Supported hundreds of nested HTML (#202)

* Supported hundreds of nested HTML (#201) * Add Core.AllowParseManyTags
2024-10-18 05:48:41 +00:00 · 2019-07-15 02:15:31 +09:00 · 2019-07-15 02:15:31 +09:00 · 8c153eef3a
commit 8c153eef3a
parent 524cd08a59
8 changed files with 42 additions and 2 deletions
--- a/1
+++ b/1
@ -13,6 +13,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 # SafeScripting is now case-sensitive (previously it was
  case-insensitive.)  Thanks Dimitri Gritsajuk <gritsajuk.dimitri@gmail.com>
  for reporting.
+! New directive %Core.AllowParseManyTags which allows parsing of many nested tags.

 4.10.0, released 2018-02-22
 # PHP 5.3 is no longer officially supported by HTML Purifier
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@ -94,6 +94,11 @@
   <line>429</line>
  </file>
 </directive>
+ <directive id="Core.AllowParseManyTags">
+  <file name="HTMLPurifier/Lexer/DOMLex.php">
+   <line>72</line>
+  </file>
+ </directive>
 <directive id="Output.CommentScriptContents">
  <file name="HTMLPurifier/Generator.php">
   <line>70</line>
--- a/docs/dev-config-naming.txt
+++ b/docs/dev-config-naming.txt
@ -75,6 +75,7 @@ Core is the potpourri of directives, mostly regarding some minor behavioral
 tweaks for HTML handling abilities.

    AggressivelyFixLt
+    AllowParseManyTags
    ConvertDocumentToFragment
    DirectLexLineNumberSyncInterval
    LexerImpl
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt
@ -0,0 +1,12 @@
+Core.AllowParseManyTags
+TYPE: bool
+DEFAULT: false
+VERSION: 4.10.1
+--DESCRIPTION--
+<p>
+    This directive allows parsing of many nested tags.
+    If you set true, relaxes any hardcoded limit from the parser.
+    However, in that case it may cause a Dos attack.
+    Be careful when enabling it.
+</p>
+--# vim: et sw=4 sts=4
--- a/library/HTMLPurifier/Lexer/DOMLex.php
+++ b/library/HTMLPurifier/Lexer/DOMLex.php
@ -68,8 +68,13 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
        $doc = new DOMDocument();
        $doc->encoding = 'UTF-8'; // theoretically, the above has this covered

+        $options = 0;
+        if ($config->get('Core.AllowParseManyTags') && defined('LIBXML_PARSEHUGE')) {
+            $options |= LIBXML_PARSEHUGE;
+        }
+
        set_error_handler(array($this, 'muteErrorHandler'));
-        $doc->loadHTML($html);
+        $doc->loadHTML($html, $options);
        restore_error_handler();

        $body = $doc->getElementsByTagName('html')->item(0)-> // <html>
--- a/plugins/phorum/config.default.php
+++ b/plugins/phorum/config.default.php
@ -53,5 +53,6 @@ $config->set('Core.Encoding', $GLOBALS['PHORUM']['DATA']['CHARSET']); // we'll c
 if (strtolower($GLOBALS['PHORUM']['DATA']['CHARSET']) !== 'utf-8') {
  $config->set('Core.EscapeNonASCIICharacters', true);
 }
+$config->set('Core.AllowParseManyTags', false);

 // vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/HTMLDefinitionTest.php
+++ b/tests/HTMLPurifier/HTMLDefinitionTest.php
@ -384,6 +384,21 @@ a[href|title]
        $this->config->getHTMLDefinition();
    }

+    public function test_manyNestedTags()
+    {
+        $config = HTMLPurifier_Config::createDefault();
+        $config->set('Core.AllowParseManyTags', true);
+        $purifier = new HTMLPurifier($config);
+
+        $input = 'I am inside a lot of tags';
+        for ($i = 0; $i < 300; $i++) {
+            $input = '<div>' . $input . '</div>';
+        }
+        $output = $purifier->purify($input);
+
+        $this->assertIdentical($input, $output);
+    }
+
 }

 // vim: et sw=4 sts=4