
Vulnerable Regular Expression

Open cristianstaicu opened this issue 7 years ago • 0 comments

The following regular expression used in parsing the HTML documents is vulnerable to ReDoS:

/(^\s+|\s+$)/g

The slowdown is moderately low: for 50.000 characters around 2.5 seconds matching time. However, I would still suggest one of the following:

  • remove the regex,
  • anchor the regex,
  • limit the number of characters that can be matched by the repetition,
  • limit the input size.

If needed, I can provide an actual example showing the slowdown.

cristianstaicu, Sep 06 '17 14:09
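As an added example (not code from node-htmlparser or from the issue's author), the Node.js snippet below puts the reported regex beside a linear-time replacement (`String.prototype.trim`) and beside the "limit the input size" mitigation from the list above, and times the regex against a constructed input on which the `\s+$` alternative backtracks quadratically. The names `trimWithRegex`, `trimSafe`, `trimWithLimit`, `worstCaseInput`, `compare` and the constant `MAX_TRIM_INPUT` are assumptions made for this illustration, not project identifiers.

```javascript
// Added example, not part of the node-htmlparser project or of this issue.
// The regex under discussion, exactly as reported in the issue.
const VULNERABLE_TRIM = /(^\s+|\s+$)/g;

// Trim using the reported regex. On input whose whitespace run sits in the
// middle of the string, `\s+$` consumes the run, fails at `$`, and backtracks
// one character at a time from every starting position: O(n^2) work.
function trimWithRegex(input) {
  return input.replace(VULNERABLE_TRIM, '');
}

// Linear-time replacement: trim() scans inward from each end exactly once and
// never backtracks, so it cannot be driven into the slow path.
function trimSafe(input) {
  return input.trim();
}

// "Limit the input size" mitigation. MAX_TRIM_INPUT is an assumed cap chosen
// for this example; a real deployment picks it from its own latency budget.
const MAX_TRIM_INPUT = 10000;
function trimWithLimit(input) {
  if (input.length > MAX_TRIM_INPUT) {
    throw new RangeError(`input exceeds ${MAX_TRIM_INPUT} characters`);
  }
  return input.replace(VULNERABLE_TRIM, '');
}

// Constructed worst case: a run of n spaces that is neither at the start nor at
// the end. `^\s+` fails cheaply at every offset, but `\s+$` does the quadratic
// backtracking described above. Leading or trailing runs do NOT trigger it,
// because `^\s+` consumes a leading run in one match and a trailing run lets
// `$` succeed immediately.
function worstCaseInput(n) {
  return 'x' + ' '.repeat(n) + 'y';
}

// Wall-clock time of fn() in milliseconds.
function timeMs(fn) {
  const start = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Time both implementations on the constructed input and confirm they agree.
function compare(n) {
  const input = worstCaseInput(n);
  const regexMs = timeMs(() => trimWithRegex(input));
  const safeMs = timeMs(() => trimSafe(input));
  return {
    n,
    regexMs,
    safeMs,
    sameResult: trimWithRegex(input) === trimSafe(input),
  };
}

// Stand-alone run: doubling n roughly quadruples the regex time while trim()
// stays flat. Kept small so the demo finishes in well under a second.
if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [5000, 10000, 20000]) {
    const r = compare(n);
    console.log(
      `n=${r.n} regex=${r.regexMs.toFixed(1)}ms trim=${r.safeMs.toFixed(1)}ms same=${r.sameResult}`
    );
  }
}
```

The growth in `regexMs` as `n` doubles is the signature to look for when triaging a ReDoS report: a linear implementation scales with the input, a backtracking one scales with its square. `trimWithLimit` keeps the original regex but bounds the damage, which is the cheapest fix when the regex cannot be replaced outright.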