Fix : CSS Child Combinator Parsing Bug #297
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
subbudvk
changed the title
mikesamuel
approved these changes
Jan 9, 2024
| @@ -341,7 +341,7 @@ private static int checkHtmlCdataCloseable( | |||
| } | |||
| break; | |||
| case '>': | |||
| if (i >= 2 && sb.charAt(i - 2) == '-' && sb.charAt(i - 2) == '-') { | |||
| if (i >= 2 && sb.charAt(i - 2) == '-' && sb.charAt(i - 1) == '-') { | |||
| @@ -994,7 +994,7 @@ public static final void testTextareaIsNotTextArea() { | |||
| assertEquals("x<textArea>y</textArea>", textAreaPolicy.sanitize(input)); | |||
| } | |||
|
|
|||
| @Test | |||
| @Test | |||
There was a problem hiding this comment.
This is just an opportunistic fix while merging.
| + "-->\n" | ||
| + "</style>"; | ||
| assertEquals(toSanitize, factory.sanitize(toSanitize)); | ||
| } |
There was a problem hiding this comment.
Thanks for the unit test.
|
@subbudvk Thanks for fixing the bug. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
241b4b8#diff-0a08f29a5b7867e56d6aa9f6abe035e32ee9411a8bc96afa9a6acff2a6d6f07fR338
The above commit was made to make parsing consistent with HTML5 Spec, but while this is being rewritten it looks like a regression was introduced when parsing for
>To ensure this entity
>is part of a HTML Comment it seems to have been checked the previous two characters are-but with this commit onlychar - 2is checked twice. So if a CSS Child combinator with-selector is used, it was treated was a error and as a result user CSS was badly stripped. Fixing this and adding a test for it.Fixes #251