'fs';
 import path from 'path';
 import { createRequire } from 'module';
-import { camelCase } from 'camel-case';
-import { paramCase } from 'param-case';
+import { camelCase, paramCase } from 'change-case';
 import { Command } from 'commander';
 import { minify } from './src/htmlminifier.js';
 
@@ -102,6 +101,7 @@ function parseString(value) {
 const mainOptions = {
   caseSensitive: 'Treat attributes in case sensitive manner (useful for SVG; e.g. viewBox)',
   collapseBooleanAttributes: 'Omit attribute values from boolean attributes',
+  customFragmentQuantifierLimit: ['Set maximum quantifier limit for custom fragments to prevent ReDoS attacks (default: 200)', parseInt],
   collapseInlineTagWhitespace: 'Collapse white space around inline tag',
   collapseWhitespace: 'Collapse white space that contributes to text nodes in a document tree.',
   conservativeCollapse: 'Always collapse to 1 space (never remove it entirely)',
@@ -116,6 +116,7 @@ const mainOptions = {
   ignoreCustomFragments: ['Array of regex\'es that allow to ignore certain fragments, when matched (e.g. <?php ... ?>, {{ ... }})', parseJSONRegExpArray],
   includeAutoGeneratedTags: 'Insert tags generated by HTML parser',
   keepClosingSlash: 'Keep the trailing slash on singleton elements',
+  maxInputLength: ['Maximum input length to prevent ReDoS attacks', parseInt],
   maxLineLength: ['Max line length', parseInt],
   minifyCSS: ['Minify CSS in style elements and style attributes (uses clean-css)', parseJSON],
   minifyJS: ['Minify Javascript in script elements and on* attributes', parseJSON],

package/package.json

@@ -5,32 +5,31 @@
   },
   "bugs": "https://github.com/j9t/html-minifier-next/issues",
   "dependencies": {
-    "camel-case": "^5.0.0",
-    "clean-css": "~5.3.2",
-    "commander": "^13.1.0",
-    "entities": "^6.0.0",
-    "param-case": "^4.0.0",
+    "change-case": "^4.1.2",
+    "clean-css": "~5.3.3",
+    "commander": "^14.0.0",
+    "entities": "^6.0.1",
     "relateurl": "^0.2.7",
-    "terser": "^5.15.1"
+    "terser": "^5.39.2"
   },
   "description": "Highly configurable, well-tested, JavaScript-based HTML minifier.",
   "devDependencies": {
     "@commitlint/cli": "^19.8.1",
-    "@jest/globals": "^29.5.0",
+    "@jest/globals": "^29.7.0",
     "@rollup/plugin-commonjs": "^28.0.3",
-    "@rollup/plugin-json": "^6.0.0",
+    "@rollup/plugin-json": "^6.1.0",
     "@rollup/plugin-node-resolve": "^16.0.1",
-    "@rollup/plugin-terser": "^0.4.3",
-    "alpinejs": "^3.12.2",
+    "@rollup/plugin-terser": "^0.4.4",
+    "alpinejs": "^3.14.9",
     "commitlint-config-non-conventional": "^1.0.1",
     "eslint": "^8.57.1",
     "eslint-config-standard": "^17.1.0",
     "husky": "^9.1.7",
     "is-ci": "^4.1.0",
-    "jest": "^29.5.0",
-    "jest-environment-jsdom": "^29.5.0",
-    "lint-staged": "^16.0.0",
-    "rollup": "^3.26.0",
+    "jest": "^29.7.0",
+    "jest-environment-jsdom": "^29.7.0",
+    "lint-staged": "^16.1.0",
+    "rollup": "^4.41.1",
     "rollup-plugin-polyfill-node": "^0.13.0",
     "vite": "^6.3.5"
   },
@@ -91,5 +90,5 @@
     "test:web": "NODE_OPTIONS='--experimental-vm-modules --no-warnings' jest --verbose --environment=jsdom"
   },
   "type": "module",
-  "version": "1.0.0"
+  "version": "1.1.0"
 }

package/src/htmlminifier.js

@@ -844,6 +844,11 @@ async function createSortFns(value, options, uidIgnore, uidAttr) {
 }
 
 async function minifyHTML(value, options, partialMarkup) {
+  // Check input length limitation to prevent ReDoS attacks
+  if (options.maxInputLength && value.length > options.maxInputLength) {
+    throw new Error(`Input length (${value.length}) exceeds maximum allowed length (${options.maxInputLength})`);
+  }
+
   if (options.collapseWhitespace) {
     value = collapseWhitespace(value, options, true, true);
   }
@@ -888,8 +893,24 @@ async function minifyHTML(value, options, partialMarkup) {
     return re.source;
   });
   if (customFragments.length) {
-    const reCustomIgnore = new RegExp('\\s*(?:' + customFragments.join('|') + ')+\\s*', 'g');
-    // temporarily replace custom ignored fragments with unique attributes
+    // Warn about potential ReDoS if custom fragments use unlimited quantifiers
+    for (let i = 0; i < customFragments.length; i++) {
+      if (/[*+]/.test(customFragments[i])) {
+        options.log('Warning: Custom fragment contains unlimited quantifiers (* or +) which may cause ReDoS vulnerability');
+        break;
+      }
+    }
+
+    // Safe approach: Use bounded quantifiers instead of unlimited ones to prevent ReDoS
+    const maxQuantifier = options.customFragmentQuantifierLimit || 200;
+    const whitespacePattern = `\\s{0,${maxQuantifier}}`;
+
+    // Use bounded quantifiers to prevent ReDoS - this approach prevents exponential backtracking
+    const reCustomIgnore = new RegExp(
+      whitespacePattern + '(?:' + customFragments.join('|') + '){1,' + maxQuantifier + '}' + whitespacePattern,
+      'g'
+    );
+    // Temporarily replace custom ignored fragments with unique attributes
     value = value.replace(reCustomIgnore, function (match) {
       if (!uidAttr) {
         uidAttr = uniqueId(value);