From 0e8c4fb381ef4d41ceb948fc408f4b52ab5f545d Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 19 Nov 2024 16:30:04 +0100 Subject: [PATCH 001/187] WIP class skeleton --- .../html-api/class-wp-css-selector.php | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 src/wp-includes/html-api/class-wp-css-selector.php diff --git a/src/wp-includes/html-api/class-wp-css-selector.php b/src/wp-includes/html-api/class-wp-css-selector.php new file mode 100644 index 0000000000000..7ec6b5a69ced2 --- /dev/null +++ b/src/wp-includes/html-api/class-wp-css-selector.php @@ -0,0 +1,31 @@ + Date: Wed, 20 Nov 2024 16:57:19 +0100 Subject: [PATCH 002/187] Document class --- .../html-api/class-wp-css-selector.php | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selector.php b/src/wp-includes/html-api/class-wp-css-selector.php index 7ec6b5a69ced2..1684aefef2024 100644 --- a/src/wp-includes/html-api/class-wp-css-selector.php +++ b/src/wp-includes/html-api/class-wp-css-selector.php @@ -12,20 +12,47 @@ * * This class is designed for internal use by the HTML processor. * + * This class is instantiated via the `WP_CSS_Selector::from_selector( string $selector )` method. + * It accepts a CSS selector string and returns an instance of itself or `null` if the selector + * is invalid or unsupported. + * + * A subset of the CSS selector grammar is supported. The grammar is defined in the CSS Syntax + * specification, which is available at https://www.w3.org/TR/css-syntax-3/. + * + * Supported selector syntax: + * - Type selectors (tag names, e.g. `div`) + * - Class selectors (e.g. `.class-name`) + * - ID selectors (e.g. `#unique-id`) + * - Attribute selectors (e.g. `[attribute-name]` or `[attribute-name="value"]`) + * - The following combinators: + * - descendant (e.g. `.parent .descendant`) + * - child (`.parent > .child`) + * - Comma-separated selector lists (e.g. `.selector-1, .selector-2`) + * + * Unsupported selector syntax: + * - The following combinators: + * - Next sibling (`.sibling + .sibling`) + * - Subsequent sibling (`.sibling ~ .sibling`) + * - Pseudo-element selectors (e.g. `::before`) + * - Pseudo-class selectors (e.g. `:hover` or `:nth-child(2)`) + * * @since TBD * * @access private * + * @see https://www.w3.org/TR/css-syntax-3/#consume-a-token * @see https://www.w3.org/tr/selectors/#parse-selector + * */ class WP_CSS_Selector { private function __construct() {} /** - * @return static + * @return static|null */ public static function from_selector( string $selector ) { $res = new static(); return $res; } + } From 40222d30200afdf998586cb127c35c880bfe7df8 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 21 Nov 2024 11:57:28 +0100 Subject: [PATCH 003/187] Do not support namespaced selectors --- src/wp-includes/html-api/class-wp-css-selector.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/wp-includes/html-api/class-wp-css-selector.php b/src/wp-includes/html-api/class-wp-css-selector.php index 1684aefef2024..fb8934bec06f4 100644 --- a/src/wp-includes/html-api/class-wp-css-selector.php +++ b/src/wp-includes/html-api/class-wp-css-selector.php @@ -35,6 +35,7 @@ * - Subsequent sibling (`.sibling ~ .sibling`) * - Pseudo-element selectors (e.g. `::before`) * - Pseudo-class selectors (e.g. `:hover` or `:nth-child(2)`) + * - Namespace prefixes that need to be resolved (e.g. `svg|title` or `[xlink|href]`) * * @since TBD * From 60926421295e58229637891c853ab50f0920ae23 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 16:04:42 +0100 Subject: [PATCH 004/187] Flesh out stuff --- .../html-api/class-wp-css-selector.php | 59 ----- .../html-api/class-wp-css-selectors.php | 248 ++++++++++++++++++ 2 files changed, 248 insertions(+), 59 deletions(-) delete mode 100644 src/wp-includes/html-api/class-wp-css-selector.php create mode 100644 src/wp-includes/html-api/class-wp-css-selectors.php diff --git a/src/wp-includes/html-api/class-wp-css-selector.php b/src/wp-includes/html-api/class-wp-css-selector.php deleted file mode 100644 index fb8934bec06f4..0000000000000 --- a/src/wp-includes/html-api/class-wp-css-selector.php +++ /dev/null @@ -1,59 +0,0 @@ - .child`) - * - Comma-separated selector lists (e.g. `.selector-1, .selector-2`) - * - * Unsupported selector syntax: - * - The following combinators: - * - Next sibling (`.sibling + .sibling`) - * - Subsequent sibling (`.sibling ~ .sibling`) - * - Pseudo-element selectors (e.g. `::before`) - * - Pseudo-class selectors (e.g. `:hover` or `:nth-child(2)`) - * - Namespace prefixes that need to be resolved (e.g. `svg|title` or `[xlink|href]`) - * - * @since TBD - * - * @access private - * - * @see https://www.w3.org/TR/css-syntax-3/#consume-a-token - * @see https://www.w3.org/tr/selectors/#parse-selector - * - */ -class WP_CSS_Selector { - private function __construct() {} - - /** - * @return static|null - */ - public static function from_selector( string $selector ) { - $res = new static(); - return $res; - } - -} diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php new file mode 100644 index 0000000000000..acc5db02752c3 --- /dev/null +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -0,0 +1,248 @@ + .child`) + * + * Unsupported selector syntax: + * - Pseudo-element selectors (e.g. `::before`) + * - Pseudo-class selectors (e.g. `:hover` or `:nth-child(2)`) + * - Namespace prefixes (e.g. `svg|title` or `[xlink|href]`) + * - The following combinators: + * - Next sibling (`.sibling + .sibling`) + * - Subsequent sibling (`.sibling ~ .sibling`) + * + * @since TBD + * + * @access private + * + * @see https://www.w3.org/TR/css-syntax-3/#consume-a-token + * @see https://www.w3.org/tr/selectors/#parse-selector + * @see https://www.w3.org/TR/selectors-api2/ + * @see https://www.w3.org/TR/selectors-4/ + * + */ +class WP_CSS_Selectors { + + /** + * Takes a CSS selectors string and returns an instance of itself or `null` if the selector + * is invalid or unsupported. + * + * @since TBD + * + * @param string $selectors CSS selectors string. + * @return static|null + */ + public static function from_selectors( string $selectors ) { + $res = new static(); + return $res; + } + + /** + * Returns a list of selectors. + * + * @since TBD + * + * @return WP_CSS_Selector[] + */ + private static function parse( string $input ) { + // > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace and matches the dom_selectors_group production. + $input = trim( $input, " \t\r\n\r" ); + + if ( '' === $input ) { + null; + } + + /* + * > The input stream consists of the filtered code points pushed into it as the input byte stream is decoded. + * > + * > To filter code points from a stream of (unfiltered) code points input: + * > Replace any U+000D CARRIAGE RETURN (CR) code points, U+000C FORM FEED (FF) code points, or pairs of U+000D CARRIAGE RETURN (CR) followed by U+000A LINE FEED (LF) in input by a single U+000A LINE FEED (LF) code point. + * > Replace any U+0000 NULL or surrogate code points in input with U+FFFD REPLACEMENT CHARACTER (�). + * + * https://www.w3.org/TR/css-syntax-3/#input-preprocessing + */ + $input = str_replace( array( "\r\n" ), "\n", $input ); + $input = str_replace( array( "\r", "\f" ), "\n", $input ); + $input = str_replace( "\0", "\u{FFFD}", $input ); + + $at = 0; + $length = strlen( $input ); + $selectors = array(); + + $at = strspn( $input, "\n\t ", $at ); + while ( $at < $length ) { + } + } +} + +interface IWP_CSS_Selector_Parser { + public static function parse( string $input, string $offset, ?int $consumed_bytes = null ): ?self; +} + +abstract class WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser { + public static function parse_whitespace( string $input, string &$offset ): bool { + $length = strspn( $input, " \t\r\n\f", $offset ); + $advanced = $length > 0; + $offset += $length; + return $advanced; + } + + /* + * Utiltities + * ========== + * + * The following functions do not consume any input. + */ + + /** + * > 4.3.8. Check if two code points are a valid escape + * > This section describes how to check if two code points are a valid escape. The algorithm described here can be called explicitly with two code points, or can be called with the input stream itself. In the latter case, the two code points in question are the current input code point and the next input code point, in that order. + * > + * > Note: This algorithm will not consume any additional code point. + * > + * > If the first code point is not U+005C REVERSE SOLIDUS (\), return false. + * > + * > Otherwise, if the second code point is a newline, return false. + * > + * > Otherwise, return true. + * + * https://www.w3.org/TR/css-syntax-3/#starts-with-a-valid-escape + * + * @todo this does not check whether the second codepoint is valid. + */ + public static function next_two_are_valid_escape( string $input, string $offset ): bool { + if ( $offset + 1 >= strlen( $input ) ) { + return false; + } + return '\\' === $input[ $offset ] && "\n" !