Supported hundreds of nested HTML (#202)

* Supported hundreds of nested HTML (#201)

* Add Core.AllowParseManyTags

NEWS

@@ -13,6 +13,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 # SafeScripting is now case-sensitive (previously it was
   case-insensitive.)  Thanks Dimitri Gritsajuk <gritsajuk.dimitri@gmail.com>
   for reporting.
+! New directive %Core.AllowParseManyTags which allows parsing of many nested tags.
 
 4.10.0, released 2018-02-22
 # PHP 5.3 is no longer officially supported by HTML Purifier

configdoc/usage.xml

@@ -94,6 +94,11 @@
    <line>429</line>
   </file>
  </directive>
+ <directive id="Core.AllowParseManyTags">
+  <file name="HTMLPurifier/Lexer/DOMLex.php">
+   <line>72</line>
+  </file>
+ </directive>
  <directive id="Output.CommentScriptContents">
   <file name="HTMLPurifier/Generator.php">
    <line>70</line>

docs/dev-config-naming.txt

@@ -75,6 +75,7 @@ Core is the potpourri of directives, mostly regarding some minor behavioral
 tweaks for HTML handling abilities.
 
     AggressivelyFixLt
+    AllowParseManyTags
     ConvertDocumentToFragment
     DirectLexLineNumberSyncInterval
     LexerImpl

library/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt

@@ -0,0 +1,12 @@
+Core.AllowParseManyTags
+TYPE: bool
+DEFAULT: false
+VERSION: 4.10.1
+--DESCRIPTION--
+<p>
+    This directive allows parsing of many nested tags.
+    If you set true, relaxes any hardcoded limit from the parser.
+    However, in that case it may cause a Dos attack.
+    Be careful when enabling it.
+</p>
+--# vim: et sw=4 sts=4

library/HTMLPurifier/Lexer/DOMLex.php

@@ -68,8 +68,13 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
         $doc = new DOMDocument();
         $doc->encoding = 'UTF-8'; // theoretically, the above has this covered
 
+        $options = 0;
+        if ($config->get('Core.AllowParseManyTags') && defined('LIBXML_PARSEHUGE')) {
+            $options |= LIBXML_PARSEHUGE;
+        }
+
         set_error_handler(array($this, 'muteErrorHandler'));
-        $doc->loadHTML($html);
+        $doc->loadHTML($html, $options);
         restore_error_handler();
 
         $body = $doc->getElementsByTagName('html')->item(0)-> // <html>

plugins/phorum/config.default.php

@@ -53,5 +53,6 @@ $config->set('Core.Encoding', $GLOBALS['PHORUM']['DATA']['CHARSET']); // we'll c
 if (strtolower($GLOBALS['PHORUM']['DATA']['CHARSET']) !== 'utf-8') {
   $config->set('Core.EscapeNonASCIICharacters', true);
 }
+$config->set('Core.AllowParseManyTags', false);
 
 // vim: et sw=4 sts=4

tests/HTMLPurifier/HTMLDefinitionTest.php

@@ -384,6 +384,21 @@ a[href|title]
         $this->config->getHTMLDefinition();
     }
 
+    public function test_manyNestedTags()
+    {
+        $config = HTMLPurifier_Config::createDefault();
+        $config->set('Core.AllowParseManyTags', true);
+        $purifier = new HTMLPurifier($config);
+
+        $input = 'I am inside a lot of tags';
+        for ($i = 0; $i < 300; $i++) {
+            $input = '<div>' . $input . '</div>';
+        }
+        $output = $purifier->purify($input);
+
+        $this->assertIdentical($input, $output);
+    }
+
 }
 
 // vim: et sw=4 sts=4