RSS FeedTwitterMastodonBlueskyShare IconHeart IconGithub IconArrow IconClock IconGUI Challenges IconHome IconNote IconBlog IconCSS IconJS IconHTML IconShows IconGit IconSpeaking IconTools IconShuffle IconNext IconPrevious IconCalendar IconCalendar Edit Icon
My google avatar.
devrel@google
notecss

Billion Laughs Attack
aka: XML bomb 💣

A type of DoS attack aimed at XML parsers that with a few liens of code, aims to consume a ton of memory.

:root {
  --ha1: lol;
  --ha2: var(--ha1) var(--ha1) var(--ha1);
  --ha3: var(--ha2) var(--ha2) var(--ha2);
  --ha4: var(--ha3) var(--ha3) var(--ha3);
  --ha5: var(--ha4) var(--ha4) var(--ha4);
  ...
}

#CSS was a victim of this when custom properties were introduced.

Learn more on Wikipedia or the CSS Variables Spec.

Crawl the CSS Webring