== $input[ $offset + 1 ]; + } + + /** + * > ident-start code point + * > A letter, a non-ASCII code point, or U+005F LOW LINE (_). + * > uppercase letter + * > A code point between U+0041 LATIN CAPITAL LETTER A (A) and U+005A LATIN CAPITAL LETTER Z (Z) inclusive. + * > lowercase letter + * > A code point between U+0061 LATIN SMALL LETTER A (a) and U+007A LATIN SMALL LETTER Z (z) inclusive. + * > letter + * > An uppercase letter or a lowercase letter. + * > non-ASCII code point + * > A code point with a value equal to or greater than U+0080 . + */ + public static function is_ident_start_codepoint( string $input, string $offset ): bool { + if ( $offset >= strlen( $input ) ) { + return false; + } + + return ( + '_' === $input[ $offset ] || + ( 'a' <= $input[ $offset ] && $input[ $offset ] <= 'z' ) || + ( 'A' <= $input[ $offset ] && $input[ $offset ] <= 'Z' ) || + $input[ $offset ] <= '\x7F' + ); + } + + /** + * > ident code point + * > An ident-start code point, a digit, or U+002D HYPHEN-MINUS (-). + * > digit + * > A code point between U+0030 DIGIT ZERO (0) and U+0039 DIGIT NINE (9) inclusive. + */ + public static function is_ident_codepoint( string $input, string $offset ): bool { + return '-' === $input[ $offset ] || + ( '0' <= $input[ $offset ] && $input[ $offset ] <= '9' ) || + self::is_ident_start_codepoint( $input, $offset ); + } + + /** + * > 4.3.9. Check if three code points would start an ident sequence + * > This section describes how to check if three code points would start an ident sequence. The algorithm described here can be called explicitly with three code points, or can be called with the input stream itself. In the latter case, the three code points in question are the current input code point and the next two input code points, in that order. + * > + * > Note: This algorithm will not consume any additional code points. + * > + * > Look at the first code point: + * > + * > U+002D HYPHEN-MINUS + * > If the second code point is an ident-start code point or a U+002D HYPHEN-MINUS, or the second and third code points are a valid escape, return true. Otherwise, return false. + * > ident-start code point + * > Return true. + * > U+005C REVERSE SOLIDUS (\) + * > If the first and second code points are a valid escape, return true. Otherwise, return false. + * > anything else + * > Return false. + * + * https://www.w3.org/TR/css-syntax-3/#would-start-an-identifier + */ + public static function check_if_three_code_points_would_start_an_ident_sequence( string $input, string $offset ): bool { + if ( $offset >= strlen( $input ) ) { + return false; + } + + // > U+005C REVERSE SOLIDUS (\) + if ( '\\' === $input[ $offset ] ) { + return self::next_two_are_valid_escape( $input, $offset ); + } + + // > U+002D HYPHEN-MINUS + if ( '-' === $input[ $offset ] ) { + $after_initial_hyphen_minus_offset = $offset + 1; + if ( $offset >= strlen( $input ) ) { + return false; + } + + // > If the second code point is… U+002D HYPHEN-MINUS… return true + if ( '-' === $input[ $after_initial_hyphen_minus_offset ] ) { + return true; + } + + // > If the second and third code points are a valid escape, return true. + if ( self::next_two_are_valid_escape( $input, $after_initial_hyphen_minus_offset ) ) { + return true; + } + + // > If the second code point is an ident-start code point… return true. + if ( self::is_ident_start_codepoint( $input, $after_initial_hyphen_minus_offset ) ) { + return true; + } + + // > Otherwise, return false. + return false; + } + + // > ident-start code point + // > Return true. + // > anything else + // > Return false. + return self::is_ident_start_codepoint( $input, $offset ); + } +} From 3e3b2b200696d9e5f51c29f86f8ec48a20df1bf4 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 17:06:20 +0100 Subject: [PATCH 005/187] Starting to actually parse --- .../html-api/class-wp-css-selectors.php | 213 ++++++++++++++++-- 1 file changed, 199 insertions(+), 14 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index acc5db02752c3..53417a0f1967c 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -52,6 +52,11 @@ * */ class WP_CSS_Selectors { + private $selectors; + + private function __construct( array $selectors ) { + $this->selectors = $selectors; + } /** * Takes a CSS selectors string and returns an instance of itself or `null` if the selector @@ -60,11 +65,10 @@ class WP_CSS_Selectors { * @since TBD * * @param string $selectors CSS selectors string. - * @return static|null + * @return self|null */ - public static function from_selectors( string $selectors ) { - $res = new static(); - return $res; + public static function from_selectors( string $selectors ): ?self { + return self::parse( $selectors ); } /** @@ -72,7 +76,7 @@ public static function from_selectors( string $selectors ) { * * @since TBD * - * @return WP_CSS_Selector[] + * @return WP_CSS_Selectors|null */ private static function parse( string $input ) { // > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace and matches the dom_selectors_group production. @@ -95,28 +99,209 @@ private static function parse( string $input ) { $input = str_replace( array( "\r", "\f" ), "\n", $input ); $input = str_replace( "\0", "\u{FFFD}", $input ); - $at = 0; $length = strlen( $input ); $selectors = array(); - $at = strspn( $input, "\n\t ", $at ); - while ( $at < $length ) { + $offset = 0; + + while ( $offset < $length ) { + $sel = WP_CSS_ID_Selector::parse( $input, $offset ); + if ( $sel ) { + $selectors[] = $sel; + } + } + if ( count( $selectors ) ) { + return new WP_CSS_Selectors( $selectors ); + } + return null; + } +} + +final class WP_CSS_ID_Selector extends WP_CSS_Selector_Parser { + /** @var string */ + public $ident; + + private function __construct( string $ident ) { + $this->ident = $ident; + } + + public static function parse( string $input, string &$offset ): ?self { + $ident = self::parse_hash_token( $input, $offset ); + if ( null === $ident ) { + return null; } + return new self( $ident ); } } interface IWP_CSS_Selector_Parser { - public static function parse( string $input, string $offset, ?int $consumed_bytes = null ): ?self; + /** + * @return static|null + */ + public static function parse( string $input, string &$offset ); } abstract class WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser { - public static function parse_whitespace( string $input, string &$offset ): bool { + const UTF8_MAX_CODEPOINT_VALUE = 0x10FFFF; + + protected static function parse_whitespace( string $input, string &$offset ): bool { $length = strspn( $input, " \t\r\n\f", $offset ); $advanced = $length > 0; $offset += $length; return $advanced; } + /** + * Tokenization of hash tokens + * + * > U+0023 NUMBER SIGN (#) + * > If the next input code point is an ident code point or the next two input code points are a valid escape, then: + * > 1. Create a . + * > 2. If the next 3 input code points would start an ident sequence, set the + * > ’s type flag to "id". + * > 3. Consume an ident sequence, and set the ’s value to the + * > returned string. + * > 4. Return the . + * > Otherwise, return a with its value set to the current input code point. + * + * This implementation is not interested in the , a '#' delim token is not relevant for selectors. + */ + protected static function parse_hash_token( string $input, string &$offset ): ?string { + if ( $offset + 1 >= strlen( $input ) || '#' !== $input[ $offset ] ) { + return null; + } + + $offset_after_hash = $offset + 1; + if ( self::check_if_three_code_points_would_start_an_ident_sequence( $input, $offset_after_hash ) ) { + $offset = $offset_after_hash; + return self::parse_ident( $input, $offset ); + } + return null; + } + + /** + * Parse an ident token + * + * CAUTION: This method is _not_ for parsing and ID selector! + * + * > 4.3.11. Consume an ident sequence + * > This section describes how to consume an ident sequence from a stream of code points. It returns a string containing the largest name that can be formed from adjacent code points in the stream, starting from the first. + * > + * > Note: This algorithm does not do the verification of the first few code points that are necessary to ensure the returned code points would constitute an . If that is the intended use, ensure that the stream starts with an ident sequence before calling this algorithm. + * > + * > Let result initially be an empty string. + * > + * > Repeatedly consume the next input code point from the stream: + * > + * > ident code point + * > Append the code point to result. + * > the stream starts with a valid escape + * > Consume an escaped code point. Append the returned code point to result. + * > anything else + * > Reconsume the current input code point. Return result. + * + * https://www.w3.org/TR/css-syntax-3/#consume-name + */ + protected static function parse_ident( string $input, string &$offset ): ?string { + if ( ! self::check_if_three_code_points_would_start_an_ident_sequence( $input, $offset ) ) { + return null; + } + + $ident = ''; + + while ( $offset < strlen( $input ) ) { + if ( self::next_two_are_valid_escape( $input, $offset ) ) { + $ident .= self::consume_escaped_codepoint( $input, $offset ); + continue; + } elseif ( self::is_ident_codepoint( $input, $offset ) ) { + // @todo this should append and advance the correct number of bytes. + $ident .= $input[ $offset ]; + $offset += 1; + continue; + } + break; + } + + return $ident; + } + + /** + * Consume an escaped code point. + * + * > 4.3.7. Consume an escaped code point + * > This section describes how to consume an escaped code point. It assumes that the U+005C + * > REVERSE SOLIDUS (\) has already been consumed and that the next input code point has + * > already been verified to be part of a valid escape. It will return a code point. + * > + * > Consume the next input code point. + * > + * > hex digit + * > Consume as many hex digits as possible, but no more than 5. Note that this means 1-6 + * > hex digits have been consumed in total. If the next input code point is whitespace, + * > consume it as well. Interpret the hex digits as a hexadecimal number. If this number is + * > zero, or is for a surrogate, or is greater than the maximum allowed code point, return + * > U+FFFD REPLACEMENT CHARACTER (�). Otherwise, return the code point with that value. + * > EOF + * > This is a parse error. Return U+FFFD REPLACEMENT CHARACTER (�). + * > anything else + * > Return the current input code point. + */ + protected static function consume_escaped_codepoint( $input, &$offset ): ?string { + $char = $input[ $offset ]; + if ( + ( '0' <= $char && $char <= '9' ) || + ( 'a' <= $char && $char <= 'f' ) || + ( 'A' <= $char && $char <= 'F' ) + ) { + $hex_end_offset = $offset + 1; + while ( + strlen( $input ) > $hex_end_offset && + $hex_end_offset - $offset < 6 && + ( + ( '0' <= $char && $char <= '9' ) || + ( 'a' <= $char && $char <= 'f' ) || + ( 'A' <= $char && $char <= 'F' ) + ) + ) { + $hex_end_offset += 1; + } + + $codepoint_value = hexdec( substr( $input, $offset, $hex_end_offset - $offset ) ); + + // > A surrogate is a leading surrogate or a trailing surrogate. + // > A leading surrogate is a code point that is in the range U+D800 to U+DBFF, inclusive. + // > A trailing surrogate is a code point that is in the range U+DC00 to U+DFFF, inclusive. + // The surrogate ranges are adjacent, so the complete range is 0xD800..