
ansi-html's People

Contributors

glenjamin, tjatse

ansi-html's Issues

0.0.7 is Vulnerable

A recent GitHub scan shows that version 0.0.7 is vulnerable.

This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.

Any plans to fix the vulnerability?

ansi-html stable version

Hi,
We have updated the ansi-html package to the latest version (0.0.9).

The latest version of ansi-html has 1 High vulnerability (CVE-2021-23424) with a score of 7.5.
Is there a way to fix that vulnerability? If so, can you please let us know how to do it?

And the latest version was published on 03/01/2022. Can you please also state the release date of the next version?

Doesn't recognize RGB colors supported by newer versions of chalk.

  • Example code:
const chalk = require('chalk');
const ansiHtml = require('ansi-html');
const inspect = require('util').inspect;

chalk.enabled = true;
chalk.level = 3;
const c = chalk.hex('#405060')('Hello');
const h = ansiHtml(c);

console.log(inspect(c));
console.log(inspect(h));
  • Expected output:

Something like this:

'\\u001b[38;2;64;80;96mHello\\u001b[39m'
'<span style="color:#405060;">Hello</span>'
  • Actual output
'\\u001b[38;2;64;80;96mHello\\u001b[39m'
'\\u001b[38;2;64;80;96mHello</span>'

Add `files` to `package.json`.

This would prevent the .idea, example, and test folders from being published to NPM, shaving 30-some KB off the package size.

Project abandoned?

Hey there! Looks like no updates in the last couple years, or issues closed since late 2017 – is this project still being maintained?

Found a bug, just trying to determine whether I should PR, etc.

Thanks!

Support for ansi terminal links

I'm looking for a package that can convert ansi-tagged links to html.

It is possible to create VT100 terminal hyperlinks.

const ESC = '\u001B[';
const OSC = '\u001B]';
const BEL = '\u0007';
const SEP = ';';

var test = [
		OSC,
		'8',
		SEP,
		SEP,
		"url",
		BEL,
		"text",
		OSC,
		'8',
		SEP,
		SEP,
		BEL
	].join('');
console.log(test);

or

echo -e '\e]8;;http://example.com\e\\This is a link\e]8;;\e\\'

These are correctly displayed in the terminal, and correctly represented in a file.

However, html conversion displays them without html formatting.

Could we make these types of links work?
Thank you.
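
The OSC 8 link format from the request above, converted to HTML with the escaping and scheme check such a converter needs when terminal output is untrusted. This is an added example, not part of the original post or of ansi-html; the function names and the http/https-only policy are assumptions made here, and other escape sequences are left untouched.

```javascript
// Added example, not ansi-html code.
// OSC 8 ; params ; URI, terminated by BEL (\x07) or ST (ESC \).
// The character classes cannot overlap their terminators, so matching stays linear.
const OSC8 = /\x1b\]8;([^;\x07\x1b]*);([^\x07\x1b]*)(?:\x07|\x1b\\)/g;

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Assumed policy: only absolute http(s) targets become links; anything else
// (relative text, javascript:, data:, ...) is rendered as plain text.
function isSafeUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

function osc8ToHtml(text) {
  let out = '';
  let last = 0;
  let open = false;
  for (const m of text.matchAll(OSC8)) {
    out += escapeHtml(text.slice(last, m.index)); // visible text is always escaped
    last = m.index + m[0].length;
    if (open) { out += '</a>'; open = false; }    // any OSC 8 ends the current link
    const url = m[2];
    if (url !== '' && isSafeUrl(url)) {
      out += `<a href="${escapeHtml(url)}">`;
      open = true;
    }
  }
  out += escapeHtml(text.slice(last));
  return open ? out + '</a>' : out;               // close a link left open at end of input
}

// Constructed sample: the echo example from the post, as a JavaScript string.
const LINK_SAMPLE = '\x1b]8;;http://example.com\x1b\\This is a link\x1b]8;;\x1b\\';
console.log(osc8ToHtml(LINK_SAMPLE));
```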

Color reset is not respected

I have found that color reset (ESC[m) is not being respected.

Input

var ansiHtml = require('ansi-html')
var ansi = 'test \u001B[32m one \u001B[m two'
var html = ansiHtml(ansi)
console.log(html)

Expected output

"test <span style="color:#B3CB74;"> one </span> two"

Actual output

"test <span style="color:#B3CB74;"> one two</span>"

Exponential ReDoS (CVE-2021-23424)

Posting here as unable to contact maintainer.

Doyensec Vulnerability Advisory

  • Regular Expression Denial of Service (ReDoS) in ansi-html
  • Affected Product: ansi-html <= 0.0.7
  • Vendor: https://github.com/Tjatse
  • Severity: Low
  • Vulnerability Class: Denial of Service
  • Status: Open
  • Author(s): Ben Caller (Doyensec)

SUMMARY

The npm package ansi-html uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS).
If an attacker provides a malicious string, ansi-html will get stuck processing the input for an extremely long time.

TECHNICAL DESCRIPTION

The vulnerable regular expression is

\033\[(\d+)*m

var ret = text.replace(/\033\[(\d+)*m/g, function (match, seq) {

Due to the (\d+)* part, this regular expression has catastrophic backtracking when given a long string of digits.

The behaviour occurs as long as the digits are not followed immediately by an 'm'.

The complexity is exponential: increasing the length of the malicious string by one makes processing take about twice as long.

REPRODUCTION STEPS

In nodejs, run:

require('ansi-html')('\x1b[0m\x1b[' + '0'.repeat(35))

Notice that node hangs at 100% CPU. Increasing the number of spaces increases the processing time.

On my laptop that would take three minutes to complete, whereas

require('ansi-html')('\x1b[0m\x1b[' + '0'.repeat(53))

would take just over one year to complete.

REMEDIATION

Remove the asterisk from the regular expression on line 62.


Doyensec (www.doyensec.com) is an independent security research and development company focused on vulnerability discovery and remediation. We work at the intersection of software development and offensive engineering to help companies craft secure code.

Copyright 2021 by Doyensec LLC. All rights reserved.

Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting
it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided
that due credit is given. The information in the advisory is believed to be accurate at the time of publishing based on
currently available information, and it is provided as-is, as a free service to the community by Doyensec LLC. There are
no warranties with regard to this information, and Doyensec LLC does not accept any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this information.
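
The backtracking growth described in the advisory, and what its remediation changes for valid input, as an added example that is not part of the advisory or of ansi-html's source. `\x1b` is the same character as `\033`; the `OPTIONAL` pattern, the helper names and the sample string are assumptions made here, and the digit counts are kept small so the vulnerable pattern still finishes.

```javascript
// Added example, not ansi-html source.
const VULNERABLE = /\x1b\[(\d+)*m/g; // pattern quoted in the advisory
const REMEDIATED = /\x1b\[(\d+)m/g;  // asterisk removed, as the advisory recommends
const OPTIONAL = /\x1b\[(\d+)?m/g;   // alternative (not from the advisory): still matches ESC[m

// Replace each matched sequence with a visible marker so behaviour can be compared.
function mark(re, text) {
  return text.replace(re, (match, seq) => `<${seq === undefined ? '' : seq}>`);
}

// Wall-clock milliseconds for one replace() over `text`.
function timeMs(re, text) {
  const start = performance.now();
  text.replace(re, '');
  return performance.now() - start;
}

// Unterminated run of n digits: the input shape from REPRODUCTION STEPS,
// short enough that the vulnerable pattern completes in well under a second.
function unterminated(n) {
  return '\x1b[0m\x1b[' + '0'.repeat(n);
}

// One timing row per length, to make the growth rate visible.
function growthTable(re, lengths) {
  return lengths.map((n) => ({ n, ms: timeMs(re, unterminated(n)) }));
}

// Constructed sample: a coloured word, a numeric reset, then a bare reset (ESC[m).
const SAMPLE = 'a \x1b[32mgreen\x1b[0m b \x1b[m c';

console.log(JSON.stringify(mark(VULNERABLE, SAMPLE)));
console.log(JSON.stringify(mark(REMEDIATED, SAMPLE))); // bare ESC[m is no longer matched
console.log(JSON.stringify(mark(OPTIONAL, SAMPLE)));

// Vulnerable: time roughly doubles per extra digit. Linear patterns stay flat.
console.table(growthTable(VULNERABLE, [16, 18, 20, 22]));
console.table(growthTable(REMEDIATED, [16, 18, 20, 22, 50000]));
console.table(growthTable(OPTIONAL, [16, 18, 20, 22, 50000]));
```

A regression test for the fix can assert on both properties shown here: the time bound on a long unterminated digit run, and the exact set of sequences the new pattern still matches.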

Add command-line version

It would be useful to have a command-line version, so I could simply pipe a text file through it and get a HTML file on stdout.

Consider changing opacity value for "dim"?

At least on a white background, opacity: 0.8 doesn't look that different than fully opaque. Would you consider making dim correspond to something more like opacity: 0.5?

Thanks.

cannot recognize [0;36m color mark

When processing stdout like this [32m[1m, ansi-html recognizes it as a green span; however, when the text changes to [0;36mxxx or [0;32mxxxx, it can't replace it.

Desired background?

The default colors in ansi-html include both pure black and pure white and many colors at the edges of the spectrum, which makes it quite difficult to make text readable against a background.

For instance:

[Screenshot: 2015-11-20 at 12 17 pm]

Super bright cyan

[Screenshot: 2015-11-20 at 12 18 pm]

Black text not visible.

Could the theme be customized, or set to something more centered on one side of the spectrum?

Background and foreground at same time

It doesn't appear to translate ansi characters with both a background and foreground color.

Say, in chalk you can be like
`chalk.magenta.bgGreenBright('magenta foreground, green background')`

but when the ansi gets converted with ansi-html it outputs with a color style
