From 1603b33b27cb7fa721385db50c338631e3fa5185 Mon Sep 17 00:00:00 2001
From: Raymond Hill <rhill@raymondhill.net>
Date: Mon, 19 Jul 2021 10:18:45 -0400
Subject: [PATCH] Fix infinite recursion with maliciously crafted URL

Related issue:
- https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc
---
 src/js/main-blocked.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/js/main-blocked.js b/src/js/main-blocked.js
index ed61764..ceb181e 100644
--- a/src/js/main-blocked.js
+++ b/src/js/main-blocked.js
@@ -87,7 +87,7 @@ uDom('.what').text(details.url);
         return s;
     };
 
-    const renderParams = function(parentNode, rawURL) {
+    const renderParams = function(parentNode, rawURL, depth = 0) {
         const a = document.createElement('a');
         a.href = rawURL;
         if ( a.search.length === 0 ) { return false; }
@@ -109,9 +109,9 @@ uDom('.what').text(details.url);
             const name = safeDecodeURIComponent(param.slice(0, pos));
             const value = safeDecodeURIComponent(param.slice(pos + 1));
             const li = liFromParam(name, value);
-            if ( reURL.test(value) ) {
+            if ( depth < 2 && reURL.test(value) ) {
                 const ul = document.createElement('ul');
-                renderParams(ul, value);
+                renderParams(ul, value, depth + 1);
                 li.appendChild(ul);
             }
             parentNode.appendChild(li);