Add configurable DoS protection limits

Add ParserLimits struct with configurable limits to prevent
denial-of-service attacks from pathological HTML input:

- maxEntityNameLength (default: 255): Limits entity name collection
  to prevent memory allocation attacks with inputs like &aaaa...
- maxNestingDepth (default: 512): Limits DOM nesting depth to prevent
  stack overflow on deeply nested input (10,000+ levels)

The limits are configurable via the new `limits` parameter on JustHTML
initializers, with presets for .default, .strict, and .unlimited.

Includes comprehensive test suite (DoSProtectionTests.swift) with 31
tests covering entity limits, nesting limits, and combined attack vectors.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: kylehowells

Sources/swift-justhtml/JustHTML.swift

@@ -25,6 +25,7 @@ public struct JustHTML {
 	///   - scripting: Whether scripting is enabled
 	///   - iframeSrcdoc: Whether parsing iframe srcdoc content
 	///   - xmlCoercion: Whether to coerce output for XML compatibility
+	///   - limits: Parser limits for DoS protection (defaults to sensible limits)
 	/// - Throws: StrictModeError if strict mode is enabled and a parse error occurs
 	public init(
 		_ html: String,
@@ -33,7 +34,8 @@ public struct JustHTML {
 		strict: Bool = false,
 		scripting: Bool = false,
 		iframeSrcdoc: Bool = false,
-		xmlCoercion: Bool = false
+		xmlCoercion: Bool = false,
+		limits: ParserLimits = .default
 	) throws {
 		self.fragmentContext = fragmentContext
 		self.encoding = nil
@@ -44,14 +46,16 @@ public struct JustHTML {
 			fragmentContext: fragmentContext,
 			iframeSrcdoc: iframeSrcdoc,
 			collectErrors: shouldCollect,
-			scripting: scripting
+			scripting: scripting,
+			maxNestingDepth: limits.maxNestingDepth
 		)
 
-		let opts = Self.tokenizerOpts(
+		var opts = Self.tokenizerOpts(
 			fragmentContext: fragmentContext,
 			xmlCoercion: xmlCoercion,
 			scripting: scripting
 		)
+		opts.maxEntityNameLength = limits.maxEntityNameLength
 
 		let tokenizer = Tokenizer(treeBuilder, opts: opts, collectErrors: shouldCollect)
 		treeBuilder.tokenizer = tokenizer
@@ -76,6 +80,7 @@ public struct JustHTML {
 	///   - scripting: Whether scripting is enabled
 	///   - iframeSrcdoc: Whether parsing iframe srcdoc content
 	///   - xmlCoercion: Whether to coerce output for XML compatibility
+	///   - limits: Parser limits for DoS protection (defaults to sensible limits)
 	/// - Throws: StrictModeError if strict mode is enabled and a parse error occurs
 	public init(
 		data: Data,
@@ -85,7 +90,8 @@ public struct JustHTML {
 		strict: Bool = false,
 		scripting: Bool = false,
 		iframeSrcdoc: Bool = false,
-		xmlCoercion: Bool = false
+		xmlCoercion: Bool = false,
+		limits: ParserLimits = .default
 	) throws {
 		let (html, detectedEncoding) = decodeHTML(data, transportEncoding: transportEncoding)
 
@@ -98,14 +104,16 @@ public struct JustHTML {
 			fragmentContext: fragmentContext,
 			iframeSrcdoc: iframeSrcdoc,
 			collectErrors: shouldCollect,
-			scripting: scripting
+			scripting: scripting,
+			maxNestingDepth: limits.maxNestingDepth
 		)
 
-		let opts = Self.tokenizerOpts(
+		var opts = Self.tokenizerOpts(
 			fragmentContext: fragmentContext,
 			xmlCoercion: xmlCoercion,
 			scripting: scripting
 		)
+		opts.maxEntityNameLength = limits.maxEntityNameLength
 
 		let tokenizer = Tokenizer(treeBuilder, opts: opts, collectErrors: shouldCollect)
 		treeBuilder.tokenizer = tokenizer

Sources/swift-justhtml/ParserLimits.swift

@@ -0,0 +1,87 @@
+// ParserLimits.swift - Configurable limits for DoS protection
+//
+// These limits prevent pathological inputs from causing crashes or
+// excessive resource consumption. The defaults are set high enough
+// that no real-world HTML document should ever hit them.
+
+import Foundation
+
+/// Configurable limits for the HTML parser
+///
+/// These limits protect against denial-of-service attacks from malicious
+/// or pathological HTML input. The default values are conservative and
+/// should never be reached by legitimate web content.
+///
+/// Example usage:
+/// ```swift
+/// // Use default limits (recommended for most use cases)
+/// let doc = try JustHTML(html)
+///
+/// // Use larger limits for server with lots of RAM
+/// var limits = ParserLimits()
+/// limits.maxNestingDepth = 2048
+/// let doc = try JustHTML(html, limits: limits)
+///
+/// // Disable limits entirely (not recommended)
+/// let doc = try JustHTML(html, limits: .unlimited)
+/// ```
+public struct ParserLimits: Sendable {
+	/// Maximum length for named character reference entity names.
+	///
+	/// The longest valid HTML entity is ~31 characters (e.g., "CounterClockwiseContourIntegral").
+	/// Setting this limit prevents the tokenizer from allocating huge strings when
+	/// parsing malicious input like `&aaaa...` with millions of characters.
+	///
+	/// Default: 255 characters
+	public var maxEntityNameLength: Int
+
+	/// Maximum depth of nested elements in the DOM tree.
+	///
+	/// Real web pages rarely exceed 100-200 levels of nesting. Extremely deep
+	/// nesting (10,000+ levels) can cause stack overflow crashes during tree
+	/// construction or serialization.
+	///
+	/// When this limit is reached, additional elements are inserted as siblings
+	/// rather than children, preserving the content while flattening the structure.
+	///
+	/// Default: 512 levels
+	public var maxNestingDepth: Int
+
+	/// Create parser limits with default values.
+	///
+	/// Default limits:
+	/// - `maxEntityNameLength`: 255 characters
+	/// - `maxNestingDepth`: 512 levels
+	public init(
+		maxEntityNameLength: Int = 255,
+		maxNestingDepth: Int = 512
+	) {
+		self.maxEntityNameLength = maxEntityNameLength
+		self.maxNestingDepth = maxNestingDepth
+	}
+
+	/// Default limits suitable for most applications.
+	///
+	/// These limits are conservative and should never be reached by
+	/// legitimate web content.
+	public static let `default` = ParserLimits()
+
+	/// Unlimited parsing (no DoS protection).
+	///
+	/// **Warning:** Using unlimited parsing on untrusted input may cause
+	/// crashes or excessive memory/CPU usage. Only use this when parsing
+	/// trusted content or when you have other safeguards in place.
+	public static let unlimited = ParserLimits(
+		maxEntityNameLength: Int.max,
+		maxNestingDepth: Int.max
+	)
+
+	/// Strict limits for resource-constrained environments (e.g., mobile devices).
+	///
+	/// These limits are more restrictive but should still handle all
+	/// well-formed web content.
+	public static let strict = ParserLimits(
+		maxEntityNameLength: 128,
+		maxNestingDepth: 256
+	)
+}

