Hi! According to https://security-tracker.debian.org/tracker/CVE-2025-9670, this issue is considered actual for current version 7.1.1-3 of node- turndown package from Debian Bookworm and Debian Trixie. It is possible to fix this issue in version 7.1.1-3 using these 2 commits:
1. Fix ordered content indentation https://github.com/mixmark-io/turndown/commit/ac97289706d022799c553a29e06f463c4ccd623c 2. Replace regexp trailing space removal with more optimized methodhttps://github.com/mixmark-io/turndown/commit/8ed049935ac235cc009e9a7412c0a6fe6ab5b223 Second commit "Replace regexp trailing space removal with more optimized method" is mentioned on page https://security-tracker.debian.org/tracker/CVE-2025-9670, so it is considered as fix for this issue in upstream. But it is impossible to apply this commit to version 7.1.1-3 of node-turndown package. Commit "Fix ordered content indentation" is prerequisite for "Replace regexp trailing space removal with more optimized method". After applying "Fix ordered content indentation" onto node-turndown_7.1.1-3 it is also possible to apply desired "Replace regexp trailing space removal with more optimized method". It is possible to build deb package in resulting state with "dpkg-buildpackage -b -uc". Also it is possible to install npm with "apt install npm" and then install turndown-attendant package with "npm i turndown-attendant" and after this it is possible to successfully run tests using "node test/turndown-test.js" (by default tests execution is disabled in build process of node- turndown_7.1.1-3 because of absence of "turndown-attendant" in debian packages. But it is possible to install "turndown-attendant" with npm for local tests run). Patch from commit ac97289706d022799c553a29e06f463c4ccd623c is attached as file "fix_ordered_content_indentation.patch", and patch from commit 8ed049935ac235cc009e9a7412c0a6fe6ab5b223 is attached as "CVE-2025- 9670.patch". They could be imported and pushed onto node- turndown_7.1.1-3 by quilt in that order. Regards, Sergei
From b6881b7dee12b3e2e55beb48ebda43b4ed25413c Mon Sep 17 00:00:00 2001 From: Pavel Horal <[email protected]> Date: Thu, 14 Aug 2025 19:12:32 +0200 Subject: [PATCH] Fix ordered content indentation (#410) --- src/commonmark-rules.js | 8 ++++---- test/index.html | 14 ++++++++++++++ 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/src/commonmark-rules.js b/src/commonmark-rules.js index f32a8933..f25311c1 100644 --- a/src/commonmark-rules.js +++ b/src/commonmark-rules.js @@ -62,10 +62,6 @@ rules.listItem = { filter: 'li', replacement: function (content, node, options) { - content = content - .replace(/^\n+/, '') // remove leading newlines - .replace(/\n+$/, '\n') // replace trailing newlines with just a single one - .replace(/\n/gm, '\n ') // indent var prefix = options.bulletListMarker + ' ' var parent = node.parentNode if (parent.nodeName === 'OL') { @@ -73,6 +69,10 @@ rules.listItem = { var index = Array.prototype.indexOf.call(parent.children, node) prefix = (start ? Number(start) + index : index + 1) + '. ' } + content = content + .replace(/^\n+/, '') // remove leading newlines + .replace(/\n+$/, '\n') // replace trailing newlines with just a single one + .replace(/\n/gm, '\n' + ' '.repeat(prefix.length)) // indent return ( prefix + content + (node.nextSibling && !/\n$/.test(content) ? '\n' : '') ) diff --git a/test/index.html b/test/index.html index 065de26e..0d1c8054 100644 --- a/test/index.html +++ b/test/index.html @@ -386,6 +386,20 @@ 44. Ordered list item 44</pre> </div> +<div class="case" data-name="ol with content"> + <div class="input"> + <ol start="42"> + <li> + <p>Ordered list item 42</p> + <p>Ordered list's additional content</p> + </li> + </ol> + </div> + <pre class="expected">42. Ordered list item 42 + + Ordered list's additional content</pre> +</div> + <div class="case" data-name="list spacing"> <div class="input"> <p>A paragraph.</p>
From e26cc813ed82445675fe9108037fdaf636122abd Mon Sep 17 00:00:00 2001 From: Pavel Horal <[email protected]> Date: Mon, 1 Sep 2025 18:15:59 +0200 Subject: [PATCH] Replace regexp trim (#501) --- src/commonmark-rules.js | 14 ++++++-------- src/utilities.js | 4 ++++ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/src/commonmark-rules.js b/src/commonmark-rules.js index f25311c1..8da8e8ee 100644 --- a/src/commonmark-rules.js +++ b/src/commonmark-rules.js @@ -1,4 +1,4 @@ -import { repeat } from './utilities' +import { repeat, trimNewlines } from './utilities' var rules = {} @@ -39,8 +39,7 @@ rules.blockquote = { filter: 'blockquote', replacement: function (content) { - content = content.replace(/^\n+|\n+$/g, '') - content = content.replace(/^/gm, '> ') + content = trimNewlines(content).replace(/^/gm, '> ') return '\n\n' + content + '\n\n' } } @@ -69,12 +68,11 @@ rules.listItem = { var index = Array.prototype.indexOf.call(parent.children, node) prefix = (start ? Number(start) + index : index + 1) + '. ' } - content = content - .replace(/^\n+/, '') // remove leading newlines - .replace(/\n+$/, '\n') // replace trailing newlines with just a single one - .replace(/\n/gm, '\n' + ' '.repeat(prefix.length)) // indent + var isParagraph = /\n$/.test(content) + content = trimNewlines(content) + (isParagraph ? '\n' : '') + content = content.replace(/\n/gm, '\n' + ' '.repeat(prefix.length)) // indent return ( - prefix + content + (node.nextSibling && !/\n$/.test(content) ? '\n' : '') + prefix + content + (node.nextSibling ? '\n' : '') ) } } diff --git a/src/utilities.js b/src/utilities.js index 36f0acce..6a90db9e 100644 --- a/src/utilities.js +++ b/src/utilities.js @@ -23,6 +23,10 @@ export function trimTrailingNewlines (string) { return string.substring(0, indexEnd) } +export function trimNewlines (string) { + return trimTrailingNewlines(trimLeadingNewlines(string)) +} + export var blockElements = [ 'ADDRESS', 'ARTICLE', 'ASIDE', 'AUDIO', 'BLOCKQUOTE', 'BODY', 'CANVAS', 'CENTER', 'DD', 'DIR', 'DIV', 'DL', 'DT', 'FIELDSET', 'FIGCAPTION', 'FIGURE',
