Quote contents of <![CDATA[...]]> sections in CleanHTML

Surprisingly to me, since 2008/the XHTML days, CDATA sections have been outlawed from HTML, and are actually *interpreted* by modern browsers. Reported by David Klein
kohler · Oct 23, 2024 · 3436afe · 3436afe
1 parent b860431
commit 3436afe
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 8 deletions.
diff --git a/lib/cleanhtml.php b/lib/cleanhtml.php
@@ -268,14 +268,10 @@ function clean($t) {
             if (preg_match('/\G<!\[[ie]\w+/i', $t, $m, 0, $p)) {
                 $this->ml[] = $this->e("<0>Conditional HTML comments not allowed", $p, $p + strlen($m[0]), $t);
                 return false;
-            } else if (preg_match('/\G(<!\[CDATA\[.*?)(\]\]>|\z)/s', $t, $m, 0, $p)) {
+            } else if (preg_match('/\G<!\[CDATA\[(.*?)(?:\]\]>|\z)/s', $t, $m, 0, $p)) {
                 $this->check_text($curtf, $tagstack, $p, $p + strlen($m[0]), $t);
-                if ($m[2] === "") {
-                    $x .= substr($t, $xp) . "]]>";
-                    $p = $xp = $len;
-                } else {
-                    $p += strlen($m[0]);
-                }
+                $x .= substr($t, $xp, $p - $xp) . htmlspecialchars($m[1]);
+                $p = $xp = $p + strlen($m[0]);
             } else if (preg_match('/\G<!--.*?(?:-->|\z)\z/s', $t, $m, 0, $p)) {
                 $x .= substr($t, $xp, $p - $xp);
                 $p = $xp = $p + strlen($m[0]);

diff --git a/test/t_unit.php b/test/t_unit.php
@@ -1088,7 +1088,7 @@ function test_sensitive_mail_preparation() {
     }
 
     function test_clean_html() {
-        $chtml = CleanHtml::basic();
+        $chtml = CleanHTML::basic();
         xassert_eqq($chtml->clean('<a>Hello'), false);
         xassert_eqq($chtml->clean('<a>Hello</a>'), '<a>Hello</a>');
         xassert_eqq($chtml->clean('<script>Hello</script>'), false);
@@ -1102,6 +1102,7 @@ function test_clean_html() {
         xassert_eqq($chtml->clean('<table><tr><td>hi</td><td>there</td></tr></table>'), '<table><tr><td>hi</td><td>there</td></tr></table>');
         xassert_eqq($chtml->clean("<ul><li>X</li> <li>Y</li>\n\n<li>Z</li>\n</ul>\n"), "<ul><li>X</li> <li>Y</li>\n\n<li>Z</li>\n</ul>\n");
         xassert_eqq($chtml->clean("<ul><li>X</li> p <li>Y</li>\n\n<li>Z</li>\n</ul>\n"), false);
+        xassert_eqq($chtml->clean("<i><![CDATA[<alert>]]></i>"), "<i>&lt;alert&gt;</i>");
     }
 
     function test_base48() {