mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-11-09 15:28:40 +00:00
Code Releases Activity

[2.1.3] Fix possible error in DirectLex reported by Nate Abele

Browse Source 
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1438 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2007-11-05 03:22:22 +00:00
parent 1ab47ba949
commit 1274cfed49
2 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
NEWS
View File

@ -27,8 +27,9 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
- Spurious internal content reorganization error suppressed - Spurious internal content reorganization error suppressed
- HTMLDefinition->addElement now returns a reference to the created - HTMLDefinition->addElement now returns a reference to the created
element object, as implied by the documentation element object, as implied by the documentation
- Phorum mod's HTML Purifier help message expanded, however, a new tarball - Phorum mod's HTML Purifier help message expanded (unreleased elsewhere)
was not released - Fix a theoretical class of infinite loops from DirectLex reported
by Nate Abele
. %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment . %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment
to better communicate its purpose to better communicate its purpose
. Error unit tests can now specify the expectation of no errors. Future . Error unit tests can now specify the expectation of no errors. Future

10
library/HTMLPurifier/Lexer/DirectLex.php
View File

@ -160,9 +160,15 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
$segment = substr($html, $cursor, $strlen_segment); $segment = substr($html, $cursor, $strlen_segment);
if ($segment === false) {
// somehow, we attempted to access beyond the end of
// the string, defense-in-depth, reported by Nate Abele
break;
}
// Check if it's a comment // Check if it's a comment
if ( if (
substr($segment, 0, 3) == '!--' substr($segment, 0, 3) === '!--'
) { ) {
// re-determine segment length, looking for --> // re-determine segment length, looking for -->
$position_comment_end = strpos($html, '-->', $cursor); $position_comment_end = strpos($html, '-->', $cursor);
@ -237,7 +243,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
// trailing slash. Remember, we could have a tag like <br>, so // trailing slash. Remember, we could have a tag like <br>, so
// any later token processing scripts must convert improperly // any later token processing scripts must convert improperly
// classified EmptyTags from StartTags. // classified EmptyTags from StartTags.
$is_self_closing= (strrpos($segment,'/') === $strlen_segment-1); $is_self_closing = (strrpos($segment,'/') === $strlen_segment-1);
if ($is_self_closing) { if ($is_self_closing) {
$strlen_segment--; $strlen_segment--;
$segment = substr($segment, 0, $strlen_segment); $segment = substr($segment, 0, $strlen_segment);