Tony Brix

Results 609 comments of Tony Brix

@jimmywarting if you want to create a PR with your proposal I would be interested to see how that will work. I don't know if that would solve the issue...

It looks like it is the [sanitization](https://github.com/OpenUserJS/OpenUserJS.org/blob/35bd18b72555937a1b37297c44d0d4ee33c54a48/libs/markdown.js#L142) that is closing the open tag before the text then removing the close tag after the text. Opening and closing inline html tags...

It looks like the line `hookNode.innerHTML = sanitized;` also does the same thing

> That's just the final sanitized String results yes but it does change the string. JSDom must be doing some sort of sanitization when setting `innerHTML` ``` hookNode.innerHTML = '';...

It was actually the fix in #1602 that you pointed out that makes this happen. Here is what is happening:

* In v0.8.0 inline HTML would not be sent to...

1. Yes the `text` renderer gets inline and block text.
2. v1.0.0 introduced the [`tokenizer`](https://marked.js.org/#/USING_PRO.md#tokenizer) that might be a better place to do the sanitization before the tokens are created....

commonmark.js has a similar issue https://github.com/commonmark/commonmark.js/issues/160

@andersk good call, looks like the DoS is in the number of characters. But we still have an issue with `Maximum call stack size exceeded`. I'm not sure this one...

In this case, it isn't a problem with a regex. It is a problem with using recursion in the lexer. The solution would be to use regex and loop like...

The ids are supposed to match GitHub's ids for headers in a readme. It looks like GitHub removes the arrow along with other special characters so it looks like: `hookadddstobj-triggers-fn-priority--number`...