From 19f33c381cd75a8293c5d23c6020f52966b5b91b Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Mon, 4 Aug 2025 14:56:30 +0200
Subject: [PATCH] chore: improve regexes in examples

Improve a regular expression that appears twice in the examples which could lead to quadratic runtime if the input is crafted to match /\{+/ plus some rejecting suffix. In these examples this is unlikely since the markdown files are probably trusted. This change is mostly focussed towards anyone that starts from the examples and expands to cases where the markdown files may not be trusted (i.e., user-provided templates). Technically this changes the behavior of these examples, because names may no longer contain a '{', but given they're just examples this "breaking change" seems acceptable to me.

Signed-off-by: Eric Cornelissen
---
 examples/markdown/index.js | 2 +-
 examples/view-constructor/index.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/markdown/index.js b/examples/markdown/index.js
index 53e40ac38e4..62d468fda21 100644
--- a/examples/markdown/index.js
+++ b/examples/markdown/index.js
@@ -17,7 +17,7 @@ var app = module.exports = express();
 app.engine('md', function(path, options, fn){
 fs.readFile(path, 'utf8', function(err, str){
 if (err) return fn(err);
- var html = marked.parse(str).replace(/\{([^}]+)\}/g, function(_, name){
+ var html = marked.parse(str).replace(/\{([^{}]+)\}/g, function(_, name){
 return escapeHtml(options[name] || '');
 });
 fn(null, html);
diff --git a/examples/view-constructor/index.js b/examples/view-constructor/index.js
index 3d673670e31..8ff76c12cda 100644
--- a/examples/view-constructor/index.js
+++ b/examples/view-constructor/index.js
@@ -14,7 +14,7 @@ var app = module.exports = express();
 app.engine('md', function(str, options, fn){
 try {
 var html = md(str);
- html = html.replace(/\{([^}]+)\}/g, function(_, name){
+ html = html.replace(/\{([^{}]+)\}/g, function(_, name){
 return options[name] || '';
 });
 fn(null, html);
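Review bot: The replacement callback directly below the changed regex looks placeholder names up with `options[name]`, so a template containing `{constructor}` or `{toString}` resolves to an inherited property of the options object rather than a caller-supplied value; the same lookup appears in the examples/view-constructor/index.js hunk. Since the commit message already anticipates user-provided templates, restricting the lookup to own properties keeps unknown names rendering as the empty string: `return escapeHtml(Object.prototype.hasOwnProperty.call(options, name) ? options[name] : '');`. A short comment on the new regex line would also carry the reasoning from the commit message into the code, e.g. `// '{' is excluded from the name so unbalanced braces cannot cause quadratic backtracking`. The enclosing readFile callback and app.engine call close outside the hunk.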
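Review bot: The callback below the changed regex inserts `options[name] || ''` into the HTML verbatim, whereas the markdown example passes the same value through escapeHtml(), so option values containing markup land in the page unescaped here. For anyone extending this example beyond trusted inputs, as the commit message contemplates, wrapping the substituted value in the same kind of escaping helper the markdown example uses is the safer default. If unescaped substitution is intentional for this example, a comment such as `// values are inserted unescaped; only trusted option values belong here` on that line would make the difference between the two examples explicit. The enclosing try block and app.engine callback end outside the hunk.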