This repository has been archived by the owner on Jan 30, 2020. It is now read-only.

Merge pull request #89 from TotalWipeOut/hotfix/88
issue #88: Prevent infinite looping on empty/short HTML comment
michalbundyra committed Aug 18, 2019
2 parents a870115 + 0ce8431 commit bf60a41
Showing 2 changed files with 38 additions and 11 deletions.
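--- a/src/StripTags.php
+++ b/src/StripTags.php
@@ -179,19 +179,18 @@ public function filter($value)
 $value = (string) $value;
 
 // Strip HTML comments first
-while (strpos($value, '<!--') !== false) {
-$pos = strrpos($value, '<!--');
-$start = substr($value, 0, $pos);
-$value = substr($value, $pos);
-
-// If there is no comment closing tag, strip whole text
-if (! preg_match('/--\s*>/s', $value)) {
-$value = '';
+$open = '<!--';
+$openLen = strlen($open);
+$close = '-->';
+$closeLen = strlen($close);
+while (($start = strpos($value, $open)) !== false) {
+$end = strpos($value, $close, $start + $openLen);
+
+if ($end === false) {
+$value = substr($value, 0, $start);
 } else {
-$value = preg_replace('/<(?:!(?:--[\s\S]*?--\s*)?(>))/s', '', $value);
+$value = substr($value, 0, $start) . substr($value, $end + $closeLen);
 }
-
-$value = $start . $value;
 }
 
 // Initialize accumulator for filtered data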
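Review bot: The `if ($end === false)` branch has no comment after this change, although its behaviour is the security-relevant part: an opener without a literal `-->` after it now drops everything from that `<!--` to the end of the input, and `-- >` with whitespace, which the removed `/--\s*>/` test accepted, no longer closes a comment. I would add above the `if`: `// No literal "-->" after the opener: discard the rest of the input rather than let an unterminated comment through.` Separately, each pass restarts `strpos` at offset 0 and rebuilds `$value` with `substr`, so the work grows roughly quadratically with the number of comments; the loop now always terminates, but callers filtering large untrusted input may still want a length limit before it. `filter()` begins and ends outside this hunk.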
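--- a/test/StripTagsTest.php
+++ b/test/StripTagsTest.php
@@ -511,6 +511,34 @@ public function testMultiQuoteInput()
 $this->assertEquals($expected, $filter->filter($input));
 }
 
+public function badCommentProvider()
+{
+return [
+['A <!--> B', 'A '], // Should be treated as just an open
+['A <!---> B', 'A '], // Should be treated as just an open
+['A <!----> B', 'A B'],
+['A <!-- --> B', 'A B'],
+['A <!--> B <!--> C', 'A C'],
+['A <!-- -- > -- > --> B', 'A B'],
+["A <!-- B\n C\n D --> E", 'A E'],
+["A <!-- B\n <!-- C\n D --> E", 'A E'],
+['A <!-- B <!-- C --> D --> E', 'A D -- E'],
+["A <!--\n B\n <!-- C\n D \n\n\n--> E", 'A E'],
+['A <!--My favorite operators are > and <!--> B', 'A B'],
+];
+}
+
+/**
+* @dataProvider badCommentProvider
+*
+* @param string $input
+* @param string $expected
+*/
+public function testBadCommentTags($input, $expected)
+{
+$this->assertEquals($expected, $this->_filter->filter($input));
+}
+
 /**
 * @group ZF-10256
 */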
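Review bot: None of the rows in `badCommentProvider()` covers an opener that only comes into existence after an earlier comment has been spliced out, which is the case the rescan-from-the-start loop in `StripTags::filter()` guards against. A constructed row such as `['A<!<!---->-- B -->C', 'AC'],` would pin that behaviour, so a later optimisation that resumes the search past the splice point cannot quietly let a re-formed `<!--` through. The provider rows would also read more easily with string keys naming each case, since only the first two carry an explanatory comment.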
