HTML API: Fix a fatal error when processing malformed document with unclosed attribute.

Props: dlh, costdev, dmsnell. Fixes: #58637. git-svn-id: https://develop.svn.wordpress.org/trunk@56133 602fd350-edb4-49c9-b593-d223f7449a82
2026-05-20 19:24:32 +00:00 · 2023-07-04 20:43:43 +00:00
parent e834fed6eb
commit 56af1e4b94
2 changed files with 45 additions and 0 deletions
--- a/src/wp-includes/html-api/class-wp-html-tag-processor.php
+++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -546,6 +546,10 @@ class WP_HTML_Tag_Processor {
 			}

 			// Ensure that the tag closes before the end of the document.
+			if ( $this->bytes_already_parsed >= strlen( $this->html ) ) {
+				return false;
+			}
+
 			$tag_ends_at = strpos( $this->html, '>', $this->bytes_already_parsed );
 			if ( false === $tag_ends_at ) {
 				return false;
--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php
@@ -2038,6 +2038,47 @@ HTML;
 		);
 	}

+	/**
+	 * @ticket 58637
+	 *
+	 * @covers WP_HTML_Tag_Processor::next_tag
+	 *
+	 * @dataProvider data_incomplete_syntax_elements
+	 *
+	 * @param string $incomplete_html HTML text containing some kind of incomplete syntax.
+	 */
+	public function test_returns_false_for_incomplete_syntax_elements( $incomplete_html ) {
+		$p = new WP_HTML_Tag_Processor( $incomplete_html );
+		$this->assertFalse( $p->next_tag() );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[]
+	 */
+	public function data_incomplete_syntax_elements() {
+		return array(
+			'No tags'                              => array( 'this is nothing more than a text node' ),
+			'Incomplete tag name'                  => array( '<swit' ),
+			'Incomplete tag (no attributes)'       => array( '<div' ),
+			'Incomplete tag (attributes)'          => array( '<div inert title="test"' ),
+			'Incomplete attribute (unquoted)'      => array( '<button disabled' ),
+			'Incomplete attribute (single quoted)' => array( "<li class='just-another class" ),
+			'Incomplete attribute (double quoted)' => array( '<iframe src="https://www.example.com/embed/abcdef' ),
+			'Incomplete comment (normative)'       => array( '<!-- without end' ),
+			'Incomplete comment (missing --)'      => array( '<!-- without end --' ),
+			'Incomplete comment (--!)'             => array( '<!-- without end --!' ),
+			'Incomplete comment (bogus comment)'   => array( '</3 is not a tag' ),
+			'Incomplete DOCTYPE'                   => array( '<!DOCTYPE html' ),
+			'Partial DOCTYPE'                      => array( '<!DOCTY' ),
+			'Incomplete CDATA'                     => array( '<[CDATA[something inside of here needs to get out' ),
+			'Partial CDATA'                        => array( '<[CDA' ),
+			'Partially closed CDATA]'              => array( '<[CDATA[cannot escape]' ),
+			'Partially closed CDATA]>'             => array( '<[CDATA[cannot escape]>' ),
+		);
+	}
+
 	/**
 	 * @ticket 56299
 	 *