From 662c2f699d426386f585de149ab3e38d8cac4918 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Wed, 4 May 2005 22:32:05 +0000
Subject: [PATCH] * (bug 2067) Fixed crash on empty quoted HTML attribute
---
RELEASE-NOTES | 5 ++++
includes/Sanitizer.php | 29 ++++++++++---------
maintenance/parserTests.txt | 55 +++++++++++++++++++++++++++++++++++++
3 files changed, 74 insertions(+), 15 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index c7103f7764..f857424dc7 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -156,6 +156,11 @@ Various bugfixes, small features, and a few experimental things:
* ...and more!
+=== Changes since 1.5alpha1 ===
+
+* ...various...
+* (bug 2067) Fixed crash on empty quoted HTML attribute
+
=== Caveats ===
diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 384fd2091d..faac940f07 100644
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -246,25 +246,24 @@ class Sanitizer {
$attribute = strtolower( $set[1] );
if( !isset( $whitelist[$attribute] ) ) {
continue;
- }
- if( !isset( $set[2] ) ) {
- # In XHTML, attributes must have a value.
- $value = $set[1];
- } elseif( $set[3] != '' ) {
- # Double-quoted
- $value = Sanitizer::normalizeAttributeValue( $set[3] );
- } elseif( $set[4] != '' ) {
+ } elseif( isset( $set[6] ) ) {
+ # Illegal #XXXXXX color with no quotes.
+ $value = Sanitizer::normalizeAttributeValue( $set[6] );
+ } elseif( isset( $set[5] ) ) {
+ # No quotes.
+ $value = Sanitizer::normalizeAttributeValue( $set[5] );
+ } elseif( isset( $set[4] ) ) {
# Single-quoted
$value = str_replace( '"', '"',
Sanitizer::normalizeAttributeValue( $set[4] ) );
- } elseif( $set[5] != '' ) {
- # No quotes.
- $value = Sanitizer::normalizeAttributeValue( $set[5] );
- } elseif( $set[6] != '' ) {
- # Illegal #XXXXXX color with no quotes.
- $value = Sanitizer::normalizeAttributeValue( $set[6] );
+ } elseif( isset( $set[3] ) ) {
+ # Double-quoted
+ $value = Sanitizer::normalizeAttributeValue( $set[3] );
+ } elseif( !isset( $set[2] ) ) {
+ # In XHTML, attributes must have a value.
+ $value = $set[1];
} else {
- wfDebugDieBacktrace( "Tag conditions not met. Something's very odd." );
+ wfDebugDieBacktrace( "Tag conditions not met. This should never happen and is a bug." );
}
# Strip javascript "expression" from stylesheets.
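Review bot: The final `else` still calls `wfDebugDieBacktrace()` from inside the attribute sanitizer, so any match shape the branches do not anticipate aborts the whole page render on user-supplied markup, the same failure class as bug 2067. Failing closed would be safer: log and drop the attribute, e.g. `wfDebug( "Sanitizer: unexpected attribute match, dropping\n" ); continue;`. The reordered `isset()` chain also appears to rely on PCRE leaving only trailing unmatched groups out of `$set`, with earlier unmatched groups present as empty strings, which is why the highest index has to be tested first. A comment above the chain, e.g. `# Trailing unmatched groups are absent from $set, so test the highest index first.`, would keep a later cleanup from re-sorting the branches. The enclosing loop and the attribute regex are outside this hunk, so whether the `else` is reachable cannot be confirmed from here.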
diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt
index c249a5f7fc..03763613a8 100644
--- a/maintenance/parserTests.txt
+++ b/maintenance/parserTests.txt
@@ -2210,6 +2210,61 @@ Character reference normalization in link text (bug 1938)
!!end
+!! test
+Empty attribute crash test (bug 2067)
+!! input
+foo
+!! result
+foo
+
+!! end
+
+!! test
+Empty attribute crash test single-quotes (bug 2067)
+!! input
+foo
+!! result
+foo
+
+!! end
+
+!! test
+Attribute test: equals, then nothing
+!! input
+foo
+!! result
+foo
+
+!! end
+
+!! test
+Attribute test: unquoted value
+!! input
+foo
+!! result
+foo
+
+!! end
+
+!! test
+Attribute test: unquoted but illegal value (hash)
+!! input
+foo
+!! result
+foo
+
+!! end
+
+!! test
+Attribute test: no value
+!! input
+foo
+!! result
+foo
+
+!! end
+
+
TODO:
more images
more tables
--
2.20.1