Make WordPress Core

Changeset 58845


Ignore:
Timestamp:
08/02/2024 11:46:45 PM (2 months ago)
Author:
dmsnell
Message:

HTML API: Fix an infinite loop in certain unclosed SCRIPT tags.

When the Tag Processor (or HTML Processor) attempts to parse certain
incomplete script tags, the parser enters an infinite loop and will
hang indefinitely. The conditions to reach this situation are:

  • Input HTML ends with an open script tag.
  • The final character of input is - or <.

The infinite loop was caused by the parser-advancing increment not being
called when two || OR conditions short-circuited. If the first
condition was true, the $at++ code was never reached.

This path resolves the issue.

Developed in https://github.com/wordpress/wordpress-develop/pull/7128
Discussed in https://core.trac.wordpress.org/ticket/61810

Follow-up to [55203].

Props: dmsnell, jonsurrell.
Fixes #61810.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php

    r58844 r58845  
    14321432            }
    14331433
    1434             // Everything of interest past here starts with "<".
    1435             if ( $at + 1 >= $doc_length || '<' !== $html[ $at++ ] ) {
     1434            if ( $at + 1 >= $doc_length ) {
     1435                return false;
     1436            }
     1437
     1438            /*
     1439             * Everything of interest past here starts with "<".
     1440             * Check this character and advance position regardless.
     1441             */
     1442            if ( '<' !== $html[ $at++ ] ) {
    14361443                continue;
    14371444            }
  • trunk/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php

    r58740 r58845  
    28762876        );
    28772877    }
     2878
     2879    /**
     2880     * Test an infinite loop bugfix in incomplete script tag parsing.
     2881     *
     2882     * @small
     2883     *
     2884     * @ticket 61810
     2885     */
     2886    public function test_script_tag_processing_no_infinite_loop_final_dash() {
     2887        $processor = new WP_HTML_Tag_Processor( '<script>-' );
     2888
     2889        $this->assertFalse( $processor->next_tag() );
     2890        $this->assertTrue( $processor->paused_at_incomplete_token() );
     2891    }
     2892
     2893    /**
     2894     * Test an infinite loop bugfix in incomplete script tag parsing.
     2895     *
     2896     * @small
     2897     *
     2898     * @ticket 61810
     2899     */
     2900    public function test_script_tag_processing_no_infinite_loop_final_left_angle_bracket() {
     2901        $processor = new WP_HTML_Tag_Processor( '<script><' );
     2902
     2903        $this->assertFalse( $processor->next_tag() );
     2904        $this->assertTrue( $processor->paused_at_incomplete_token() );
     2905    }
    28782906}
Note: See TracChangeset for help on using the changeset viewer.