diff --git a/NEWS b/NEWS
index c48608fb..8690324f 100644
--- a/NEWS
+++ b/NEWS
@@ -27,8 +27,9 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 - Spurious internal content reorganization error suppressed
 - HTMLDefinition->addElement now returns a reference to the created element
   object, as implied by the documentation
-- Phorum mod's HTML Purifier help message expanded, however, a new tarball
-  was not released
+- Phorum mod's HTML Purifier help message expanded (unreleased elsewhere)
+- Fix a theoretical class of infinite loops from DirectLex reported
+  by Nate Abele
 . %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment to
   better communicate its purpose
 . Error unit tests can now specify the expectation of no errors. Future
diff --git a/library/HTMLPurifier/Lexer/DirectLex.php b/library/HTMLPurifier/Lexer/DirectLex.php
index b3639916..86c0a211 100644
--- a/library/HTMLPurifier/Lexer/DirectLex.php
+++ b/library/HTMLPurifier/Lexer/DirectLex.php
@@ -160,9 +160,15 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
             $segment = substr($html, $cursor, $strlen_segment);
+            if ($segment === false) {
+                // somehow, we attempted to access beyond the end of
+                // the string, defense-in-depth, reported by Nate Abele
+                break;
+            }
+
             // Check if it's a comment
             if (
-                substr($segment, 0, 3) == '!--'
+                substr($segment, 0, 3) === '!--'
             ) {
                 // re-determine segment length, looking for -->
                 $position_comment_end = strpos($html, '-->', $cursor);
@@ -237,7 +243,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
             // trailing slash. Remember, we could have a tag like
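Review bot: The guard `if ($segment === false)` depends on a `substr()` return value that is version-specific — on PHP 8 `substr()` returns `''` instead of `false` when the start offset is past the end of `$html`, so the new check never fires there and the cursor-overshoot condition it was added for is unprotected again. A version-independent form is to test the position rather than the result, i.e. compare `$cursor` against the length of `$html` before the `substr()` call, or, if an empty segment is never legitimate at this point (the enclosing loop starts outside the hunk, so I cannot confirm that here), widen the check to `if ($segment === false || $segment === '') { break; }`. The comment's "somehow" should name the violated invariant so the bare `break` is not mistaken for dead code later, e.g. `// $cursor ran past the end of $html; stop rather than loop on an empty segment`. Since the lexer consumes untrusted markup, silently stopping is the right fail-closed choice, but routing the condition through the library's existing internal-error reporting would make the root cause visible instead of masked.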
, so
             // any later token processing scripts must convert improperly
             // classified EmptyTags from StartTags.
-            $is_self_closing= (strrpos($segment,'/') === $strlen_segment-1);
+            $is_self_closing = (strrpos($segment,'/') === $strlen_segment-1);
             if ($is_self_closing) {
                 $strlen_segment--;
                 $segment = substr($segment, 0, $strlen_segment);