search

ezyang / htmlpurifier

Standards compliant HTML filter written in PHP
http://htmlpurifier.org
GNU Lesser General Public License v2.1
3.07k stars 327 forks source link

this text input crashes function entityCallback() #181

Closed baconsalad closed 5 years ago

baconsalad commented 6 years ago

this input crashes EntityParser.php in function entityCallback() (base64 encoded as githib will not render it properly)

PHN0eWxlPgo8IS0tCiAvKiBGb250IERlZmluaXRpb25zICovCkBmb250LWZhY2UKCXtmb250LWZhbWlseToi77yt77yzIOaYjuacnSI7Cgltc28tZm9udC1jaGFyc2V0Ojc4OwoJbXNvLWdlbmVyaWMtZm9udC1mYW1pbHk6YXV0bzsKCW1zby1mb250LXBpdGNoOnZhcmlhYmxlOwoJbXNvLWZvbnQtc2lnbmF0dXJlOjEgMTM0Njc2NDgwIDE2IDAgMTMxMDcyIDA7fQotLT4KPC9zdHlsZT4K

this was my quickdirty fix

if (!isset($matches[3]) || (empty($matches[3]) && !isset($matches[4]))) {
    $named_part = '';
} else {
    $named_part = empty($matches[3]) ? @$matches[4] : $matches[3];
}
ezyang commented 5 years ago

Your test case doesn't trigger the crash for me. Do you need to set some extra config, perhaps?

OTOH, the suggested change seems fine, so I'll just go ahead and patch it in.