* (bug 2067) Fixed crash on empty quoted HTML attribute

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index c7103f7..f857424 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -156,6 +156,11 @@ Various bugfixes, small features, and a few experimental things:
 * ...and more!
 
 
+=== Changes since 1.5alpha1 ===
+
+* ...various...
+* (bug 2067) Fixed crash on empty quoted HTML attribute
+
 
 === Caveats ===
 

diff --git a/includes/Sanitizer.php b/includes/Sanitizer.php
index 384fd20..faac940 100644 (file)
--- a/includes/Sanitizer.php
+++ b/includes/Sanitizer.php
@@ -246,25 +246,24 @@ class Sanitizer {
                        $attribute = strtolower( $set[1] );
                        if( !isset( $whitelist[$attribute] ) ) {
                                continue;
-                       }
-                       if( !isset( $set[2] ) ) {
-                               # In XHTML, attributes must have a value.
-                               $value = $set[1];
-                       } elseif( $set[3] != '' ) {
-                               # Double-quoted
-                               $value = Sanitizer::normalizeAttributeValue( $set[3] );
-                       } elseif( $set[4] != '' ) {
+                       } elseif( isset( $set[6] ) ) {
+                               # Illegal #XXXXXX color with no quotes.
+                               $value = Sanitizer::normalizeAttributeValue( $set[6] );
+                       } elseif( isset( $set[5] ) ) {
+                               # No quotes.
+                               $value = Sanitizer::normalizeAttributeValue( $set[5] );
+                       } elseif( isset( $set[4] ) ) {
                                # Single-quoted
                                $value = str_replace( '"', '"',
                                        Sanitizer::normalizeAttributeValue( $set[4] ) );
-                       } elseif( $set[5] != '' ) {
-                               # No quotes.
-                               $value = Sanitizer::normalizeAttributeValue( $set[5] );
-                       } elseif( $set[6] != '' ) {
-                               # Illegal #XXXXXX color with no quotes.
-                               $value = Sanitizer::normalizeAttributeValue( $set[6] );
+                       } elseif( isset( $set[3] ) ) {
+                               # Double-quoted
+                               $value = Sanitizer::normalizeAttributeValue( $set[3] );
+                       } elseif( !isset( $set[2] ) ) {
+                               # In XHTML, attributes must have a value.
+                               $value = $set[1];
                        } else {
-                               wfDebugDieBacktrace( "Tag conditions not met. Something's very odd." );
+                               wfDebugDieBacktrace( "Tag conditions not met. This should never happen and is a bug." );
                        }
                        
                        # Strip javascript "expression" from stylesheets.

diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt
index c249a5f..0376361 100644 (file)
--- a/maintenance/parserTests.txt
+++ b/maintenance/parserTests.txt
@@ -2210,6 +2210,61 @@ Character reference normalization in link text (bug 1938)
 </p>
 !!end
 
+!! test
+Empty attribute crash test (bug 2067)
+!! input
+<font color="">foo</font>
+!! result
+<p><font color="">foo</font>
+</p>
+!! end
+
+!! test
+Empty attribute crash test single-quotes (bug 2067)
+!! input
+<font color=''>foo</font>
+!! result
+<p><font color="">foo</font>
+</p>
+!! end
+
+!! test
+Attribute test: equals, then nothing
+!! input
+<font color=>foo</font>
+!! result
+<p><font>foo</font>
+</p>
+!! end
+
+!! test
+Attribute test: unquoted value
+!! input
+<font color=x>foo</font>
+!! result
+<p><font color="x">foo</font>
+</p>
+!! end
+
+!! test
+Attribute test: unquoted but illegal value (hash)
+!! input
+<font color=#x>foo</font>
+!! result
+<p><font color="#x">foo</font>
+</p>
+!! end
+
+!! test
+Attribute test: no value
+!! input
+<font color>foo</font>
+!! result
+<p><font color="color">foo</font>
+</p>
+!! end
+
+
 TODO:
 more images
 more tables