HTML API: Fix an infinite loop in certain unclosed SCRIPT tags.

When the Tag Processor (or HTML Processor) attempts to parse certain
incomplete script tags, the parser enters an infinite loop and will
hang indefinitely. The conditions to reach this situation are:

- Input HTML ends with an open script tag.
- The final character of input is `-` or `<`.

The infinite loop was caused by the parser-advancing increment not being
called when two `||` OR conditions short-circuited. If the first
condition was true, the `$at++` code was never reached.

This path resolves the issue.

Developed in https://github.com/wordpress/wordpress-develop/pull/7128
Discussed in https://core.trac.wordpress.org/ticket/61810

Follow-up to [55203].

Props: dmsnell, jonsurrell.
Fixes #61810.

Built from https://develop.svn.wordpress.org/trunk@58845


git-svn-id: http://core.svn.wordpress.org/trunk@58241 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
dmsnell 2024-08-02 23:48:14 +00:00
parent 7a86a5a42f
commit 8d059b9fe2
2 changed files with 10 additions and 3 deletions

View File

@ -1431,8 +1431,15 @@ class WP_HTML_Tag_Processor {
continue;
}
// Everything of interest past here starts with "<".
if ( $at + 1 >= $doc_length || '<' !== $html[ $at++ ] ) {
if ( $at + 1 >= $doc_length ) {
return false;
}
/*
* Everything of interest past here starts with "<".
* Check this character and advance position regardless.
*/
if ( '<' !== $html[ $at++ ] ) {
continue;
}

View File

@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.7-alpha-58844';
$wp_version = '6.7-alpha-58845';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.