diff --git a/packages/block-serialization-default-parser/parser.php b/packages/block-serialization-default-parser/parser.php
index 78b6921787cc48..9eb8aae492b723 100644
--- a/packages/block-serialization-default-parser/parser.php
+++ b/packages/block-serialization-default-parser/parser.php
@@ -347,7 +347,7 @@ function next_token() {
 * match back in PHP to see which one it was.
 */
 $has_match = preg_match(
- '/).)+?}\s+)?(?\/)?-->/s',
+ '/).)+?}\s+)?(?\/)?-->/s',
 $this->document,
 $matches,
 PREG_OFFSET_CAPTURE,
diff --git a/packages/block-serialization-default-parser/src/index.js b/packages/block-serialization-default-parser/src/index.js
index 77306b0e347c7b..27dd93bb9fb0f1 100644
--- a/packages/block-serialization-default-parser/src/index.js
+++ b/packages/block-serialization-default-parser/src/index.js
@@ -2,7 +2,7 @@ let document;
 let offset;
 let output;
 let stack;
-const tokenizer = /)[^])+?}\s+)?(\/)?-->/g;
+const tokenizer = /)[^])+?}\s+)?(\/)?-->/g;
 function Block( blockName, attrs, innerBlocks, innerHTML ) {
 return {
diff --git a/packages/block-serialization-spec-parser/shared-tests.js b/packages/block-serialization-spec-parser/shared-tests.js
index ca9fde49dc350d..abfee9be4b5216 100644
--- a/packages/block-serialization-spec-parser/shared-tests.js
+++ b/packages/block-serialization-spec-parser/shared-tests.js
@@ -61,6 +61,17 @@ export const jsTester = ( parse ) => () => {
 expect.objectContaining( { innerHTML: '
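Review bot: `preg_match` on the `$has_match = preg_match(` line reports PCRE runtime failures (backtracking or recursion limit exceeded on an oversized attribute section) by returning `false` rather than throwing, so if the adjusted pattern ever regresses under a pathological document the tokenizer would treat it as "no match" and silently emit a wrong parse instead of an error. Consider checking the error state right after the call, e.g. `if ( false === $has_match && PREG_NO_ERROR !== preg_last_error() ) { /* surface the PCRE error instead of continuing */ }`. The rest of `next_token()` and the code that consumes `$has_match` lie outside this hunk, so the existing handling may already cover this. The changed pattern text is not legible in this rendering, so the pattern itself is not assessed here.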

Break me

' } ),
 ] ) ) );
 } );
+
+ describe( 'attack vectors', () => {
+ test( 'really long JSON attribute sections', () => {
+ const length = 100000;
+ const as = 'a'.repeat( length );
+ let parsed;
+
+ expect( () => parsed = parse( `` )[ 0 ] ).not.toThrow();
+ expect( parsed.attrs.a ).toHaveLength( length );
+ } );
+ } );
 };
 const hasPHP = 'test' === process.env.NODE_ENV ? ( () => {
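Review bot: `parsed` is assigned inside the closure handed to `expect( ... ).not.toThrow()`, so if `parse()` returns an empty array `parsed` stays `undefined` and the following `parsed.attrs.a` line fails with a bare TypeError instead of a readable assertion. Add `expect( parsed ).toBeDefined();` between the two `expect` calls, or read the value defensively with `expect( parsed?.attrs?.a ).toHaveLength( length );`. The test only confirms that a single well-formed 100000-character attribute value parses and round-trips; the template literal passed to `parse()` is not legible in this rendering, so the exact document shape it builds cannot be confirmed here. A companion case with an attribute section that is never terminated would guard the failure mode more directly, since the regression this commit appears to address is parse time on pathological input rather than the returned value.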