=0xDFFF, + // inclusive. + $codepoint_char = ( + 0 === $codepoint_value || + $codepoint_value > self::UTF8_MAX_CODEPOINT_VALUE || + ( 0xD800 <= $codepoint_value || $codepoint_value <= 0xDFFF ) + ) ? + "\u{FFFD}" : + mb_chr( $codepoint_value, 'UTF-8' ); + + $offset = $hex_end_offset; + + // If the next input code point is whitespace, consume it as well. + if ( + strlen( $input ) > $offset && + ( + "\n" === $input[ $offset ] || + "\t" === $input[ $offset ] || + ' ' === $input[ $offset ] + ) + ) { + ++$offset; + } + return $codepoint_char; + } + + $codepoint_char = mb_substr( $input, $offset, 1, 'UTF-8' ); + $offset += strlen( $codepoint_char ); + return $codepoint_char; + } + /* * Utiltities * ========== @@ -140,7 +325,7 @@ public static function parse_whitespace( string $input, string &$offset ): bool * * @todo this does not check whether the second codepoint is valid. */ - public static function next_two_are_valid_escape( string $input, string $offset ): bool { + protected static function next_two_are_valid_escape( string $input, string $offset ): bool { if ( $offset + 1 >= strlen( $input ) ) { return false; } @@ -159,7 +344,7 @@ public static function next_two_are_valid_escape( string $input, string $offset * > non-ASCII code point * > A code point with a value equal to or greater than U+0080 . */ - public static function is_ident_start_codepoint( string $input, string $offset ): bool { + protected static function is_ident_start_codepoint( string $input, string $offset ): bool { if ( $offset >= strlen( $input ) ) { return false; } @@ -178,7 +363,7 @@ public static function is_ident_start_codepoint( string $input, string $offset ) * > digit * > A code point between U+0030 DIGIT ZERO (0) and U+0039 DIGIT NINE (9) inclusive. */ - public static function is_ident_codepoint( string $input, string $offset ): bool { + protected static function is_ident_codepoint( string $input, string $offset ): bool { return '-' === $input[ $offset ] || ( '0' <= $input[ $offset ] && $input[ $offset ] <= '9' ) || self::is_ident_start_codepoint( $input, $offset ); @@ -203,7 +388,7 @@ public static function is_ident_codepoint( string $input, string $offset ): bool * * https://www.w3.org/TR/css-syntax-3/#would-start-an-identifier */ - public static function check_if_three_code_points_would_start_an_ident_sequence( string $input, string $offset ): bool { + protected static function check_if_three_code_points_would_start_an_ident_sequence( string $input, string $offset ): bool { if ( $offset >= strlen( $input ) ) { return false; } From 967557fb01f0e016d63fa2b391d351aec90090bc Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 17:41:16 +0100 Subject: [PATCH 006/187] Add ident tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 tests/phpunit/tests/html-api/wpCssSelectors.php diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php new file mode 100644 index 0000000000000..2857603360e79 --- /dev/null +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -0,0 +1,50 @@ +assertSame( $ident, $result ); + $this->assertSame( substr( $input, $offset ), $rest ); + } +} From 2ec1db32af13f1248935ee5e8bb2d634430afc31 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 17:41:42 +0100 Subject: [PATCH 007/187] Fix ident non-ascii bug --- src/wp-includes/html-api/class-wp-css-selectors.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 53417a0f1967c..547a51293bb11 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -353,7 +353,7 @@ protected static function is_ident_start_codepoint( string $input, string $offse '_' === $input[ $offset ] || ( 'a' <= $input[ $offset ] && $input[ $offset ] <= 'z' ) || ( 'A' <= $input[ $offset ] && $input[ $offset ] <= 'Z' ) || - $input[ $offset ] <= '\x7F' + $input[ $offset ] > '\x7F' ); } From ee2c7cefa987ef4cb208447aad489a700ab7f91f Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 17:42:12 +0100 Subject: [PATCH 008/187] Use class after defined --- .../html-api/class-wp-css-selectors.php | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 547a51293bb11..55396c8851294 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -117,23 +117,6 @@ private static function parse( string $input ) { } } -final class WP_CSS_ID_Selector extends WP_CSS_Selector_Parser { - /** @var string */ - public $ident; - - private function __construct( string $ident ) { - $this->ident = $ident; - } - - public static function parse( string $input, string &$offset ): ?self { - $ident = self::parse_hash_token( $input, $offset ); - if ( null === $ident ) { - return null; - } - return new self( $ident ); - } -} - interface IWP_CSS_Selector_Parser { /** * @return static|null @@ -431,3 +414,20 @@ protected static function check_if_three_code_points_would_start_an_ident_sequen return self::is_ident_start_codepoint( $input, $offset ); } } + +final class WP_CSS_ID_Selector extends WP_CSS_Selector_Parser { + /** @var string */ + public $ident; + + private function __construct( string $ident ) { + $this->ident = $ident; + } + + public static function parse( string $input, string &$offset ): ?self { + $ident = self::parse_hash_token( $input, $offset ); + if ( null === $ident ) { + return null; + } + return new self( $ident ); + } +} From 0f708ba4892a50249d0c2267640acf2a256beb21 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 18:01:07 +0100 Subject: [PATCH 009/187] Fix some char stuff --- .../html-api/class-wp-css-selectors.php | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 55396c8851294..408d25395febb 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -194,6 +194,8 @@ protected static function parse_ident( string $input, string &$offset ): ?string while ( $offset < strlen( $input ) ) { if ( self::next_two_are_valid_escape( $input, $offset ) ) { + // Move past the `\` character. + ++$offset; $ident .= self::consume_escaped_codepoint( $input, $offset ); continue; } elseif ( self::is_ident_codepoint( $input, $offset ) ) { @@ -230,20 +232,19 @@ protected static function parse_ident( string $input, string &$offset ): ?string * > Return the current input code point. */ protected static function consume_escaped_codepoint( $input, &$offset ): ?string { - $char = $input[ $offset ]; if ( - ( '0' <= $char && $char <= '9' ) || - ( 'a' <= $char && $char <= 'f' ) || - ( 'A' <= $char && $char <= 'F' ) + ( '0' <= $input[ $offset ] && $input[ $offset ] <= '9' ) || + ( 'a' <= $input[ $offset ] && $input[ $offset ] <= 'f' ) || + ( 'A' <= $input[ $offset ] && $input[ $offset ] <= 'F' ) ) { $hex_end_offset = $offset + 1; while ( strlen( $input ) > $hex_end_offset && $hex_end_offset - $offset < 6 && ( - ( '0' <= $char && $char <= '9' ) || - ( 'a' <= $char && $char <= 'f' ) || - ( 'A' <= $char && $char <= 'F' ) + ( '0' <= $input[ $hex_end_offset ] && $input[ $hex_end_offset ] <= '9' ) || + ( 'a' <= $input[ $hex_end_offset ] && $input[ $hex_end_offset ] <= 'f' ) || + ( 'A' <= $input[ $hex_end_offset ] && $input[ $hex_end_offset ] <= 'F' ) ) ) { $hex_end_offset += 1; @@ -259,7 +260,7 @@ protected static function consume_escaped_codepoint( $input, &$offset ): ?string $codepoint_char = ( 0 === $codepoint_value || $codepoint_value > self::UTF8_MAX_CODEPOINT_VALUE || - ( 0xD800 <= $codepoint_value || $codepoint_value <= 0xDFFF ) + ( 0xD800 <= $codepoint_value && $codepoint_value <= 0xDFFF ) ) ? "\u{FFFD}" : mb_chr( $codepoint_value, 'UTF-8' ); From 3cb455d41f7923d4b4be9fec3b7cf3f72686dfdc Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 18:01:17 +0100 Subject: [PATCH 010/187] Improve tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 2857603360e79..a55463ec7122e 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -15,19 +15,20 @@ class Tests_HtmlApi_WpCssSelectors extends WP_UnitTestCase { public static function data_valid_idents() { return array( - array( '_-foo123#xyz', '_-foo123', '#xyz' ), - array( '😍foo123.xyz', '😍foo123', '.xyz' ), - array( '\\xyz', 'xyz', '' ), - array( '\\ x', ' x', '' ), - array( '\\😍', '😍', '' ), - array( '\\abcd', 'ꯍ', '' ), + 'trailing #' => array( '_-foo123#xyz', '_-foo123', '#xyz' ), + 'trailing .' => array( '😍foo123.xyz', '😍foo123', '.xyz' ), + 'trailing " "' => array( '😍foo123 more', '😍foo123', ' more' ), + 'escaped ASCII character' => array( '\\xyz', 'xyz', '' ), + 'escaped space' => array( '\\ x', ' x', '' ), + 'escaped emoji' => array( '\\😍', '😍', '' ), + 'hex unicode codepoint' => array( '\\abcd', 'ꯍ', '' ), - array( "\\31\t23", '123', '' ), - array( "\\31\n23", '123', '' ), - array( "\\31 23", '123', '' ), - array( '\\9', "\t", '' ), - array( '\\61 bc', 'abc', '' ), - array( '\\000061bc', 'abc', '' ), + 'hex tab-suffixed 1' => array( "\\31\t23", '123', '' ), + 'hex newline-suffixed 1' => array( "\\31\n23", '123', '' ), + 'hex space-suffixed 1' => array( "\\31 23", '123', '' ), + 'hex tab' => array( '\\9', "\t", '' ), + 'hex a' => array( '\\61 bc', 'abc', '' ), + 'hex a max escape length' => array( '\\000061bc', 'abc', '' ), ); } @@ -44,7 +45,7 @@ public static function test( string $input, &$offset ) { $offset = 0; $ident = $c::test( $input, $offset ); - $this->assertSame( $ident, $result ); - $this->assertSame( substr( $input, $offset ), $rest ); + $this->assertSame( $ident, $result, 'Ident did not match.' ); + $this->assertSame( substr( $input, $offset ), $rest, 'Offset was not updated correctly.' ); } } From 5609e509ef589afbe23654fe629ce85fc06ad7ec Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 19:53:10 +0100 Subject: [PATCH 011/187] Housekeeping --- src/wp-includes/html-api/class-wp-css-selectors.php | 4 +--- tests/phpunit/tests/html-api/wpCssSelectors.php | 7 ++++++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 408d25395febb..f9c85f9b48a3c 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -1,14 +1,12 @@ array( '_-foo123#xyz', '_-foo123', '#xyz' ), @@ -33,6 +36,8 @@ public static function data_valid_idents() { } /** + * @ticket TBD + * * @dataProvider data_valid_idents */ public function test_valid_idents( string $input, string $result, string $rest ) { From 4f25bc21f907369c899ea2c8c07e7461bdb731e3 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 19:56:30 +0100 Subject: [PATCH 012/187] Require new file in WP --- src/wp-settings.