npm - html-minifier-next - Versions diffs - 5.1.3 → 5.1.4 - Mend

html-minifier-next 5.1.3 → 5.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/htmlminifier.cjs +37 -7
package/dist/types/htmlminifier.d.ts.map +1 -1
package/dist/types/htmlparser.d.ts.map +1 -1
package/package.json +1 -1
package/src/htmlminifier.js +17 -3
package/src/htmlparser.js +20 -4

package/dist/htmlminifier.cjs CHANGED Viewed

@@ -185,6 +185,23 @@ const preCompiledStackedTags = {
 // Cache for compiled attribute regexes per handler configuration
 const attrRegexCache = new WeakMap();
+// O(n) helper: Strip all occurrences of `open…close` delimiters, keeping inner content
+// Used instead of a regex replace to avoid O(n²) behavior on adversarial inputs
+function stripDelimited(str, open, close) {
+  let result = '';
+  let i = 0;
+  while (i < str.length) {
+    const start = str.indexOf(open, i);
+    if (start === -1) { result += str.slice(i); break; }
+    result += str.slice(i, start);
+    const end = str.indexOf(close, start + open.length);
+    if (end === -1) { result += str.slice(start); break; }
+    result += str.slice(start + open.length, end);
+    i = end + close.length;
+  }
+  return result;
+}
 function buildAttrRegex(handler) {
   let pattern = singleAttrIdentifier.source +
     '(?:\\s*(' + joinSingleAttrAssigns(handler) + ')' +
@@ -256,9 +273,10 @@ class HTMLParser {
     // Sticky regex versions for position-based matching (avoids string slicing)
     const startTagOpenY = new RegExp(startTagOpen.source.slice(1), 'y');
+    // `\s*` with sticky flag is O(n) at worst—no retry from different positions possible
     const startTagCloseY = /\s*(\/?)>/y;
     const endTagY = new RegExp(endTag.source.slice(1), 'y');
-    const doctypeY = /<!DOCTYPE\s?[^>]+>/iy;
+    const doctypeY = /<!DOCTYPE[^<>]+>/iy;
     const commentTestY = /<!--/y;
     const conditionalTestY = /<!\[/y;
@@ -444,9 +462,7 @@ class HTMLParser {
         if (m && m.index === 0) {
           let text = m[1];
           if (stackedTag !== 'script' && stackedTag !== 'style' && stackedTag !== 'noscript') {
-            text = text
-              .replace(/<!--([\s\S]*?)-->/g, '$1')
-              .replace(/<!\[CDATA\[([\s\S]*?)]]>/g, '$1');
+            text = stripDelimited(stripDelimited(text, '<!--', '-->'), '<![CDATA[', ']]>');
           }
           if (handler.chars) {
             const result = handler.chars(text);
@@ -3806,7 +3822,19 @@ async function minifyHTML(value, options, partialMarkup) {
   // Temporarily replace ignored chunks with comments, so that we don’t have to worry what’s there;
   // for all we care there might be completely-horribly-broken-alien-non-html-emoji-cthulhu-filled content
   if (value.indexOf('<!-- htmlmin:ignore -->') !== -1) {
-    value = value.replace(/<!-- htmlmin:ignore -->([\s\S]*?)<!-- htmlmin:ignore -->/g, function (match, group1) {
+    // Use `indexOf`-based O(n) loop instead of a global regex with [\s\S]*? to avoid O(n²)
+    // backtracking on adversarial HTML with many `<!--` prefixes but no closing marker
+    const ignoreMarker = '<!-- htmlmin:ignore -->';
+    const ignoreMarkerLen = ignoreMarker.length;
+    let ignoreResult = '';
+    let ignorePos = 0;
+    while (ignorePos < value.length) {
+      const ignoreStart = value.indexOf(ignoreMarker, ignorePos);
+      if (ignoreStart === -1) { ignoreResult += value.slice(ignorePos); break; }
+      ignoreResult += value.slice(ignorePos, ignoreStart);
+      const ignoreEnd = value.indexOf(ignoreMarker, ignoreStart + ignoreMarkerLen);
+      if (ignoreEnd === -1) { ignoreResult += value.slice(ignoreStart); break; }
+      const group1 = value.slice(ignoreStart + ignoreMarkerLen, ignoreEnd);
       if (!uidIgnore) {
         uidIgnore = uniqueId(value);
         const pattern = new RegExp('^' + uidIgnore + '([0-9]+)$');
@@ -3820,8 +3848,10 @@ async function minifyHTML(value, options, partialMarkup) {
       }
       const token = '<!--' + uidIgnore + ignoredMarkupChunks.length + '-->';
       ignoredMarkupChunks.push(group1);
-      return token;
-    });
+      ignoreResult += token;
+      ignorePos = ignoreEnd + ignoreMarkerLen;
+    }
+    value = ignoreResult;
   }
   // Create sort functions after `htmlmin:ignore` processing but before custom fragment UID markers

