RFC: limit libgumbo memory allocations for untrusted HTML5 content

[flavorjones]

Summary

libxml2 has long had default limits on document size in order to prevent untrusted documents from creating an OOM condition and potentially using that as a denial-of-service attack vector. These limits can be removed for trusted documents by setting the HUGE parse option.

libgumbo does not have limits like this, and this issue is being created to discuss the need and possible implementations.

Background

This topic was first raised in #2941 where @stevecheckoway and I discussed the shape of the issue.

[dan42]

It's nice to have "sanity check" type of limits, but silently truncating stuff is not good. Very hard to debug. Please make it raise an error. Ideally have multiple safeties, so we raise on any of

• input string > 10MB
• output mem > 15MB
• tree depth > 1000

(example arbitrary numbers)