Changeset 58845 for trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php

Timestamp:

08/02/2024 11:46:45 PM (19 months ago)

Author:

dmsnell

Message:

HTML API: Fix an infinite loop in certain unclosed SCRIPT tags.

When the Tag Processor (or HTML Processor) attempts to parse certain
incomplete script tags, the parser enters an infinite loop and will
hang indefinitely. The conditions to reach this situation are:

• Input HTML ends with an open script tag.
• The final character of input is - or <.

The infinite loop was caused by the parser-advancing increment not being
called when two || OR conditions short-circuited. If the first
condition was true, the $at++ code was never reached.

This path resolves the issue.

Developed in ​https://github.com/wordpress/wordpress-develop/pull/7128
Discussed in https://core.trac.wordpress.org/ticket/61810

Follow-up to [55203].

Props: dmsnell, jonsurrell.
Fixes #61810.

File:

• trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php (modified) (1 diff)

trunk/src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -1432 +1432 @@
             }
 
-            // Everything of interest past here starts with "<".
-            if ( $at + 1 >= $doc_length || '<' !== $html[ $at++ ] ) {
+            if ( $at + 1 >= $doc_length ) {
+                return false;
+            }
+
+            /*
+             * Everything of interest past here starts with "<".
+             * Check this character and advance position regardless.
+             */
+            if ( '<' !== $html[ $at++ ] ) {
                 continue;
             }