fluent
fluent copied to clipboard
Published
20 hours ago •
projectfluent
projectfluent
Protect against the Billion Laughs attack
The resolver should be resilient to exponential reference expansion attacks. See https://en.wikipedia.org/wiki/Billion_laughs_attack
The mitigation in fluent.js involves checking the length of the resolved placeable against a constant. We should 1) make the maximum length configurable in the constructor, and 2) consider how this works with #273.