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/wp-settings.php b/src/wp-settings.php index 635f6de248dd5..6c799d5c95140 100644 --- a/src/wp-settings.php +++ b/src/wp-settings.php @@ -265,6 +265,7 @@ require ABSPATH . WPINC . '/html-api/class-wp-html-stack-event.php'; require ABSPATH . WPINC . '/html-api/class-wp-html-processor-state.php'; require ABSPATH . WPINC . '/html-api/class-wp-html-processor.php'; +require ABSPATH . WPINC . '/html-api/class-wp-css-selectors.php'; require ABSPATH . WPINC . '/class-wp-http.php'; require ABSPATH . WPINC . '/class-wp-http-streams.php'; require ABSPATH . WPINC . '/class-wp-http-curl.php'; From 943293f2f840988546c84d17d59dfe4d37e05448 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 20:14:21 +0100 Subject: [PATCH 013/187] Fix offset type --- .../html-api/class-wp-css-selectors.php | 18 +++++++++--------- .../phpunit/tests/html-api/wpCssSelectors.php | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index f9c85f9b48a3c..897cf4b59d752 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -119,13 +119,13 @@ interface IWP_CSS_Selector_Parser { /** * @return static|null */ - public static function parse( string $input, string &$offset ); + public static function parse( string $input, int &$offset ); } abstract class WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser { const UTF8_MAX_CODEPOINT_VALUE = 0x10FFFF; - protected static function parse_whitespace( string $input, string &$offset ): bool { + protected static function parse_whitespace( string $input, int &$offset ): bool { $length = strspn( $input, " \t\r\n\f", $offset ); $advanced = $length > 0; $offset += $length; @@ -147,7 +147,7 @@ protected static function parse_whitespace( string $input, string &$offset ): bo * * This implementation is not interested in the , a '#' delim token is not relevant for selectors. */ - protected static function parse_hash_token( string $input, string &$offset ): ?string { + protected static function parse_hash_token( string $input, int &$offset ): ?string { if ( $offset + 1 >= strlen( $input ) || '#' !== $input[ $offset ] ) { return null; } @@ -183,7 +183,7 @@ protected static function parse_hash_token( string $input, string &$offset ): ?s * * https://www.w3.org/TR/css-syntax-3/#consume-name */ - protected static function parse_ident( string $input, string &$offset ): ?string { + protected static function parse_ident( string $input, int &$offset ): ?string { if ( ! self::check_if_three_code_points_would_start_an_ident_sequence( $input, $offset ) ) { return null; } @@ -307,7 +307,7 @@ protected static function consume_escaped_codepoint( $input, &$offset ): ?string * * @todo this does not check whether the second codepoint is valid. */ - protected static function next_two_are_valid_escape( string $input, string $offset ): bool { + protected static function next_two_are_valid_escape( string $input, int $offset ): bool { if ( $offset + 1 >= strlen( $input ) ) { return false; } @@ -326,7 +326,7 @@ protected static function next_two_are_valid_escape( string $input, string $offs * > non-ASCII code point * > A code point with a value equal to or greater than U+0080 . */ - protected static function is_ident_start_codepoint( string $input, string $offset ): bool { + protected static function is_ident_start_codepoint( string $input, int $offset ): bool { if ( $offset >= strlen( $input ) ) { return false; } @@ -345,7 +345,7 @@ protected static function is_ident_start_codepoint( string $input, string $offse * > digit * > A code point between U+0030 DIGIT ZERO (0) and U+0039 DIGIT NINE (9) inclusive. */ - protected static function is_ident_codepoint( string $input, string $offset ): bool { + protected static function is_ident_codepoint( string $input, int $offset ): bool { return '-' === $input[ $offset ] || ( '0' <= $input[ $offset ] && $input[ $offset ] <= '9' ) || self::is_ident_start_codepoint( $input, $offset ); @@ -370,7 +370,7 @@ protected static function is_ident_codepoint( string $input, string $offset ): b * * https://www.w3.org/TR/css-syntax-3/#would-start-an-identifier */ - protected static function check_if_three_code_points_would_start_an_ident_sequence( string $input, string $offset ): bool { + protected static function check_if_three_code_points_would_start_an_ident_sequence( string $input, int $offset ): bool { if ( $offset >= strlen( $input ) ) { return false; } @@ -422,7 +422,7 @@ private function __construct( string $ident ) { $this->ident = $ident; } - public static function parse( string $input, string &$offset ): ?self { + public static function parse( string $input, int &$offset ): ?self { $ident = self::parse_hash_token( $input, $offset ); if ( null === $ident ) { return null; diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 39d68efcd8f4a..e0dd09c929d09 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -42,7 +42,7 @@ public static function data_valid_idents() { */ public function test_valid_idents( string $input, string $result, string $rest ) { $c = new class() extends WP_CSS_Selector_Parser { - public static function parse( string $input, string &$offset ) {} + public static function parse( string $input, int &$offset ) {} public static function test( string $input, &$offset ) { return self::parse_ident( $input, $offset ); } From 24c9744657023179a33f786a6a7b4d0242534783 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 20:14:48 +0100 Subject: [PATCH 014/187] Add more tests and invalid tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 66 +++++++++++++++---- 1 file changed, 53 insertions(+), 13 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index e0dd09c929d09..d12fcc42c8e60 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -18,20 +18,41 @@ class Tests_HtmlApi_WpCssSelectors extends WP_UnitTestCase { */ public static function data_valid_idents() { return array( - 'trailing #' => array( '_-foo123#xyz', '_-foo123', '#xyz' ), - 'trailing .' => array( '😍foo123.xyz', '😍foo123', '.xyz' ), - 'trailing " "' => array( '😍foo123 more', '😍foo123', ' more' ), - 'escaped ASCII character' => array( '\\xyz', 'xyz', '' ), - 'escaped space' => array( '\\ x', ' x', '' ), - 'escaped emoji' => array( '\\😍', '😍', '' ), - 'hex unicode codepoint' => array( '\\abcd', 'ꯍ', '' ), + 'trailing #' => array( '_-foo123#xyz', '_-foo123', '#xyz' ), + 'trailing .' => array( '😍foo123.xyz', '😍foo123', '.xyz' ), + 'trailing " "' => array( '😍foo123 more', '😍foo123', ' more' ), + 'escaped ASCII character' => array( '\\xyz', 'xyz', '' ), + 'escaped space' => array( '\\ x', ' x', '' ), + 'escaped emoji' => array( '\\😍', '😍', '' ), + 'hex unicode codepoint' => array( '\\abcd', 'ꯍ', '' ), - 'hex tab-suffixed 1' => array( "\\31\t23", '123', '' ), - 'hex newline-suffixed 1' => array( "\\31\n23", '123', '' ), - 'hex space-suffixed 1' => array( "\\31 23", '123', '' ), - 'hex tab' => array( '\\9', "\t", '' ), - 'hex a' => array( '\\61 bc', 'abc', '' ), - 'hex a max escape length' => array( '\\000061bc', 'abc', '' ), + 'hex tab-suffixed 1' => array( "\\31\t23", '123', '' ), + 'hex newline-suffixed 1' => array( "\\31\n23", '123', '' ), + 'hex space-suffixed 1' => array( "\\31 23", '123', '' ), + 'hex tab' => array( '\\9', "\t", '' ), + 'hex a' => array( '\\61 bc', 'abc', '' ), + 'hex a max escape length' => array( '\\000061bc', 'abc', '' ), + + 'out of range replacement min' => array( '\\110000 ', "\u{fffd}", '' ), + 'out of range replacement max' => array( '\\ffffff ', "\u{fffd}", '' ), + 'leading surrogate min replacement' => array( '\\d800 ', "\u{fffd}", '' ), + 'leading surrogate max replacement' => array( '\\dbff ', "\u{fffd}", '' ), + 'trailing surrogate min replacement' => array( '\\dc00 ', "\u{fffd}", '' ), + 'trailing surrogate max replacement' => array( '\\dfff ', "\u{fffd}", '' ), + ); + } + + /** + * Data provider. + */ + public static function data_invalid_idents() { + return array( + 'bad start >' => array( '>' ), + 'bad start [' => array( '[' ), + 'bad start #' => array( '#' ), + 'bad start " "' => array( ' ' ), + 'bad start -' => array( '-' ), + 'bad start 1' => array( '-' ), ); } @@ -53,4 +74,23 @@ public static function test( string $input, &$offset ) { $this->assertSame( $ident, $result, 'Ident did not match.' ); $this->assertSame( substr( $input, $offset ), $rest, 'Offset was not updated correctly.' ); } + + /** + * @ticket TBD + * + * @dataProvider data_invalid_idents + */ + public function test_invalid_idents( string $input ) { + $c = new class() extends WP_CSS_Selector_Parser { + public static function parse( string $input, int &$offset ) {} + public static function test( string $input, int &$offset ) { + return self::parse_ident( $input, $offset ); + } + }; + + $offset = 0; + $result = $c::test( $input, $offset ); + $this->assertNull( $result, 'Ident did not match.' ); + $this->assertSame( 0, $offset, 'Offset was incorrectly adjusted.' ); + } } From a7c10b9e12aeed9263a69b46eeb011e59092ed07 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 20:15:03 +0100 Subject: [PATCH 015/187] Fix wrong offset var usage --- src/wp-includes/html-api/class-wp-css-selectors.