HTML API: Fix an infinite loop in certain unclosed SCRIPT tags.

When the Tag Processor (or HTML Processor) attempts to parse certain incomplete script tags, the parser enters an infinite loop and will hang indefinitely. The conditions to reach this situation are: - Input HTML ends with an open script tag. - The final character of input is `-` or `<`. The infinite loop was caused by the parser-advancing increment not being called when two `||` OR conditions short-circuited. If the first condition was true, the `$at++` code was never reached. This path resolves the issue. Developed in WordPress#7128 Discussed in https://core.trac.wordpress.org/ticket/61810 Follow-up to [55203]. Props: dmsnell, jonsurrell. Fixes #61810. git-svn-id: https://develop.svn.wordpress.org/trunk@58845 602fd350-edb4-49c9-b593-d223f7449a82
narenin · Aug 2, 2024 · bdef9de · bdef9de
1 parent 0c46e2a
commit bdef9de
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 2 deletions.
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -1431,8 +1431,15 @@ private function skip_script_data(): bool {
 				continue;
 			}
 
-			// Everything of interest past here starts with "<".
-			if ( $at + 1 >= $doc_length || '<' !== $html[ $at++ ] ) {
+			if ( $at + 1 >= $doc_length ) {
+				return false;
+			}
+
+			/*
+			 * Everything of interest past here starts with "<".
+			 * Check this character and advance position regardless.
+			 */
+			if ( '<' !== $html[ $at++ ] ) {
 				continue;
 			}
 

diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php
@@ -2875,4 +2875,32 @@ public function insert_after( $new_html ) {
 			'Should have properly applied the update from in front of the cursor.'
 		);
 	}
+
+	/**
+	 * Test an infinite loop bugfix in incomplete script tag parsing.
+	 *
+	 * @small
+	 *
+	 * @ticket 61810
+	 */
+	public function test_script_tag_processing_no_infinite_loop_final_dash() {
+		$processor = new WP_HTML_Tag_Processor( '<script>-' );
+
+		$this->assertFalse( $processor->next_tag() );
+		$this->assertTrue( $processor->paused_at_incomplete_token() );
+	}
+
+	/**
+	 * Test an infinite loop bugfix in incomplete script tag parsing.
+	 *
+	 * @small
+	 *
+	 * @ticket 61810
+	 */
+	public function test_script_tag_processing_no_infinite_loop_final_left_angle_bracket() {
+		$processor = new WP_HTML_Tag_Processor( '<script><' );
+
+		$this->assertFalse( $processor->next_tag() );
+		$this->assertTrue( $processor->paused_at_incomplete_token() );
+	}
 }