package/dist/types/htmlminifier.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"htmlminifier.d.ts","sourceRoot":"","sources":["../../src/htmlminifier.js"],"names":[],"mappings":"~~AAorDO~~,8BAJI,MAAM,YACN,eAAe,GACb,OAAO,CAAC,MAAM,CAAC,CAwB3B;;;;;;;;;;;;~~UAv9CS~~,MAAM;YACN,MAAM;YACN,MAAM;mBACN,MAAM;iBACN,MAAM;kBACN,MAAM;;;;;;;;;;;;;4BAQN,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,qBAAqB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,KAAK,OAAO;;;;;;;wBAMjG,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,SAAS,EAAE,iBAAiB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,KAAK,OAAO;;;;;;;;;;eAMhH,MAAM;;;;;;;;;;cASN,MAAM;;;;;;;;;;eASN,MAAM;;;;;;;;oBASN,OAAO;;;;;;;;;kCAON,OAAO;;;;;;;;gCAQR,OAAO;;;;;;;;kCAOP,OAAO;;;;;;;;yBAOP,OAAO;;;;;;;;2BAOP,OAAO;;;;;;;;4BAOP,OAAO;;;;;;;2BAOP,OAAO;;;;;;;;uBAMP,MAAM,EAAE;;;;;;yBAOR,MAAM;;;;;;yBAKN,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE;;;;;;;4BAKlB,MAAM,EAAE;;;;;;;oCAMR,MAAM;;;;;;;qBAMN,OAAO;;;;;;;;2BAOP,MAAM,EAAE;;;;;;;;;4BAOR,MAAM,EAAE;;;;;;;+BAQR,OAAO;;;;;;;2BAMP,SAAS,CAAC,MAAM,CAAC;;;;;;uBAMjB,OAAO;;;;;;;;UAKP,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI;;;;;;;;qBAO1B,MAAM;;;;;;;oBAON,MAAM;;;;;;;;mBAMN,OAAO;;;;;;;;;;gBAOP,OAAO,GAAG,OAAO,CAAC,OAAO,cAAc,EAAE,gBAAgB,CAAC,OAAO,cAAc,EAAE,aAAa,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;;;;;;;;;eAS9J,OAAO,GAAG,OAAO,QAAQ,EAAE,aAAa,GAAG;QAAC,MAAM,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KAAC,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;;;;;iBAa3J,OAAO,GAAG,MAAM,GAAG;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAC,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;;;;gBASjF,OAAO,MAAS;;;;;;;;WAQhB,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM;;;;;;;+BAOxB,OAAO;;;;;;;;;;oBAMP,OAAO;;;;;;;;yBASP,OAAO;;;;;;;gCAOP,OAAO;;;;;;;;iCAMP,OAAO;;;;;;;;;;qBAOP,MAAM,EAAE;;;;;;;qBASR,IAAI,GAAG,GAAG;;;;;;;4BAMV,OAAO;;;;;;;;qBAMP,OAAO;;;;;;;;;4BAOP,OAAO,GAAG,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;;;;;;;;0BAQtD,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;gCAOP,MAAM,EAAE;;;;;;;;yBAyBR,OAAO;;;;;;;;gCAOP,OAAO;;;;;;;iCAOP,OAAO;;;;;;;oCAMP,OAAO;;;;;;;;;;0BAMP,OAAO;;;;;;;;;qBASP,OAAO,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,IAAI,CAAC;;;;;;;;;qBAQzD,OAAO,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,CAAC;;;;;;;;0BAQrC,OAAO;;;;;;;sBAOP,OAAO;;wBAzoBkC,cAAc;0BAAd,cAAc;+BAAd,cAAc"}