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 897cf4b59d752..8afb3928e07de 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -383,7 +383,7 @@ protected static function check_if_three_code_points_would_start_an_ident_sequen // > U+002D HYPHEN-MINUS if ( '-' === $input[ $offset ] ) { $after_initial_hyphen_minus_offset = $offset + 1; - if ( $offset >= strlen( $input ) ) { + if ( $after_initial_hyphen_minus_offset >= strlen( $input ) ) { return false; } From dd718b7093dfa3510d6b7476b39510013f759797 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 20:17:15 +0100 Subject: [PATCH 016/187] comment tweak --- src/wp-includes/html-api/class-wp-css-selectors.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 8afb3928e07de..64020bcc0c607 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -392,7 +392,7 @@ protected static function check_if_three_code_points_would_start_an_ident_sequen return true; } - // > If the second and third code points are a valid escape, return true. + // > If the second and third code points are a valid escape… return true. if ( self::next_two_are_valid_escape( $input, $after_initial_hyphen_minus_offset ) ) { return true; } From 5884aca6e807002d6474c37e291b3dde5c59778d Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 20:53:50 +0100 Subject: [PATCH 017/187] Implement codepoint escape with strspn --- .../html-api/class-wp-css-selectors.php | 24 ++++--------------- 1 file changed, 4 insertions(+), 20 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 64020bcc0c607..56c31911d95b8 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -230,25 +230,9 @@ protected static function parse_ident( string $input, int &$offset ): ?string { * > Return the current input code point. */ protected static function consume_escaped_codepoint( $input, &$offset ): ?string { - if ( - ( '0' <= $input[ $offset ] && $input[ $offset ] <= '9' ) || - ( 'a' <= $input[ $offset ] && $input[ $offset ] <= 'f' ) || - ( 'A' <= $input[ $offset ] && $input[ $offset ] <= 'F' ) - ) { - $hex_end_offset = $offset + 1; - while ( - strlen( $input ) > $hex_end_offset && - $hex_end_offset - $offset < 6 && - ( - ( '0' <= $input[ $hex_end_offset ] && $input[ $hex_end_offset ] <= '9' ) || - ( 'a' <= $input[ $hex_end_offset ] && $input[ $hex_end_offset ] <= 'f' ) || - ( 'A' <= $input[ $hex_end_offset ] && $input[ $hex_end_offset ] <= 'F' ) - ) - ) { - $hex_end_offset += 1; - } - - $codepoint_value = hexdec( substr( $input, $offset, $hex_end_offset - $offset ) ); + $hex_length = strspn( $input, '0123456789abcdefABCDEF', $offset, 6 ); + if ( $hex_length > 0 ) { + $codepoint_value = hexdec( substr( $input, $offset, $hex_length ) ); // > A surrogate is a leading surrogate or a trailing surrogate. // > A leading surrogate is a code point that is in the range U+D800 to U+DBFF, inclusive. @@ -263,7 +247,7 @@ protected static function consume_escaped_codepoint( $input, &$offset ): ?string "\u{FFFD}" : mb_chr( $codepoint_value, 'UTF-8' ); - $offset = $hex_end_offset; + $offset += $hex_length; // If the next input code point is whitespace, consume it as well. if ( From a9a077f463c9c981adc811b7be6b27d89c05d9dc Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 22 Nov 2024 20:54:11 +0100 Subject: [PATCH 018/187] Test with UPPER HEX --- tests/phpunit/tests/html-api/wpCssSelectors.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index d12fcc42c8e60..270def39b53d3 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -24,7 +24,8 @@ public static function data_valid_idents() { 'escaped ASCII character' => array( '\\xyz', 'xyz', '' ), 'escaped space' => array( '\\ x', ' x', '' ), 'escaped emoji' => array( '\\😍', '😍', '' ), - 'hex unicode codepoint' => array( '\\abcd', 'ꯍ', '' ), + 'hex unicode codepoint' => array( '\\1f0a1', '🂡', '' ), + 'HEX UNICODE CODEPOINT' => array( '\\1D4B2', '𝒲', '' ), 'hex tab-suffixed 1' => array( "\\31\t23", '123', '' ), 'hex newline-suffixed 1' => array( "\\31\n23", '123', '' ), From 5f53e0a50b472a0aff078f233d6d7ffae189de33 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 17:34:25 +0100 Subject: [PATCH 019/187] Add ID tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 270def39b53d3..149bcd1f9572d 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -94,4 +94,33 @@ public static function test( string $input, int &$offset ) { $this->assertNull( $result, 'Ident did not match.' ); $this->assertSame( 0, $offset, 'Offset was incorrectly adjusted.' ); } + + /** + * @ticket TBD + * + * @dataProvider data_ids + */ + public function test_parse_id( string $input, ?string $expected_id = null, ?string $rest = null ) { + $offset = 0; + $result = WP_CSS_ID_Selector::parse( $input, $offset ); + if ( null === $expected_id ) { + $this->assertNull( $result ); + } else { + $this->assertSame( $result->ident, $expected_id ); + $this->assertSame( substr( $input, $offset ), $rest ); + } + } + + public static function data_ids(): array { + return array( + 'valid #_-foo123' => array( '#_-foo123', '_-foo123', '' ), + 'valid #foo#bar' => array( '#foo#bar', 'foo', '#bar' ), + 'escaped #\31 23' => array( '#\\31 23', '123', '' ), + 'with descendant #\31 23 div' => array( '#\\31 23 div', '123', ' div' ), + + 'not ID foo' => array( 'foo' ), + 'not valid #1foo' => array( '#1foo' ), + 'not id .bar' => array( '.bar' ), + ); + } } From effbbbece335486d269ecccf480fab99fc497d17 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 17:46:07 +0100 Subject: [PATCH 020/187] Improve tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 72 ++++++++----------- 1 file changed, 29 insertions(+), 43 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 149bcd1f9572d..53495f0b09004 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -15,8 +15,10 @@ class Tests_HtmlApi_WpCssSelectors extends WP_UnitTestCase { /** * Data provider. + * + * @return array */ - public static function data_valid_idents() { + public static function data_idents(): array { return array( 'trailing #' => array( '_-foo123#xyz', '_-foo123', '#xyz' ), 'trailing .' => array( '😍foo123.xyz', '😍foo123', '.xyz' ), @@ -40,29 +42,23 @@ public static function data_valid_idents() { 'leading surrogate max replacement' => array( '\\dbff ', "\u{fffd}", '' ), 'trailing surrogate min replacement' => array( '\\dc00 ', "\u{fffd}", '' ), 'trailing surrogate max replacement' => array( '\\dfff ', "\u{fffd}", '' ), - ); - } - /** - * Data provider. - */ - public static function data_invalid_idents() { - return array( - 'bad start >' => array( '>' ), - 'bad start [' => array( '[' ), - 'bad start #' => array( '#' ), - 'bad start " "' => array( ' ' ), - 'bad start -' => array( '-' ), - 'bad start 1' => array( '-' ), + // Invalid + 'bad start >' => array( '>' ), + 'bad start [' => array( '[' ), + 'bad start #' => array( '#' ), + 'bad start " "' => array( ' ' ), + 'bad start -' => array( '-' ), + 'bad start 1' => array( '-' ), ); } /** * @ticket TBD * - * @dataProvider data_valid_idents + * @dataProvider data_idents */ - public function test_valid_idents( string $input, string $result, string $rest ) { + public function test_parse_ident( string $input, ?string $expected = null, ?string $rest = null ) { $c = new class() extends WP_CSS_Selector_Parser { public static function parse( string $input, int &$offset ) {} public static function test( string $input, &$offset ) { @@ -70,48 +66,38 @@ public static function test( string $input, &$offset ) { } }; - $offset = 0; - $ident = $c::test( $input, $offset ); - $this->assertSame( $ident, $result, 'Ident did not match.' ); - $this->assertSame( substr( $input, $offset ), $rest, 'Offset was not updated correctly.' ); - } - - /** - * @ticket TBD - * - * @dataProvider data_invalid_idents - */ - public function test_invalid_idents( string $input ) { - $c = new class() extends WP_CSS_Selector_Parser { - public static function parse( string $input, int &$offset ) {} - public static function test( string $input, int &$offset ) { - return self::parse_ident( $input, $offset ); - } - }; - $offset = 0; $result = $c::test( $input, $offset ); - $this->assertNull( $result, 'Ident did not match.' ); - $this->assertSame( 0, $offset, 'Offset was incorrectly adjusted.' ); + if ( null === $expected ) { + $this->assertNull( $result ); + } else { + $this->assertSame( $expected, $result, 'Ident did not match.' ); + $this->assertSame( substr( $input, $offset ), $rest, 'Offset was not updated correctly.' ); + } } /** * @ticket TBD * - * @dataProvider data_ids + * @dataProvider data_id_selectors */ - public function test_parse_id( string $input, ?string $expected_id = null, ?string $rest = null ) { + public function test_parse_id( string $input, ?string $expected = null, ?string $rest = null ) { $offset = 0; $result = WP_CSS_ID_Selector::parse( $input, $offset ); - if ( null === $expected_id ) { + if ( null === $expected ) { $this->assertNull( $result ); } else { - $this->assertSame( $result->ident, $expected_id ); + $this->assertSame( $result->ident, $expected ); $this->assertSame( substr( $input, $offset ), $rest ); } } - public static function data_ids(): array { + /** + * Data provider. + * + * @return array + */ + public static function data_id_selectors(): array { return array( 'valid #_-foo123' => array( '#_-foo123', '_-foo123', '' ), 'valid #foo#bar' => array( '#foo#bar', 'foo', '#bar' ), @@ -119,8 +105,8 @@ public static function data_ids(): array { 'with descendant #\31 23 div' => array( '#\\31 23 div', '123', ' div' ), 'not ID foo' => array( 'foo' ), + 'not ID .bar' => array( '.bar' ), 'not valid #1foo' => array( '#1foo' ), - 'not id .bar' => array( '.bar' ), ); } } From 62ec5bb804872afe38073e86a0e23ee1d5cd16a7 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 17:46:23 +0100 Subject: [PATCH 021/187] Add class selector tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 53495f0b09004..aac3339e4d27d 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -109,4 +109,38 @@ public static function data_id_selectors(): array { 'not valid #1foo' => array( '#1foo' ), ); } + + /** + * @ticket TBD + * + * @dataProvider data_class_selectors + */ + public function test_parse_class( string $input, ?string $expected = null, ?string $rest = null ) { + $offset = 0; + $result = WP_CSS_Class_Selector::parse( $input, $offset ); + if ( null === $expected ) { + $this->assertNull( $result ); + } else { + $this->assertSame( $result->ident, $expected ); + $this->assertSame( substr( $input, $offset ), $rest ); + } + } + + /** + * Data provider. + * + * @return array + */ + public static function data_class_selectors(): array { + return array( + 'valid ._-foo123' => array( '._-foo123', '_-foo123', '' ), + 'valid .foo.bar' => array( '.foo.bar', 'foo', '.bar' ), + 'escaped .