| Index: branches/REL1_17/phase3/includes/Sanitizer.php |
| — | — | @@ -748,6 +748,13 @@ |
| 749 | 749 | // Remove any comments; IE gets token splitting wrong |
| 750 | 750 | $value = StringUtils::delimiterReplace( '/*', '*/', ' ', $value ); |
| 751 | 751 | |
| | 752 | + // Remove anything after a comment-start token, to guard against |
| | 753 | + // incorrect client implementations. |
| | 754 | + $commentPos = strpos( $value, '/*' ); |
| | 755 | + if ( $commentPos !== false ) { |
| | 756 | + $value = substr( $value, 0, $commentPos ); |
| | 757 | + } |
| | 758 | + |
| 752 | 759 | // Decode escape sequences and line continuation |
| 753 | 760 | // See the grammar in the CSS 2 spec, appendix D. |
| 754 | 761 | static $decodeRegex; |
| Index: branches/REL1_17/phase3/includes/StringUtils.php |
| — | — | @@ -81,16 +81,20 @@ |
| 82 | 82 | } |
| 83 | 83 | |
| 84 | 84 | if ( $tokenType == 'start' ) { |
| 85 | | - $inputPos = $tokenOffset + $tokenLength; |
| 86 | 85 | # Only move the start position if we haven't already found a start |
| 87 | 86 | # This means that START START END matches outer pair |
| 88 | 87 | if ( !$foundStart ) { |
| 89 | 88 | # Found start |
| | 89 | + $inputPos = $tokenOffset + $tokenLength; |
| 90 | 90 | # Write out the non-matching section |
| 91 | 91 | $output .= substr( $subject, $outputPos, $tokenOffset - $outputPos ); |
| 92 | 92 | $outputPos = $tokenOffset; |
| 93 | 93 | $contentPos = $inputPos; |
| 94 | 94 | $foundStart = true; |
| | 95 | + } else { |
| | 96 | + # Move the input position past the *first character* of START, |
| | 97 | + # to protect against missing END when it overlaps with START |
| | 98 | + $inputPos = $tokenOffset + 1; |
| 95 | 99 | } |
| 96 | 100 | } elseif ( $tokenType == 'end' ) { |
| 97 | 101 | if ( $foundStart ) { |