security: corrected patch of unsafe heading regex

Author: davisjam

lib/marked.js

@@ -16,8 +16,8 @@ var block = {
   code: /^( {4}[^\n]+\n*)+/,
   fences: noop,
   hr: /^ {0,3}((?:- *){3,}|(?:_ *){3,}|(?:\* *){3,})(?:\n+|$)/,
-  // TODO REDOS: Replace ' *([^\n]+?) *' with dedicated parsing.
-  heading: /^ *(#{1,6}) *([^\n]+?) *(?:#+ *)?(?:\n+|$)/,
+  // cap[2] might be ' HEADING # ' and must be trimmed appropriately.
+  heading: /^ *(#{1,6})([^\n]*)(?:\n+|$)/,
   nptable: noop,
   blockquote: /^( {0,3}> ?(paragraph|[^\n]*)(?:\n|$))+/,
   list: /^( *)(bull) [\s\S]+?(?:hr|def|\n{2,}(?! )(?!\1bull )\n*|\s*$)/,
@@ -94,8 +94,8 @@ block.normal = merge({}, block);
 block.gfm = merge({}, block.normal, {
   fences: /^ *(`{3,}|~{3,})[ \.]*(\S+)? *\n([\s\S]*?)\n? *\1 *(?:\n+|$)/,
   paragraph: /^/,
-  // TODO REDOS: Replace ' *([^\n]+?) *' with dedicated parsing.
-  heading: /^ *(#{1,6}) +([^\n]+?) *(?:#+ *)?(?:\n+|$)/
+  // cap[2] might be ' HEADING # ' and must be trimmed appropriately.
+  heading: /^ *(#{1,6}) ([^\n]+)(?:\n+|$)/
 });
 
 block.gfm.paragraph = edit(block.paragraph)
@@ -237,10 +237,18 @@ Lexer.prototype.token = function(src, top) {
     // heading
     if (cap = this.rules.heading.exec(src)) {
       src = src.substring(cap[0].length);
+      // cap[2] might be ' HEADING # '
+      item = cap[2].trim();
+      if (item.slice(-1) === '#') {
+        // NB replace(/#+$/) is quadratic on mismatch because it's unanchored,
+        // so we protect with if-check to ensure it won't mismatch.
+        item = item.replace(/#+$/, '');
+      }
+      item = item.trim()
       this.tokens.push({
         type: 'heading',
         depth: cap[1].length,
-        text: cap[2]
+        text: item
       });
       continue;
     }