\31 23' => array( '.\\31 23', '123', '' ), + 'with descendant .\31 23 div' => array( '.\\31 23 div', '123', ' div' ), + + 'not class foo' => array( 'foo' ), + 'not class #bar' => array( '#bar' ), + 'not valid .1foo' => array( '.1foo' ), + ); + } } From 153f00978429f98cd7c5cc3d65a8b8affdcf1e45 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 17:47:00 +0100 Subject: [PATCH 022/187] Add class selector --- .../html-api/class-wp-css-selectors.php | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 56c31911d95b8..7b72fa0fe9616 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -414,3 +414,29 @@ public static function parse( string $input, int &$offset ): ?self { return new self( $ident ); } } + +final class WP_CSS_Class_Selector extends WP_CSS_Selector_Parser { + /** @var string */ + public $ident; + + private function __construct( string $ident ) { + $this->ident = $ident; + } + + public static function parse( string $input, int &$offset ): ?self { + if ( $offset + 1 >= strlen( $input ) || '.' !== $input[ $offset ] ) { + return null; + } + + $updated_offset = $offset + 1; + $result = self::parse_ident( $input, $updated_offset ); + + if ( null === $result ) { + return null; + $offset = $updated_offset; + } + + $offset = $updated_offset; + return new self( $result ); + } +} From fcc6401475554cd955891ae1dd82e067064067e8 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 17:47:21 +0100 Subject: [PATCH 023/187] Simplify id selector parse --- .../html-api/class-wp-css-selectors.php | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 7b72fa0fe9616..fbccb55a5a0eb 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -152,12 +152,16 @@ protected static function parse_hash_token( string $input, int &$offset ): ?stri return null; } - $offset_after_hash = $offset + 1; - if ( self::check_if_three_code_points_would_start_an_ident_sequence( $input, $offset_after_hash ) ) { - $offset = $offset_after_hash; - return self::parse_ident( $input, $offset ); + $updated_offset = $offset + 1; + $result = self::parse_ident( $input, $updated_offset ); + + if ( null === $result ) { + return null; + $offset = $updated_offset; } - return null; + + $offset = $updated_offset; + return $result; } /** From 21c67e52745b532489f6a494892b71c83f1b03ac Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 18:02:03 +0100 Subject: [PATCH 024/187] Improve ident tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index aac3339e4d27d..b3099146e226c 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -42,14 +42,20 @@ public static function data_idents(): array { 'leading surrogate max replacement' => array( '\\dbff ', "\u{fffd}", '' ), 'trailing surrogate min replacement' => array( '\\dc00 ', "\u{fffd}", '' ), 'trailing surrogate max replacement' => array( '\\dfff ', "\u{fffd}", '' ), + 'can start with -ident' => array( '-ident', '-ident', '' ), + 'can start with --anything' => array( '--anything', '--anything', '' ), + 'can start with ---anything' => array( '--_anything', '--_anything', '' ), + 'can start with --1anything' => array( '--1anything', '--1anything', '' ), + 'can start with -\31 23' => array( '-\31 23', '-123', '' ), + 'can start with --\31 23' => array( '--\31 23', '--123', '' ), // Invalid - 'bad start >' => array( '>' ), - 'bad start [' => array( '[' ), - 'bad start #' => array( '#' ), - 'bad start " "' => array( ' ' ), - 'bad start -' => array( '-' ), - 'bad start 1' => array( '-' ), + 'bad start >' => array( '>ident' ), + 'bad start [' => array( '[ident' ), + 'bad start #' => array( '#ident' ), + 'bad start " "' => array( ' ident' ), + 'bad start 1' => array( '1ident' ), + 'bad start -1' => array( '-1ident' ), ); } From 728d798d663d27f5b385d82fe54f3b88544983de Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 18:31:24 +0100 Subject: [PATCH 025/187] Add type selector tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index b3099146e226c..694c405c09e0b 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -149,4 +149,39 @@ public static function data_class_selectors(): array { 'not valid .1foo' => array( '.1foo' ), ); } + + /** + * @ticket TBD + * + * @dataProvider data_type_selectors + */ + public function test_parse_type( string $input, ?string $expected = null, ?string $rest = null ) { + $offset = 0; + $result = WP_CSS_Type_Selector::parse( $input, $offset ); + if ( null === $expected ) { + $this->assertNull( $result ); + } else { + $this->assertSame( $result->ident, $expected ); + $this->assertSame( substr( $input, $offset ), $rest ); + } + } + + /** + * Data provider. + * + * @return array + */ + public static function data_type_selectors(): array { + return array( + 'any *' => array( '* .class', '*', ' .class' ), + 'a' => array( 'a', 'a', '' ), + 'div.class' => array( 'div.class', 'div', '.class' ), + 'custom-type#id' => array( 'custom-type#id', 'custom-type', '#id' ), + + // invalid + '#id' => array( '#id' ), + '.class' => array( '.class' ), + '[attr]' => array( '[attr]' ), + ); + } } From e1e8e098cfa4d0854104760e7e225e265f022064 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 18:31:54 +0100 Subject: [PATCH 026/187] Add docs and remove unreachable line --- .../html-api/class-wp-css-selectors.php | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index fbccb55a5a0eb..4ea438b95d8ce 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -410,6 +410,13 @@ private function __construct( string $ident ) { $this->ident = $ident; } + /** + * Parse an ID selector + * + * > = + * + * https://www.w3.org/TR/selectors/#grammar + */ public static function parse( string $input, int &$offset ): ?self { $ident = self::parse_hash_token( $input, $offset ); if ( null === $ident ) { @@ -427,6 +434,13 @@ private function __construct( string $ident ) { $this->ident = $ident; } + /** + * Parse a class selector + * + * > = '.' + * + * https://www.w3.org/TR/selectors/#grammar + */ public static function parse( string $input, int &$offset ): ?self { if ( $offset + 1 >= strlen( $input ) || '.' !== $input[ $offset ] ) { return null; @@ -437,7 +451,6 @@ public static function parse( string $input, int &$offset ): ?self { if ( null === $result ) { return null; - $offset = $updated_offset; } $offset = $updated_offset; From 13ac3c11204d31e30455870bff92f0b81ecd3386 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 18:32:17 +0100 Subject: [PATCH 027/187] Add type selector class --- .../html-api/class-wp-css-selectors.php | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 4ea438b95d8ce..4a6b65048b62b 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -457,3 +457,46 @@ public static function parse( string $input, int &$offset ): ?self { return new self( $result ); } } + +final class WP_CSS_Type_Selector extends WP_CSS_Selector_Parser { + /** + * @var string + * + * The type identifier string or '*'. + */ + public $ident; + + private function __construct( string $ident ) { + $this->ident = $ident; + } + + /** + * Parse a type selector + * + * > = | ? '*' + * > = [ | '*' ]? '|' + * > = ? + * + * Namespaces (e.g. |div, *|div, or namespace|div) are not supported, + * so this selector effectively matches * or ident. + * + * https://www.w3.org/TR/selectors/#grammar + */ + public static function parse( string $input, int &$offset ): ?self { + if ( $offset >= strlen( $input ) ) { + return false; + } + + if ( '*' === $input[ $offset ] ) { + ++$offset; + return new self( '*' ); + } + + $result = self::parse_ident( $input, $offset ); + if ( null === $result ) { + return null; + } + + return new self( $result ); + } +} From a3c25e892f059f02d42070d593d03c5199a15e8d Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 19:13:39 +0100 Subject: [PATCH 028/187] Add attribute selector tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 694c405c09e0b..5d0af28006039 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -184,4 +184,69 @@ public static function data_type_selectors(): array { '[attr]' => array( '[attr]' ), ); } + + /** + * @ticket TBD + * + * @dataProvider data_attribute_selectors + */ + public function test_parse_attribute( + string $input, + ?string $expected_name = null, + ?string $expected_matcher = null, + ?string $expected_value = null, + ?string $expected_modifier = null, + ?string $rest = null + ) { + $offset = 0; + $result = WP_CSS_Attribute_Selector::parse( $input, $offset ); + if ( null === $expected_name ) { + $this->assertNull( $result ); + } else { + $this->assertSame( $result->name, $expected_name ); + $this->assertSame( $result->matcher, $expected_matcher ); + $this->assertSame( $result->value, $expected_value ); + $this->assertSame( $result->modifier, $expected_modifier ); + $this->assertSame( substr( $input, $offset ), $rest ); + } + } + + /** + * Data provider. + * + * @return array + */ + public static function data_attribute_selectors(): array { + return array( + array( '[href]', 'href', null, null, null, '' ), + array( '[href] type', 'href', null, null, null, ' type' ), + array( '[href]#id', 'href', null, null, null, '#id' ), + array( '[href].class', 'href', null, null, null, '.class' ), + array( '[href][href2]', 'href', null, null, null, '[href2]' ), + array( "[\n href\t\r]", 'href', null, null, null, '' ), + array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), + array( "[href \n = bar ]", WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), + array( "[href \n ^= baz ]", WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'bar', null, '' ), + array( '[match $= insensitive i]', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + array( '[match|=sensitive s]', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + array( '[match="quoted[][]"]', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted[][]', null, '' ), + array( "[match='quoted!