mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 16:31:53 +00:00
Code Releases Activity

Fix infinite loop in Lexer.

Browse Source 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
Edward Z. Yang 2013-10-27 21:41:08 -07:00
parent e52d1fe310
commit 54477c172b
4 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
NEWS
View File

@ -28,6 +28,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
spaces and commas are not included as part of URL. Thanks nAS for fixing. spaces and commas are not included as part of URL. Thanks nAS for fixing.
- Fix some bad interactions with %HTML.Allowed and injectors. Thanks - Fix some bad interactions with %HTML.Allowed and injectors. Thanks
David Hirtz for reporting. David Hirtz for reporting.
- Fix infinite loop in DirectLex. Thanks Ashar Javed for reporting.
4.5.0, released 2013-02-17 4.5.0, released 2013-02-17
# Fix bug where stacked attribute transforms clobber each other; # Fix bug where stacked attribute transforms clobber each other;

11
library/HTMLPurifier/Lexer/DirectLex.php
View File

@ -441,11 +441,12 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
// space, so let's guarantee that there's always a terminating space. // space, so let's guarantee that there's always a terminating space.
$string .= ' '; $string .= ' ';
while (true) { $old_cursor = -1;
while ($cursor < $size) {
if ($cursor >= $size) { if ($old_cursor >= $cursor) {
break; throw new Exception("Infinite loop detected");
} }
$old_cursor = $cursor;
$cursor += ($value = strspn($string, $this->_whitespace, $cursor)); $cursor += ($value = strspn($string, $this->_whitespace, $cursor));
// grab the key // grab the key
@ -463,7 +464,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
if ($e) { if ($e) {
$e->send(E_ERROR, 'Lexer: Missing attribute key'); $e->send(E_ERROR, 'Lexer: Missing attribute key');
} }
$cursor += strcspn($string, $this->_whitespace, $cursor + 1); // prevent infinite loop $cursor += 1 + strcspn($string, $this->_whitespace, $cursor + 1); // prevent infinite loop
continue; // empty key continue; // empty key
} }

6
tests/HTMLPurifier/HTMLT/style-onload.htmlt Normal file
View File

@ -0,0 +1,6 @@
--INI--
Core.CollectErrors = true
--HTML--
<style/onload = !-alert&#x28;1&#x29;>
--EXPECT--
--# vim: et sw=4 sts=4

2
tests/HTMLPurifier/Lexer/DirectLexTest.php
View File

@ -56,7 +56,7 @@ class HTMLPurifier_Lexer_DirectLexTest extends HTMLPurifier_Harness
$expect[11] = array(); $expect[11] = array();
$input[12] = '="" =""'; $input[12] = '="" =""';
$expect[12] = array('"' => ''); // tough to say, just don't throw a loop $expect[12] = array(); // tough to say, just don't throw a loop
$input[13] = 'href="'; $input[13] = 'href="';
$expect[13] = array('href' => ''); $expect[13] = array('href' => '');