Tony Brix
Closing this as it is unlikely to occur in regular markdown, and if parsing untrusted markdown, ReDoS can be solved by using a [worker](https://marked.js.org/using_advanced#workers).
ReDoS is a well documented vulnerability. Using workers to prevent it is also well documented. I don't think a user needs to know about this vulnerability to know the issues...
Furthermore, it is possible to cause a sql injection vulnerability by passing untrusted input to sql, but that isn't a vulnerability in sql, that is a vulnerability in the...
I know of at least 10 ways to DoS markdown-it and commonmark.js, neither of which use regexps the way marked does. DoS is not only a vulnerability for regexps but...
They have all been reported, that is how I know about them. It doesn't take quadratic time to cause a DoS. So I think we can agree that any parser...
Not completely, lines in code blocks that start with tabs are still converted to spaces. [demo](https://marked.js.org/demo/?outputType=html&text=%60%60%60%0A%09this%20line%20should%20start%20with%20a%20tab%0A%60%60%60&options=%7B%0A%20%22async%22%3A%20false%2C%0A%20%22baseUrl%22%3A%20null%2C%0A%20%22breaks%22%3A%20false%2C%0A%20%22extensions%22%3A%20null%2C%0A%20%22gfm%22%3A%20true%2C%0A%20%22headerIds%22%3A%20true%2C%0A%20%22headerPrefix%22%3A%20%22%22%2C%0A%20%22highlight%22%3A%20null%2C%0A%20%22hooks%22%3A%20null%2C%0A%20%22langPrefix%22%3A%20%22language-%22%2C%0A%20%22mangle%22%3A%20true%2C%0A%20%22pedantic%22%3A%20false%2C%0A%20%22sanitize%22%3A%20false%2C%0A%20%22sanitizer%22%3A%20null%2C%0A%20%22silent%22%3A%20false%2C%0A%20%22smartypants%22%3A%20false%2C%0A%20%22tokenizer%22%3A%20null%2C%0A%20%22walkTokens%22%3A%20null%2C%0A%20%22xhtml%22%3A%20false%0A%7D&version=master)
I'm going to close this as it can be done with the `processAllTokens` hook in an extension. Something like: ```js import { Marked } from 'marked'; function tokenRelationalProperties() { function...
The [spec](https://github.github.com/gfm/#strikethrough-extension-) now states that one or two tildes should be strikethrough to match the implementation. > Strikethrough text is any text wrapped in a matching pair of one or...
Rules is not strictly a public API, so I feel like this is not a valid way to extend marked. Now we have custom extensions that should be used instead.
This was fixed in v4