{}']", WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted!{}', null, '' ), + array( "[match*='quoted's]", WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + + // Invalid + array( 'foo' ), + array( '[foo' ), + array( '[#foo]' ), + array( '[*|*]' ), + array( '[ns|*]' ), + array( '[* |att]' ), + array( '[*| att]' ), + array( '[att * =]' ), + array( '[att * =]' ), + array( '[att i]' ), + array( '[att s]' ), + array( '[att="val" I]' ), + array( '[att="val" S]' ), + ); + } } From ad5c600d99ffeb98e92e6678b1476c0a7e02a808 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 19:49:57 +0100 Subject: [PATCH 029/187] improve attr tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 5d0af28006039..43c710a6f750c 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -218,35 +218,35 @@ public function test_parse_attribute( */ public static function data_attribute_selectors(): array { return array( - array( '[href]', 'href', null, null, null, '' ), - array( '[href] type', 'href', null, null, null, ' type' ), - array( '[href]#id', 'href', null, null, null, '#id' ), - array( '[href].class', 'href', null, null, null, '.class' ), - array( '[href][href2]', 'href', null, null, null, '[href2]' ), - array( "[\n href\t\r]", 'href', null, null, null, '' ), - array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), - array( "[href \n = bar ]", WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), - array( "[href \n ^= baz ]", WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'bar', null, '' ), - array( '[match $= insensitive i]', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - array( '[match|=sensitive s]', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - array( '[match="quoted[][]"]', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted[][]', null, '' ), - array( "[match='quoted!{}']", WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted!{}', null, '' ), - array( "[match*='quoted's]", WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[href]' => array( '[href]', 'href', null, null, null, '' ), + '[href] type' => array( '[href] type', 'href', null, null, null, ' type' ), + '[href]#id' => array( '[href]#id', 'href', null, null, null, '#id' ), + '[href].class' => array( '[href].class', 'href', null, null, null, '.class' ), + '[href][href2]' => array( '[href][href2]', 'href', null, null, null, '[href2]' ), + '[\n href\t\r]' => array( "[\n href\t\r]", 'href', null, null, null, '' ), + '[href=foo]' => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), + '[href \n = bar ]' => array( "[href \n = bar ]", WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), + '[href \n ^= baz ]' => array( "[href \n ^= baz ]", WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'bar', null, '' ), + '[match $= insensitive i]' => array( '[match $= insensitive i]', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + '[match|=sensitive s]' => array( '[match|=sensitive s]', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[match="quoted[][]"]' => array( '[match="quoted[][]"]', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted[][]', null, '' ), + "[match='quoted!{}']" => array( "[match='quoted!{}']", WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted!{}', null, '' ), + "[match*='quoted's]" => array( "[match*='quoted's]", WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), // Invalid - array( 'foo' ), - array( '[foo' ), - array( '[#foo]' ), - array( '[*|*]' ), - array( '[ns|*]' ), - array( '[* |att]' ), - array( '[*| att]' ), - array( '[att * =]' ), - array( '[att * =]' ), - array( '[att i]' ), - array( '[att s]' ), - array( '[att="val" I]' ), - array( '[att="val" S]' ), + 'foo' => array( 'foo' ), + '[foo' => array( '[foo' ), + '[#foo]' => array( '[#foo]' ), + '[*|*]' => array( '[*|*]' ), + '[ns|*]' => array( '[ns|*]' ), + '[* |att]' => array( '[* |att]' ), + '[*| att]' => array( '[*| att]' ), + '[att * =]' => array( '[att * =]' ), + '[att * =]' => array( '[att * =]' ), + '[att i]' => array( '[att i]' ), + '[att s]' => array( '[att s]' ), + '[att="val" I]' => array( '[att="val" I]' ), + '[att="val" S]' => array( '[att="val" S]' ), ); } } From 675870497312b388d4992090c7681886b06c919a Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 19:53:06 +0100 Subject: [PATCH 030/187] Fix expectation argument order --- .../phpunit/tests/html-api/wpCssSelectors.php | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 43c710a6f750c..7bea7c3b34180 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -78,7 +78,7 @@ public static function test( string $input, &$offset ) { $this->assertNull( $result ); } else { $this->assertSame( $expected, $result, 'Ident did not match.' ); - $this->assertSame( substr( $input, $offset ), $rest, 'Offset was not updated correctly.' ); + $this->assertSame( $rest, substr( $input, $offset ), 'Offset was not updated correctly.' ); } } @@ -93,8 +93,8 @@ public function test_parse_id( string $input, ?string $expected = null, ?string if ( null === $expected ) { $this->assertNull( $result ); } else { - $this->assertSame( $result->ident, $expected ); - $this->assertSame( substr( $input, $offset ), $rest ); + $this->assertSame( $expected, $result->ident ); + $this->assertSame( $rest, substr( $input, $offset ) ); } } @@ -127,8 +127,8 @@ public function test_parse_class( string $input, ?string $expected = null, ?stri if ( null === $expected ) { $this->assertNull( $result ); } else { - $this->assertSame( $result->ident, $expected ); - $this->assertSame( substr( $input, $offset ), $rest ); + $this->assertSame( $expected, $result->ident ); + $this->assertSame( $rest, substr( $input, $offset ) ); } } @@ -161,8 +161,8 @@ public function test_parse_type( string $input, ?string $expected = null, ?strin if ( null === $expected ) { $this->assertNull( $result ); } else { - $this->assertSame( $result->ident, $expected ); - $this->assertSame( substr( $input, $offset ), $rest ); + $this->assertSame( $expected, $result->ident ); + $this->assertSame( $rest, substr( $input, $offset ) ); } } @@ -203,11 +203,11 @@ public function test_parse_attribute( if ( null === $expected_name ) { $this->assertNull( $result ); } else { - $this->assertSame( $result->name, $expected_name ); - $this->assertSame( $result->matcher, $expected_matcher ); - $this->assertSame( $result->value, $expected_value ); - $this->assertSame( $result->modifier, $expected_modifier ); - $this->assertSame( substr( $input, $offset ), $rest ); + $this->assertSame( $expected_name, $result->name ); + $this->assertSame( $expected_matcher, $result->matcher ); + $this->assertSame( $expected_value, $result->value ); + $this->assertSame( $expected_modifier, $result->modifier ); + $this->assertSame( $rest, substr( $input, $offset ) ); } } From e97842cf6665fef97059b71acef61e70ebbdf03e Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 25 Nov 2024 21:31:31 +0100 Subject: [PATCH 031/187] Add test and fix is_ident --- .../html-api/class-wp-css-selectors.php | 2 +- .../phpunit/tests/html-api/wpCssSelectors.php | 23 +++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 4a6b65048b62b..49b51e51fe81e 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -323,7 +323,7 @@ protected static function is_ident_start_codepoint( string $input, int $offset ) '_' === $input[ $offset ] || ( 'a' <= $input[ $offset ] && $input[ $offset ] <= 'z' ) || ( 'A' <= $input[ $offset ] && $input[ $offset ] <= 'Z' ) || - $input[ $offset ] > '\x7F' + ord( $input[ $offset ] ) > 0x7F ); } diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 7bea7c3b34180..55cd1eafb29c9 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -48,6 +48,7 @@ public static function data_idents(): array { 'can start with --1anything' => array( '--1anything', '--1anything', '' ), 'can start with -\31 23' => array( '-\31 23', '-123', '' ), 'can start with --\31 23' => array( '--\31 23', '--123', '' ), + 'ident ends before ]' => array( 'ident]', 'ident', ']' ), // Invalid 'bad start >' => array( '>ident' ), @@ -59,6 +60,28 @@ public static function data_idents(): array { ); } + /** + * @ticket TBD + */ + public function test_is_ident_and_is_ident_start() { + $c = new class() extends WP_CSS_Selector_Parser { + public static function parse( string $input, int &$offset ) {} + + public static function test_is_ident( string $input, int $offset ) { + return self::is_ident_codepoint( $input, $offset ); + } + + public static function test_is_ident_start( string $input, int $offset ) { + return self::is_ident_start_codepoint( $input, $offset ); + } + }; + + $this->assertFalse( $c::test_is_ident( '[', 0 ) ); + $this->assertFalse( $c::test_is_ident( ']', 0 ) ); + $this->assertFalse( $c::test_is_ident_start( '[', 0 ) ); + $this->assertFalse( $c::test_is_ident_start( ']', 0 ) ); + } + /** * @ticket TBD * From ef0085631424083dfc217308684c1baac3eea7f8 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 12:36:40 +0100 Subject: [PATCH 032/187] Add parse_string stub --- src/wp-includes/html-api/class-wp-css-selectors.