Fix improper handling of IE conditional comments.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2024-11-09 15:28:40 +00:00 · 2010-06-18 06:08:54 -07:00 · 2010-06-18 06:08:54 -07:00 · 33afd7d9e0
commit 33afd7d9e0
parent 18e538317a
4 changed files with 30 additions and 0 deletions
--- a/4
+++ b/4
@ -9,6 +9,10 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
    . Internal change
 ==========================

+4.1.2, unknown release date
+- Fix improper handling of Internet Explorer conditional comments
+  by parser.  Thanks zmonteca for reporting.
+
 4.1.1, released 2010-05-31
 - Fix undefined index warnings in maintenance scripts.
 - Fix bug in DirectLex for parsing elements with a single attribute
--- a/library/HTMLPurifier/Lexer.php
+++ b/library/HTMLPurifier/Lexer.php
@ -230,6 +230,17 @@ class HTMLPurifier_Lexer
        );
    }

+    /**
+     * Special Internet Explorer conditional comments should be removed.
+     */
+    protected static function removeIEConditional($string) {
+        return preg_replace(
+            '#<!--\[if [^>]+\]>.*<!\[endif\]-->#si', // probably should generalize for all strings
+            '',
+            $string
+        );
+    }
+
    /**
     * Callback function for escapeCDATA() that does the work.
     *
@ -260,6 +271,8 @@ class HTMLPurifier_Lexer
            $html = $this->escapeCommentedCDATA($html);
        }

+        $html = $this->removeIEConditional($html);
+
        // escape CDATA
        $html = $this->escapeCDATA($html);

--- a/tests/HTMLPurifier/HTMLT/double-youtube.htmlt
+++ b/tests/HTMLPurifier/HTMLT/double-youtube.htmlt
@ -0,0 +1,6 @@
+--INI--
+HTML.SafeObject = true
+Output.FlashCompat = true
+--HTML--
+<object width="425" height="350" data="http://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/BdU--T8rLns" /><param name="wmode" value="window" /><!--[if IE]><embed width="425" height="350" src="http://www.youtube.com/v/BdU--T8rLns" allowScriptAccess="never" allowNetworking="internal" wmode="window" /><![endif]--></object>
+--# vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/LexerTest.php
+++ b/tests/HTMLPurifier/LexerTest.php
@ -710,6 +710,13 @@ div {}
        );
    }

+    function test_tokenizeHTML_ignoreIECondComment() {
+        $this->assertTokenization(
+            '<!--[if IE]>foo<a>bar<!-- baz --><![endif]-->',
+            array()
+        );
+    }
+
    /*

    function test_tokenizeHTML_() {