From 662c2f699d426386f585de149ab3e38d8cac4918 Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Wed, 4 May 2005 22:32:05 +0000 Subject: [PATCH] * (bug 2067) Fixed crash on empty quoted HTML attribute --- RELEASE-NOTES | 5 ++++ includes/Sanitizer.php | 29 ++++++++++--------- maintenance/parserTests.txt | 55 +++++++++++++++++++++++++++++++++++++ 3 files changed, 74 insertions(+), 15 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index c7103f7764..f857424dc7 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -156,6 +156,11 @@ Various bugfixes, small features, and a few experimental things: * ...and more! +=== Changes since 1.5alpha1 === + +* ...various... +* (bug 2067) Fixed crash on empty quoted HTML attribute + === Caveats === diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php index 384fd2091d..faac940f07 100644 --- a/includes/Sanitizer.php +++ b/includes/Sanitizer.php 
@@ -246,25 +246,24 @@ class Sanitizer { $attribute = strtolower( $set[1] ); if( !isset( $whitelist[$attribute] ) ) { continue; - } - if( !isset( $set[2] ) ) { - # In XHTML, attributes must have a value. - $value = $set[1]; - } elseif( $set[3] != '' ) { - # Double-quoted - $value = Sanitizer::normalizeAttributeValue( $set[3] ); - } elseif( $set[4] != '' ) { + } elseif( isset( $set[6] ) ) { + # Illegal #XXXXXX color with no quotes. + $value = Sanitizer::normalizeAttributeValue( $set[6] ); + } elseif( isset( $set[5] ) ) { + # No quotes. + $value = Sanitizer::normalizeAttributeValue( $set[5] ); + } elseif( isset( $set[4] ) ) { # Single-quoted $value = str_replace( '"', '"', Sanitizer::normalizeAttributeValue( $set[4] ) ); - } elseif( $set[5] != '' ) { - # No quotes. - $value = Sanitizer::normalizeAttributeValue( $set[5] ); - } elseif( $set[6] != '' ) { - # Illegal #XXXXXX color with no quotes. - $value = Sanitizer::normalizeAttributeValue( $set[6] ); + } elseif( isset( $set[3] ) ) { + # Double-quoted + $value = Sanitizer::normalizeAttributeValue( $set[3] ); + } elseif( !isset( $set[2] ) ) { + # In XHTML, attributes must have a value. + $value = $set[1]; } else { - wfDebugDieBacktrace( "Tag conditions not met. Something's very odd." ); + wfDebugDieBacktrace( "Tag conditions not met. This should never happen and is a bug." ); } # Strip javascript "expression" from stylesheets. diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt index c249a5f7fc..03763613a8 100644 --- a/maintenance/parserTests.txt +++ b/maintenance/parserTests.txt @@ -2210,6 +2210,61 @@ Character reference normalization in link text (bug 1938)
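Review bot: The final `else` still calls `wfDebugDieBacktrace()` from inside the sanitizer, so any attribute form the branches above do not cover (for example `$set[2]` present while `$set[3]` to `$set[6]` are all absent, if the pattern allows that) aborts rendering on user-supplied markup, which is the same failure class as bug 2067. Dropping the attribute fails closed without taking the page down: `} else { wfDebug( "Sanitizer: unrecognised attribute form dropped\n" ); continue; }`. The new highest-to-lowest `isset()` order also looks load-bearing, presumably because the matcher omits only trailing unmatched groups and leaves earlier ones as empty strings. A comment above the chain, such as `# Test groups from 6 down to 3: groups before the one that matched are present as ''`, would stop a later reorder from reintroducing the crash. The regex that fills `$set` and the rest of the enclosing method are outside this hunk, so whether the `else` is reachable is inferred rather than confirmed.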

!!end +!! test +Empty attribute crash test (bug 2067) +!! input +foo +!! result +

foo +

+!! end + +!! test +Empty attribute crash test single-quotes (bug 2067) +!! input +foo +!! result +

foo +

+!! end + +!! test +Attribute test: equals, then nothing +!! input +foo +!! result +

foo +

+!! end + +!! test +Attribute test: unquoted value +!! input +foo +!! result +

foo +

+!! end + +!! test +Attribute test: unquoted but illegal value (hash) +!! input +foo +!! result +

foo +

+!! end + +!! test +Attribute test: no value +!! input +foo +!! result +

foo +

+!! end + + TODO: more images more tables -- 2.20.1