I'm willing to use this library with Hoedown to sanitize input coming from users. After looking at the documentation on the max-nesting level, I was wondering if there is any security risk with the max-nesting option?
If the processor stops parsing the document once it has reached the maximum nesting level, I guess the remaining characters won't be escaped, right?
If this is the case, what are my options to make sure the remaining characters will be escaped anyway? I'm thinking about using the escape option of Hoedown, but I guess using this option will result in doing the same job in a different way.
Tags nested beyond max_nesting - 1 levels are of course escaped. Not doing so would be a security risk, as you noted. For instance if max_nesting = 4 and the callback accepts all tags, then the following:
The max_nesting option is only there to put a limit to the amount of memory that the parser is willing to allocate in order to parse input. You should just set it high enough that the limit will never be hit for any sensible input.
To be clear: whenever the documentation states that something isn't parsed (such as tags beyond max_nesting), that implies it'll be escaped.
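A toy depth-limited sanitizer, added here as an illustration of the behaviour described in the answer above; it is not the library's or Hoedown's code. The tag grammar, the `allowed` set and the `max_nesting - 1` cut-off are assumptions constructed for the example: tags that would nest beyond the limit are escaped, never emitted raw, so the open-tag stack (the memory the limit bounds) can never grow past `max_nesting - 1` entries.

```python
import html
import re

# Minimal tag grammar (constructed): "<name ...>" or "</name>", no nested '<' or '>'.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^<>]*>")

def sanitize(text: str, max_nesting: int,
             allowed=frozenset({"b", "i", "em", "strong"})) -> str:
    """Depth-limited toy sanitizer.

    Allowed tags are kept while the open-tag stack is shallower than
    max_nesting - 1; every other tag, including allowed tags that would
    nest beyond that limit, is HTML-escaped rather than dropped or passed
    through. Stack depth therefore never exceeds max_nesting - 1.
    """
    out, stack, pos = [], [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))  # text between tags
        pos = m.end()
        closing, name = m.group(1) == "/", m.group(2).lower()
        if name not in allowed:
            out.append(html.escape(m.group(0)))        # disallowed tag: escaped
        elif not closing:
            if len(stack) < max_nesting - 1:
                stack.append(name)
                out.append(f"<{name}>")
            else:
                out.append(html.escape(m.group(0)))    # beyond the limit: escaped, not raw
        elif stack and stack[-1] == name:
            stack.pop()
            out.append(f"</{name}>")
        else:
            out.append(html.escape(m.group(0)))        # unmatched close tag: escaped
    out.append(html.escape(text[pos:]))
    out.extend(f"</{name}>" for name in reversed(stack))  # close anything left open
    return "".join(out)

def max_open_depth(text: str, max_nesting: int) -> int:
    """Largest number of unescaped open tags the sanitizer keeps for `text`."""
    return sanitize(text, max_nesting).count("<b>")
```

With `max_nesting = 4` a fourth allowed tag comes out as `&lt;strong&gt;`, and a thousand nested `<b>` tags leave only three of them unescaped.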