
Update regex for striptags method to prevent regex dos #349


Open: wants to merge 2 commits into base: master

Conversation

jwestbrook (Collaborator)

Per conversation, here is the Pull Request for the advisory. Attempt 2

@erik-krogh

👍

codemasher added a commit to codemasher/prototype that referenced this pull request Mar 2, 2021
@jwestbrook jwestbrook mentioned this pull request Jan 14, 2022
@madrobby (Collaborator)

madrobby commented Jan 14, 2022

Heya, is there a test somewhere demonstrating that this works? Thanks.

Ideally, this should be added to master/test/unit/tests/string.test.js

@elhennig

Is there any plan to create a new release including this fix?

@Nikunj-daga-94

Nikunj-daga-94 commented Apr 22, 2022

This RegEx does not seem to work. I tried it in my project; my unit tests are failing since the UI ids being created using this are incorrect/changed. Any ideas?

@madhusudhanreddyvade

Try below

// Installed on String.prototype so that `this` is the string being stripped.
// Two regex-literal fixes: the "/" in the closing-tag branch must be escaped
// as "\/" or it terminates the literal, and the "*" quantifiers on the quoted
// attribute-value alternatives are restored (they appear to have been lost in
// rendering). The (?=(\w+))\1 construct emulates an atomic group, so the tag
// name cannot be re-split during backtracking.
String.prototype.stripTags = function () {
  return this.replace(/<(?=(\w+))\1(\s+("[^"]*"|'[^']*'|[^>])+)?>|<\/(?=(\w+))\1>/gi, '');
};

@AyushRawat1996

Can anyone please update on this PR?

@savetheclocktower (Collaborator)

The project is not active and will not be doing further releases. You are encouraged to apply this fix yourself after loading prototype.js:

// Patched stripTags: inside an opening tag the bare-character alternative is
// [^>'"], so it no longer overlaps with the "..." and '...' alternatives.
String.prototype.stripTags = function () {
  return this.replace(/<\w+(\s+("[^"]*"|'[^']*'|[^>'"])+)?\s*("[^">]*|'[^'>])?(\/)?>|<\/\w+>/gi, '');
};
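The patched regex from the comment above, packaged as an added example that is not code from this PR or from the Prototype project: a standalone stripTags function plus a small table of constructed inputs, the kind of unit-test cases madrobby asked to see under test/unit/tests/string.test.js. The regex is the one posted above; the names STRIP_TAGS_RE, stripTags, CASES and runCases and all sample strings are mine.

```javascript
// Added example, not from the PR or the Prototype project. The regex is the
// one posted in the comment above; everything else here is illustrative.
const STRIP_TAGS_RE = /<\w+(\s+("[^"]*"|'[^']*'|[^>'"])+)?\s*("[^">]*|'[^'>])?(\/)?>|<\/\w+>/gi;

// Standalone equivalent of String.prototype.stripTags, so it can be exercised
// in a test without patching the prototype.
function stripTags(str) {
  return String(str).replace(STRIP_TAGS_RE, '');
}

// Why the patched pattern is safer: inside an opening tag the bare-character
// alternative is [^>'"], so it can never consume a quote character that the
// "..." or '...' alternatives also match. A quoted attribute value therefore
// has one way to be matched instead of one way per split between the quoted
// branch and the bare branch, which removes the ambiguity the original
// pattern could explore exponentially.

// Constructed sample inputs (not from the page) with the output the patched
// regex produces for each.
const CASES = [
  { input: '<p>hello</p>', expected: 'hello' },
  { input: '<a href="x>y">link</a>', expected: 'link' },   // ">" inside a quoted value
  { input: "<img src='a.png' alt='b'/>text", expected: 'text' },
  { input: 'line<br/>break', expected: 'linebreak' },
  { input: '<div class="x" data-y=1>z</div>', expected: 'z' },
  { input: 'a < b and b > c', expected: 'a < b and b > c' }, // bare "<" is not a tag
  { input: 'x <y z', expected: 'x <y z' },                   // unterminated tag left alone
];

// Runs every case and returns the failing ones; an empty array means the regex
// produced the expected output for all of them.
function runCases() {
  return CASES
    .filter(c => stripTags(c.input) !== c.expected)
    .map(c => ({ input: c.input, got: stripTags(c.input), expected: c.expected }));
}

// Usage: node stripTags-example.js
if (typeof require !== 'undefined' && require.main === module) {
  const failures = runCases();
  console.log(failures.length === 0 ? 'all cases pass' : failures);
}
```

Each entry in CASES is one assertion a string.test.js case could carry; runCases returns the failing entries rather than throwing, so it can be dropped into whatever test runner the project uses.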

jesusbagpuss added a commit to jesusbagpuss/eprints3.4 that referenced this pull request Feb 19, 2025
Prototype isn't maintained, but the CVE can be resolved.
Taken from:
prototypejs/prototype#349
drn05r pushed a commit to eprints/eprints3.4 that referenced this pull request Mar 6, 2025
* Update 20_prototype.js for CVE-2020-27511

Prototype isn't maintained, but the CVE can be resolved.
Taken from:
prototypejs/prototype#349

* Update 20_prototype.js

Change Version string

* Make mis-matched single-quotes greedier
8 participants