1	+ {"version":3,"file":"htmlminifier.d.ts","sourceRoot":"","sources":["../../src/htmlminifier.js"],"names":[],"mappings":"AAksDO,8BAJI,MAAM,YACN,eAAe,GACb,OAAO,CAAC,MAAM,CAAC,CAwB3B;;;;;;;;;;;;UAr+CS,MAAM;YACN,MAAM;YACN,MAAM;mBACN,MAAM;iBACN,MAAM;kBACN,MAAM;;;;;;;;;;;;;4BAQN,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,EAAE,qBAAqB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,KAAK,OAAO;;;;;;;wBAMjG,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,SAAS,EAAE,iBAAiB,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,KAAK,OAAO;;;;;;;;;;eAMhH,MAAM;;;;;;;;;;cASN,MAAM;;;;;;;;;;eASN,MAAM;;;;;;;;oBASN,OAAO;;;;;;;;;kCAON,OAAO;;;;;;;;gCAQR,OAAO;;;;;;;;kCAOP,OAAO;;;;;;;;yBAOP,OAAO;;;;;;;;2BAOP,OAAO;;;;;;;;4BAOP,OAAO;;;;;;;2BAOP,OAAO;;;;;;;;uBAMP,MAAM,EAAE;;;;;;yBAOR,MAAM;;;;;;yBAKN,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE;;;;;;;4BAKlB,MAAM,EAAE;;;;;;;oCAMR,MAAM;;;;;;;qBAMN,OAAO;;;;;;;;2BAOP,MAAM,EAAE;;;;;;;;;4BAOR,MAAM,EAAE;;;;;;;+BAQR,OAAO;;;;;;;2BAMP,SAAS,CAAC,MAAM,CAAC;;;;;;uBAMjB,OAAO;;;;;;;;UAKP,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI;;;;;;;;qBAO1B,MAAM;;;;;;;oBAON,MAAM;;;;;;;;mBAMN,OAAO;;;;;;;;;;gBAOP,OAAO,GAAG,OAAO,CAAC,OAAO,cAAc,EAAE,gBAAgB,CAAC,OAAO,cAAc,EAAE,aAAa,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;;;;;;;;;eAS9J,OAAO,GAAG,OAAO,QAAQ,EAAE,aAAa,GAAG;QAAC,MAAM,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;KAAC,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;;;;;iBAa3J,OAAO,GAAG,MAAM,GAAG;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAC,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;;;;;;;;;gBASjF,OAAO,MAAS;;;;;;;;WAQhB,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM;;;;;;;+BAOxB,OAAO;;;;;;;;;;oBAMP,OAAO;;;;;;;;yBASP,OAAO;;;;;;;gCAOP,OAAO;;;;;;;;iCAMP,OAAO;;;;;;;;;;qBAOP,MAAM,EAAE;;;;;;;qBASR,IAAI,GAAG,GAAG;;;;;;;4BAMV,OAAO;;;;;;;;qBAMP,OAAO;;;;;;;;;4BAOP,OAAO,GAAG,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;;;;;;;;0BAQtD,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;gCAOP,MAAM,EAAE;;;;;;;;yBAyBR,OAAO;;;;;;;;gCAOP,OAAO;;;;;;;iCAOP,OAAO;;;;;;;oCAMP,OAAO;;;;;;;;;;0BAMP,OAAO;;;;;;;;;qBASP,OAAO,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,IAAI,CAAC;;;;;;;;;qBAQzD,OAAO,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,CAAC;;;;;;;;0BAQrC,OAAO;;;;;;;sBAOP,OAAO;;wBAzoBkC,cAAc;0BAAd,cAAc;+BAAd,cAAc"}

