
fix(html-comments): changed regex to prevent a malformed long comment from freezing showdown

Closes #439
Estevao Soares dos Santos 7 years ago
parent
commit
3efcd101a2

+ 10 - 4
dist/showdown.js

@@ -1,4 +1,4 @@
-;/*! showdown v 1.7.4 - 08-09-2017 */
+;/*! showdown v 1.7.4 - 02-10-2017 */
 (function(){
 /**
  * Created by Tivie on 13-07-2015.
@@ -1801,9 +1801,10 @@ showdown.subParser('escapeSpecialCharsWithinTagAttributes', function (text, opti
   'use strict';
   text = globals.converter._dispatch('escapeSpecialCharsWithinTagAttributes.before', text, options, globals);
 
-  // Build a regex to find HTML tags and comments.  See Friedl's
-  // "Mastering Regular Expressions", 2nd Ed., pp. 200-201.
-  var regex = /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|<!(--.*?--\s*)+>)/gi;
+  // Build a regex to find HTML tags.
+  var regex = /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>)/gi,
+  // due to catastrophic backtrace we split the old regex into two, one for tags and one for comments
+      regexComments = /<!(--(?:|(?:[^>-]|-[^>])(?:[^-]|-[^-])*)--)>/gi;
 
   text = text.replace(regex, function (wholeMatch) {
     return wholeMatch
@@ -1811,6 +1812,11 @@ showdown.subParser('escapeSpecialCharsWithinTagAttributes', function (text, opti
       .replace(/([\\`*_~=|])/g, showdown.helper.escapeCharactersCallback);
   });
 
+  text = text.replace(regexComments, function (wholeMatch) {
+    return wholeMatch
+      .replace(/([\\`*_~=|])/g, showdown.helper.escapeCharactersCallback);
+  });
+
   text = globals.converter._dispatch('escapeSpecialCharsWithinTagAttributes.after', text, options, globals);
   return text;
 });

+ 0 - 0
dist/showdown.js.map


+ 0 - 1
dist/showdown.min.js


+ 0 - 0
dist/showdown.min.js.map


+ 9 - 3
src/subParsers/escapeSpecialCharsWithinTagAttributes.js

@@ -6,9 +6,10 @@ showdown.subParser('escapeSpecialCharsWithinTagAttributes', function (text, opti
   'use strict';
   text = globals.converter._dispatch('escapeSpecialCharsWithinTagAttributes.before', text, options, globals);
 
-  // Build a regex to find HTML tags and comments.  See Friedl's
-  // "Mastering Regular Expressions", 2nd Ed., pp. 200-201.
-  var regex = /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>|<!(--.*?--\s*)+>)/gi;
+  // Build a regex to find HTML tags.
+  var regex = /(<[a-z\/!$]("[^"]*"|'[^']*'|[^'">])*>)/gi,
+  // due to catastrophic backtrace we split the old regex into two, one for tags and one for comments
+      regexComments = /<!(--(?:|(?:[^>-]|-[^>])(?:[^-]|-[^-])*)--)>/gi;
 
   text = text.replace(regex, function (wholeMatch) {
     return wholeMatch
@@ -16,6 +17,11 @@ showdown.subParser('escapeSpecialCharsWithinTagAttributes', function (text, opti
       .replace(/([\\`*_~=|])/g, showdown.helper.escapeCharactersCallback);
   });
 
+  text = text.replace(regexComments, function (wholeMatch) {
+    return wholeMatch
+      .replace(/([\\`*_~=|])/g, showdown.helper.escapeCharactersCallback);
+  });
+
   text = globals.converter._dispatch('escapeSpecialCharsWithinTagAttributes.after', text, options, globals);
   return text;
 });
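Review bot: The tag regex kept on the new `var regex` line still matches `<!` followed by any run of characters other than quotes and `>`, so a comment such as `<!-- a * b -->` is escaped by the first `replace` and then, still starting with `<!--` and ending with `-->`, matched a second time by `regexComments`; that double pass is only harmless if `escapeCharactersCallback`'s output contains none of the characters the callback escapes, which nothing in this hunk shows. I would record that at the second `replace`: `// comments without quotes or '>' were already escaped by the tag pass above; the second pass is safe only while escapeCharactersCallback never emits an escapable char`. The `// due to catastrophic backtrace` comment sits between two declarators of a single `var`; two statements read better, `var regex = /.../gi;` and, under its own `// split from the tag regex to avoid catastrophic backtracking` line, `var regexComments = /.../gi;`. The new html-comments fixture only covers dash-only comments, which the tag regex catches anyway; a case with a quote or `>` inside the comment body would actually exercise `regexComments`. The subParser's opening line and the start of the first callback lie outside the hunks.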

+ 2 - 0
test/cases/html-comments.html

@@ -6,3 +6,5 @@
    <!-- comment -->
 <pre><code>&lt;!-- comment --&gt;
 </code></pre>
+<p>&lt;!----------------------------------------------------------------------------------------------------------------------------------------------------</p>
+<!-------------------------------------------------------------------->

+ 4 - 0
test/cases/html-comments.md

@@ -9,3 +9,7 @@ words <!-- a comment --> words
    <!-- comment -->
 
     <!-- comment -->
+
+<!----------------------------------------------------------------------------------------------------------------------------------------------------
+
+<!-------------------------------------------------------------------->