Sources/swift-justhtml/Tokenizer.swift

@@ -110,19 +110,23 @@ public struct TokenizerOpts {
 	public var xmlCoercion: Bool
 	public var discardBom: Bool
 	public var scripting: Bool
+	/// Maximum length for named character reference entity names (DoS protection)
+	public var maxEntityNameLength: Int
 
 	public init(
 		initialState: Tokenizer.State = .data,
 		initialRawtextTag: String? = nil,
 		xmlCoercion: Bool = false,
 		discardBom: Bool = false,
-		scripting: Bool = false
+		scripting: Bool = false,
+		maxEntityNameLength: Int = ParserLimits.default.maxEntityNameLength
 	) {
 		self.initialState = initialState
 		self.initialRawtextTag = initialRawtextTag
 		self.xmlCoercion = xmlCoercion
 		self.discardBom = discardBom
 		self.scripting = scripting
+		self.maxEntityNameLength = maxEntityNameLength
 	}
 }
 
@@ -3025,15 +3029,35 @@ public final class Tokenizer {
 		var matchedEntity: String? = nil
 		var matchedLength = 0
 		var consumed = 0
+		let maxLength = self.opts.maxEntityNameLength
+		var hitLimit = false
 
 		while let ch = peek() {
 			if ch.isASCIILetter || ch.isASCIIDigit {
+				// Check entity name length limit (DoS protection)
+				// The longest valid HTML entity is ~31 chars, so hitting this limit
+				// means the entity is definitely invalid - stop looking for matches
+				// but continue consuming to emit the full text
+				if consumed >= maxLength {
+					hitLimit = true
+					// Consume remaining alphanumeric characters and emit them as text
+					self.flushCharRefTempBuffer()
+					self.emitCharRefString(entityName)
+					// Emit remaining characters directly
+					while let next = peek(), next.isASCIILetter || next.isASCIIDigit {
+						self.emitChar(next)
+						_ = self.consume()
+					}
+					self.state = self.returnState
+					return
+				}
+
 				entityName.append(ch)
 				_ = self.consume()
 				consumed += 1
 
-				// Check for match
-				if let decoded = NAMED_ENTITIES[entityName] {
+				// Check for match (only if we haven't exceeded the limit)
+				if !hitLimit, let decoded = NAMED_ENTITIES[entityName] {
 					matchedEntity = decoded
 					matchedLength = consumed
 				}

Sources/swift-justhtml/TreeBuilder.swift

@@ -178,6 +178,9 @@ public final class TreeBuilder: TokenSink {
 	public var errors: [ParseError] = []
 	private var collectErrors: Bool
 
+	/// Maximum nesting depth (DoS protection)
+	private let maxNestingDepth: Int
+
 	/// Reference to tokenizer for switching states
 	public weak var tokenizer: Tokenizer? = nil
 
@@ -192,12 +195,14 @@ public final class TreeBuilder: TokenSink {
 		fragmentContext: FragmentContext? = nil,
 		iframeSrcdoc: Bool = false,
 		collectErrors: Bool = false,
-		scripting: Bool = false
+		scripting: Bool = false,
+		maxNestingDepth: Int = ParserLimits.default.maxNestingDepth
 	) {
 		self.fragmentContext = fragmentContext
 		self.iframeSrcdoc = iframeSrcdoc
 		self.collectErrors = collectErrors
 		self.scripting = scripting
+		self.maxNestingDepth = maxNestingDepth
 
 		if fragmentContext != nil {
 			self.document = Node(name: "#document-fragment")
@@ -2739,7 +2744,16 @@ public final class TreeBuilder: TokenSink {
 	{
 		let element = self.createElement(name: name, namespace: namespace, attrs: attrs)
 		self.insertNode(element)
-		self.openElements.append(element)
+
+		// DoS protection: limit nesting depth
+		// If we've hit the limit, don't push onto stack - element becomes effectively void
+		// This prevents stack overflow on extremely deeply nested documents
+		if self.openElements.count < self.maxNestingDepth {
+			self.openElements.append(element)
+		}
+		// Note: element is still in the DOM, just won't receive children
+		// Content will be inserted into the parent element instead
+
 		return element
 	}