Merge pull request #13164 from erik-krogh/polyQhelp

ReDoS: add another example to the qhelp in poly-redos, showing how to just limit the length of the input

javascript/ql/src/Performance/PolynomialReDoS.qhelp

@@ -15,8 +15,7 @@
 		</p>
 
 		<sample language="javascript">
-			text.replace(/^\s+|\s+$/g, ''); // BAD
-		</sample>
+text.replace(/^\s+|\s+$/g, ''); // BAD</sample>
 
 		<p>
 
@@ -71,8 +70,7 @@
 		</p>
 
 		<sample language="javascript">
-			/^0\.\d+E?\d+$/.test(str) // BAD
-		</sample>
+/^0\.\d+E?\d+$/.test(str) // BAD</sample>
 
 		<p>
 
@@ -103,6 +101,33 @@
 
 	</example>
 
+    <example>
+        <p>
+            Sometimes it is unclear how a regular expression can be rewritten to
+            avoid the problem. In such cases, it often suffices to limit the
+            length of the input string. For instance, the following 
+            regular expression is used to match numbers, and on some non-number 
+            inputs it can have quadratic time complexity:
+        </p>
+
+        <sample language="javascript">
+/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/.test(str) // BAD</sample>
+
+        <p>
+            It is not immediately obvious how to rewrite this regular expression 
+            to avoid the problem. However, you can mitigate performance issues by limiting the length
+            to 1000 characters, which will always finish in a reasonable amount
+            of time.
+        </p>
+
+        <sample language="javascript">
+if (str.length &gt; 1000) {
+    throw new Error("Input too long");
+}
+
+/^(\+|-)?(\d+|(\d*\.\d*))?(E|e)?([-+])?(\d+)?$/.test(str)</sample>
+    </example>
+
 	<include src="ReDoSReferences.inc.qhelp"/>
 
 </qhelp>