package/dist/types/htmlparser.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"htmlparser.d.ts","sourceRoot":"","sources":["../../src/htmlparser.js"],"names":[],"mappings":"AAgDA,4BAAkE;~~AAuFlE~~;IACE,qCAGC;IAFC,UAAgB;IAChB,aAAsB;IAGxB,~~uBAomBC~~;CACF"}
1	+ {"version":3,"file":"htmlparser.d.ts","sourceRoot":"","sources":["../../src/htmlparser.js"],"names":[],"mappings":"AAgDA,4BAAkE;AAwGlE;IACE,qCAGC;IAFC,UAAgB;IAChB,aAAsB;IAGxB,uBAmmBC;CACF"}

package/package.json CHANGED Viewed

@@ -95,5 +95,5 @@
   },
   "type": "module",
   "types": "./dist/types/htmlminifier.d.ts",
-  "version": "5.1.3"
+  "version": "5.1.4"
 }

package/src/htmlminifier.js CHANGED Viewed

@@ -931,7 +931,19 @@ async function minifyHTML(value, options, partialMarkup) {
   // Temporarily replace ignored chunks with comments, so that we don’t have to worry what’s there;
   // for all we care there might be completely-horribly-broken-alien-non-html-emoji-cthulhu-filled content
   if (value.indexOf('<!-- htmlmin:ignore -->') !== -1) {
-    value = value.replace(/<!-- htmlmin:ignore -->([\s\S]*?)<!-- htmlmin:ignore -->/g, function (match, group1) {
+    // Use `indexOf`-based O(n) loop instead of a global regex with [\s\S]*? to avoid O(n²)
+    // backtracking on adversarial HTML with many `<!--` prefixes but no closing marker
+    const ignoreMarker = '<!-- htmlmin:ignore -->';
+    const ignoreMarkerLen = ignoreMarker.length;
+    let ignoreResult = '';
+    let ignorePos = 0;
+    while (ignorePos < value.length) {
+      const ignoreStart = value.indexOf(ignoreMarker, ignorePos);
+      if (ignoreStart === -1) { ignoreResult += value.slice(ignorePos); break; }
+      ignoreResult += value.slice(ignorePos, ignoreStart);
+      const ignoreEnd = value.indexOf(ignoreMarker, ignoreStart + ignoreMarkerLen);
+      if (ignoreEnd === -1) { ignoreResult += value.slice(ignoreStart); break; }
+      const group1 = value.slice(ignoreStart + ignoreMarkerLen, ignoreEnd);
       if (!uidIgnore) {
         uidIgnore = uniqueId(value);
         const pattern = new RegExp('^' + uidIgnore + '([0-9]+)$');
@@ -945,8 +957,10 @@ async function minifyHTML(value, options, partialMarkup) {
       }
       const token = '<!--' + uidIgnore + ignoredMarkupChunks.length + '-->';
       ignoredMarkupChunks.push(group1);
-      return token;
-    });
+      ignoreResult += token;
+      ignorePos = ignoreEnd + ignoreMarkerLen;
+    }
+    value = ignoreResult;
   }
   // Create sort functions after `htmlmin:ignore` processing but before custom fragment UID markers

package/src/htmlparser.js CHANGED Viewed

@@ -82,6 +82,23 @@ const preCompiledStackedTags = {
 // Cache for compiled attribute regexes per handler configuration
 const attrRegexCache = new WeakMap();
+// O(n) helper: Strip all occurrences of `open…close` delimiters, keeping inner content
+// Used instead of a regex replace to avoid O(n²) behavior on adversarial inputs
+function stripDelimited(str, open, close) {
+  let result = '';
+  let i = 0;
+  while (i < str.length) {
+    const start = str.indexOf(open, i);
+    if (start === -1) { result += str.slice(i); break; }
+    result += str.slice(i, start);
+    const end = str.indexOf(close, start + open.length);
+    if (end === -1) { result += str.slice(start); break; }
+    result += str.slice(start + open.length, end);
+    i = end + close.length;
+  }
+  return result;
+}
 function buildAttrRegex(handler) {
   let pattern = singleAttrIdentifier.source +
     '(?:\\s*(' + joinSingleAttrAssigns(handler) + ')' +
@@ -153,9 +170,10 @@ export class HTMLParser {
     // Sticky regex versions for position-based matching (avoids string slicing)
     const startTagOpenY = new RegExp(startTagOpen.source.slice(1), 'y');
+    // `\s*` with sticky flag is O(n) at worst—no retry from different positions possible
     const startTagCloseY = /\s*(\/?)>/y;
     const endTagY = new RegExp(endTag.source.slice(1), 'y');
-    const doctypeY = /<!DOCTYPE\s?[^>]+>/iy;
+    const doctypeY = /<!DOCTYPE[^<>]+>/iy;
     const commentTestY = /<!--/y;
     const conditionalTestY = /<!\[/y;
@@ -343,9 +361,7 @@ export class HTMLParser {
         if (m && m.index === 0) {
           let text = m[1];
           if (stackedTag !== 'script' && stackedTag !== 'style' && stackedTag !== 'noscript') {
-            text = text
-              .replace(/<!--([\s\S]*?)-->/g, '$1')
-              .replace(/<!\[CDATA\[([\s\S]*?)]]>/g, '$1');
+            text = stripDelimited(stripDelimited(text, '<!--', '-->'), '<![CDATA[', ']]>');
           }
           if (handler.chars) {
             const result = handler.chars(text);