mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-03-23 14:27:02 +00:00
Code Releases Activity

Fix infinite loop that occurs when we have unquoted attributes.

Browse Source 
git-svn-id: http://htmlpurifier.org/svnroot/html_purifier/trunk@24 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2006-04-15 22:28:03 +00:00
parent bbd2ad29bd
commit 92bfaafd20
2 changed files with 34 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
HTML_Lexer.php
View File

@ -55,7 +55,6 @@ class HTML_Lexer
$array = array(); // result array $array = array(); // result array
while(true) { while(true) {
$position_next_lt = strpos($string, '<', $cursor); $position_next_lt = strpos($string, '<', $cursor);
$position_next_gt = strpos($string, '>', $cursor); $position_next_gt = strpos($string, '>', $cursor);
@ -147,12 +146,16 @@ class HTML_Lexer
function tokenizeAttributeString($string) { function tokenizeAttributeString($string) {
$string = (string) $string; $string = (string) $string;
if ($string == '') return array(); if ($string == '') return array();
$array = array(); $array = array();
$cursor = 0; $cursor = 0;
$in_value = false; $in_value = false;
$i = 0; $i = 0;
$size = strlen($string); $size = strlen($string);
// if we have unquoted attributes, the parser expects a terminating
// space, so let's guarantee that there's always a terminating space.
$string .= ' ';
while(true) { while(true) {
if ($cursor >= $size) { if ($cursor >= $size) {
break; break;
@ -168,8 +171,34 @@ class HTML_Lexer
($position_next_equal < $position_next_space || ($position_next_equal < $position_next_space ||
$position_next_space === false)) { $position_next_space === false)) {
//attr="asdf" //attr="asdf"
// grab the key
$key = trim(substr($string, $cursor, $position_next_equal - $cursor)); $key = trim(substr($string, $cursor, $position_next_equal - $cursor));
// set cursor right after the equal sign
$cursor = $position_next_equal + 1;
// consume all spaces after the equal sign
$position_next_space = $this->nextWhiteSpace($string, $cursor);
while ($position_next_space === $cursor) {
$cursor++;
$position_next_space = $this->nextWhiteSpace($string, $cursor);
}
// find the next quote
$position_next_quote = $this->nextQuote($string, $cursor); $position_next_quote = $this->nextQuote($string, $cursor);
// if the quote is not where the cursor is, we're dealing
// with an unquoted attribute
if ($position_next_quote !== $cursor) {
if ($key) {
$array[$key] = trim(substr($string, $cursor,
$position_next_space - $cursor));
}
$cursor = $position_next_space + 1;
continue;
}
// otherwise, regular attribute
$quote = $string{$position_next_quote}; $quote = $string{$position_next_quote};
$position_end_quote = strpos($string, $quote, $position_next_quote + 1); $position_end_quote = strpos($string, $quote, $position_next_quote + 1);
$value = substr($string, $position_next_quote + 1, $value = substr($string, $position_next_quote + 1,

3
tests/HTML_Lexer.php
View File

@ -152,6 +152,9 @@ class TestCase_HTML_Lexer extends UnitTestCase
$input[] = '="asdf"'; $input[] = '="asdf"';
$expect[] = array(); $expect[] = array();
$input[] = 'missile=launch';
$expect[] = array('missile' => 'launch');
$size = count($input); $size = count($input);
for($i = 0; $i < $size; $i++) { for($i = 0; $i < $size; $i++) {
$result = $this->HTML_Lexer->tokenizeAttributeString($input[$i]); $result = $this->HTML_Lexer->tokenizeAttributeString($input[$i]);