From 275932ec05b56db7bfd1d8a26e13ce7aa1e53030 Mon Sep 17 00:00:00 2001 From: "Edward Z. Yang" Date: Tue, 26 Jun 2007 16:08:42 +0000 Subject: [PATCH] [2.0.1] Fix DirectLex's incomprehension of un-armored script contents as CDATA using custom preg_replace_callback git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1244 48356398-32a2-884e-a903-53898d9a118a --- library/HTMLPurifier/Lexer.php | 1 - library/HTMLPurifier/Lexer/DirectLex.php | 17 +++++++++++++++++ tests/HTMLPurifier/HTMLModule/ScriptingTest.php | 7 ------- tests/HTMLPurifier/LexerTest.php | 11 +++++++++++ 4 files changed, 28 insertions(+), 8 deletions(-) diff --git a/library/HTMLPurifier/Lexer.php b/library/HTMLPurifier/Lexer.php index c1b83d18..57950254 100644 --- a/library/HTMLPurifier/Lexer.php +++ b/library/HTMLPurifier/Lexer.php @@ -274,7 +274,6 @@ class HTMLPurifier_Lexer * Special CDATA case that is especiall convoluted for )#si', + array('HTMLPurifier_Lexer_DirectLex', 'scriptCallback'), $html); + } + $html = $this->normalize($html, $config, $context); $cursor = 0; // our location in the text diff --git a/tests/HTMLPurifier/HTMLModule/ScriptingTest.php b/tests/HTMLPurifier/HTMLModule/ScriptingTest.php index 1f06b2a5..ce108f7b 100644 --- a/tests/HTMLPurifier/HTMLModule/ScriptingTest.php +++ b/tests/HTMLPurifier/HTMLModule/ScriptingTest.php @@ -46,13 +46,6 @@ alert(""); array('HTML.Trusted' => true, 'Core.CommentScriptContents' => false) ); - // invalid children - $this->assertResult( - '', - '', - array('HTML.Trusted' => true, 'Core.CommentScriptContents' => false) - ); - } } diff --git a/tests/HTMLPurifier/LexerTest.php b/tests/HTMLPurifier/LexerTest.php index d250493a..f80159be 100644 --- a/tests/HTMLPurifier/LexerTest.php +++ b/tests/HTMLPurifier/LexerTest.php 
@@ -315,6 +315,17 @@ class HTMLPurifier_LexerTest extends UnitTestCase
 $sax_expect[21] = false;
 $dom_expect[21] = false;
+ // test CDATA tags
+ $input[22] = '';
+ $expect[22] = array(
+ new HTMLPurifier_Token_Start('script')
+ ,new HTMLPurifier_Token_Text('alert("");')
+ ,new HTMLPurifier_Token_End('script')
+ );
+ $config[22] = HTMLPurifier_Config::create(array('HTML.Trusted' => true));
+ $sax_expect[22] = false;
+ //$dom_expect[22] = false;
+
 $default_config = HTMLPurifier_Config::createDefault();
 $default_context = new HTMLPurifier_Context();
 foreach($input as $i => $discard) {
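Review bot: The commented-out `//$dom_expect[22] = false;` in new case 22 does not say whether DOMLex is meant to be held to `$expect[22]` or was simply left unverified. Delete it or replace it with a one-line reason, e.g. `// DOMLex is compared against $expect[22]; only the SAX lexer is exempted`. The case also sets only `HTML.Trusted => true`, so nothing here pins how DirectLex tokenizes the same input under the default configuration, which is the path untrusted markup takes. A sibling case built with the default config would document that the new script handling stays confined to trusted mode, if that is the intent. The loop that consumes these arrays starts at the `foreach` on the last context line and continues outside the hunk, so the meaning of `false` in `$sax_expect` is inferred from the neighbouring cases.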