diff --git a/NEWS b/NEWS index e6f5c973..afa6dd76 100644 --- a/NEWS +++ b/NEWS @@ -28,6 +28,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier spaces and commas are not included as part of URL. Thanks nAS for fixing. - Fix some bad interactions with %HTML.Allowed and injectors. Thanks David Hirtz for reporting. +- Fix infinite loop in DirectLex. Thanks Ashar Javed for reporting. 4.5.0, released 2013-02-17 # Fix bug where stacked attribute transforms clobber each other; diff --git a/library/HTMLPurifier/Lexer/DirectLex.php b/library/HTMLPurifier/Lexer/DirectLex.php index 5bd5167e..746b6e31 100644 --- a/library/HTMLPurifier/Lexer/DirectLex.php +++ b/library/HTMLPurifier/Lexer/DirectLex.php @@ -441,11 +441,12 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer // space, so let's guarantee that there's always a terminating space. $string .= ' '; - while (true) { - - if ($cursor >= $size) { - break; + $old_cursor = -1; + while ($cursor < $size) { + if ($old_cursor >= $cursor) { + throw new Exception("Infinite loop detected"); } + $old_cursor = $cursor; $cursor += ($value = strspn($string, $this->_whitespace, $cursor)); // grab the key @@ -463,7 +464,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer if ($e) { $e->send(E_ERROR, 'Lexer: Missing attribute key'); } - $cursor += strcspn($string, $this->_whitespace, $cursor + 1); // prevent infinite loop + $cursor += 1 + strcspn($string, $this->_whitespace, $cursor + 1); // prevent infinite loop continue; // empty key } diff --git a/tests/HTMLPurifier/HTMLT/style-onload.htmlt b/tests/HTMLPurifier/HTMLT/style-onload.htmlt new file mode 100644 index 00000000..8782bdc6 --- /dev/null +++ b/tests/HTMLPurifier/HTMLT/style-onload.htmlt @@ -0,0 +1,6 @@ +--INI-- +Core.CollectErrors = true +--HTML-- +