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 49b51e51fe81e..96c4465c2dbd6 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -212,6 +212,11 @@ protected static function parse_ident( string $input, int &$offset ): ?string { return $ident; } + // @todo stub + protected static function parse_string( string $input, int &$offset ): ?string { + return null; + } + /** * Consume an escaped code point. * From 463e799a75d713829f84a988d58595d2ba0923f0 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 12:37:31 +0100 Subject: [PATCH 033/187] Add attribute selector parsing --- .../html-api/class-wp-css-selectors.php | 213 ++++++++++++++++++ 1 file changed, 213 insertions(+) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 96c4465c2dbd6..5067d1c2b87e6 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -505,3 +505,216 @@ public static function parse( string $input, int &$offset ): ?self { return new self( $result ); } } + +final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser { + /** + * [attr=value] + * Represents elements with an attribute name of attr whose value is exactly value. + */ + const MATCH_EXACT = 'MATCH_EXACT'; + + /** + * [attr~=value] + * Represents elements with an attribute name of attr whose value is a + * whitespace-separated list of words, one of which is exactly value. + */ + const MATCH_ONE_OF_EXACT = 'MATCH_ONE_OF_EXACT'; + + /** + * [attr|=value] + * Represents elements with an attribute name of attr whose value can be exactly value or + * can begin with value immediately followed by a hyphen, - (U+002D). It is often used for + * language subcode matches. + */ + const MATCH_EXACT_OR_EXACT_WITH_HYPHEN = 'MATCH_EXACT_OR_EXACT_WITH_HYPHEN'; + + /** + * [attr^=value] + * Represents elements with an attribute name of attr whose value is prefixed (preceded) + * by value. + */ + const MATCH_PREFIXED_BY = 'MATCH_PREFIXED_BY'; + + /** + * [attr$=value] + * Represents elements with an attribute name of attr whose value is suffixed (followed) + * by value. + */ + const MATCH_SUFFIXED_BY = 'MATCH_SUFFIXED_BY'; + + /** + * [attr*=value] + * Represents elements with an attribute name of attr whose value contains at least one + * occurrence of value within the string. + */ + const MATCH_CONTAINS = 'MATCH_CONTAINS'; + + /** + * Modifier for case sensitive matching + * [attr=value s] + */ + const MODIFIER_CASE_SENSITIVE = 'case-sensitive'; + + /** + * Modifier for case insensitive matching + * [attr=value i] + */ + const MODIFIER_CASE_INSENSITIVE = 'case-insensitive'; + + + /** + * The attribute name. + * + * @var string + */ + public $name; + + /** + * The attribute matcher. + * + * @var string|null + */ + public $matcher; + + /** + * The attribute value. + * + * @var string|null + */ + public $value; + + /** + * The attribute modifier. + * + * @var string|null + */ + public $modifier; + + private function __construct( string $name, ?string $matcher = null, ?string $value = null, ?string $modifier = null ) { + $this->name = $name; + $this->matcher = $matcher; + $this->value = $value; + $this->modifier = $modifier; + } + + /** + * Parse a attribute selector + * + * > = '[' ']' | + * > '[' [ | ] ? ']' + * > = [ '~' | '|' | '^' | '$' | '*' ]? '=' + * > = i | s + * > = ? + * + * Namespaces are not supported, so attribute names are effectively identifiers. + * + * https://www.w3.org/TR/selectors/#grammar + */ + public static function parse( string $input, int &$offset ): ?self { + // Need at least 3 bytes [x] + if ( $offset + 2 >= strlen( $input ) ) { + return false; + } + + $updated_offset = $offset; + + if ( '[' !== $input[ $updated_offset ] ) { + return null; + } + ++$updated_offset; + + self::parse_whitespace( $input, $updated_offset ); + $attr_name = self::parse_ident( $input, $updated_offset ); + if ( null === $attr_name ) { + return null; + } + self::parse_whitespace( $input, $updated_offset ); + + if ( $updated_offset >= strlen( $input ) ) { + return null; + } + + if ( ']' === $input[ $updated_offset ] ) { + $offset = $updated_offset + 1; + return new self( $attr_name ); + } + + // need to match at least `=x]` at this point + if ( $updated_offset + 3 >= strlen( $input ) ) { + return null; + } + + if ( '=' === $input[ $updated_offset ] ) { + ++$updated_offset; + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT; + } elseif ( '=' === $input[ $updated_offset + 1 ] ) { + switch ( $input[ $updated_offset ] ) { + case '~': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT; + $updated_offset += 2; + break; + case '|': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN; + $updated_offset += 2; + break; + case '^': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY; + $updated_offset += 2; + break; + case '$': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY; + $updated_offset += 2; + break; + case '*': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_CONTAINS; + $updated_offset += 2; + break; + default: + return null; + } + } else { + return null; + } + + self::parse_whitespace( $input, $updated_offset ); + $attr_val = + self::parse_string( $input, $updated_offset ) ?? + self::parse_ident( $input, $updated_offset ); + + if ( null === $attr_val ) { + return null; + } + + self::parse_whitespace( $input, $updated_offset ); + if ( $updated_offset >= strlen( $input ) ) { + return null; + } + + $attr_modifier = null; + switch ( $input[ $updated_offset ] ) { + case 'i': + $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE; + ++$updated_offset; + break; + + case 's': + $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE; + ++$updated_offset; + break; + } + + if ( null !== $attr_modifier ) { + self::parse_whitespace( $input, $updated_offset ); + if ( $updated_offset >= strlen( $input ) ) { + return null; + } + } + + if ( ']' === $input[ $updated_offset ] ) { + $offset = $updated_offset + 1; + return new self( $attr_name, $attr_matcher, $attr_val, $attr_modifier ); + } + + return null; + } +} From 0f5b28cc5ed226f23ea38a3025ae5403b9b24bff Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 12:45:17 +0100 Subject: [PATCH 034/187] Fix test expectations --- tests/phpunit/tests/html-api/wpCssSelectors.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 55cd1eafb29c9..ae3c3e80c4f90 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -248,13 +248,13 @@ public static function data_attribute_selectors(): array { '[href][href2]' => array( '[href][href2]', 'href', null, null, null, '[href2]' ), '[\n href\t\r]' => array( "[\n href\t\r]", 'href', null, null, null, '' ), '[href=foo]' => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), - '[href \n = bar ]' => array( "[href \n = bar ]", WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), - '[href \n ^= baz ]' => array( "[href \n ^= baz ]", WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'bar', null, '' ), - '[match $= insensitive i]' => array( '[match $= insensitive i]', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - '[match|=sensitive s]' => array( '[match|=sensitive s]', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - '[match="quoted[][]"]' => array( '[match="quoted[][]"]', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted[][]', null, '' ), - "[match='quoted!{}']" => array( "[match='quoted!{}']", WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted!{}', null, '' ), - "[match*='quoted's]" => array( "[match*='quoted's]", WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[href \n = bar ]' => array( "[href \n = bar ]", 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), + '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), + '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[match="quoted[][]"]' => array( '[match="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted[][]', null, '' ), + "[match='quoted!{}']" => array( "[match='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted!{}', null, '' ), + "[match*='quoted's]" => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), // Invalid 'foo' => array( 'foo' ), From f4a491ae52aaaf4807e9eb9c9b6c671bae105abf Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 18:11:25 +0100 Subject: [PATCH 035/187] More and improved attribute tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 36 ++++++++++--------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index ae3c3e80c4f90..4557ee1a5b3c4 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -252,24 +252,28 @@ public static function data_attribute_selectors(): array { '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - '[match="quoted[][]"]' => array( '[match="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted[][]', null, '' ), - "[match='quoted!{}']" => array( "[match='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted!{}', null, '' ), - "[match*='quoted's]" => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[match~="quoted[][]"]' => array( '[match~="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT, 'quoted[][]', null, '' ), + "[match$='quoted!{}']" => array( "[match$='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'quoted!{}', null, '' ), + "[match*='quoted's]" => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_CONTAINS, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + + '[escape-nl="foo\\nbar"]' => array( "[escape-nl='foo\\\nbar']", 'escape-nl', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foobar', null, '' ), + '[escape-seq="\\31 23"]' => array( "[escape-seq='\\31 23']", 'escape-seq', WP_CSS_Attribute_Selector::MATCH_EXACT, '123', null, '' ), // Invalid - 'foo' => array( 'foo' ), - '[foo' => array( '[foo' ), - '[#foo]' => array( '[#foo]' ), - '[*|*]' => array( '[*|*]' ), - '[ns|*]' => array( '[ns|*]' ), - '[* |att]' => array( '[* |att]' ), - '[*| att]' => array( '[*| att]' ), - '[att * =]' => array( '[att * =]' ), - '[att * =]' => array( '[att * =]' ), - '[att i]' => array( '[att i]' ), - '[att s]' => array( '[att s]' ), - '[att="val" I]' => array( '[att="val" I]' ), - '[att="val" S]' => array( '[att="val" S]' ), + 'Invalid: foo' => array( 'foo' ), + 'Invalid: [foo' => array( '[foo' ), + 'Invalid: [#foo]' => array( '[#foo]' ), + 'Invalid: [*|*]' => array( '[*|*]' ), + 'Invalid: [ns|*]' => array( '[ns|*]' ), + 'Invalid: [* |att]' => array( '[* |att]' ), + 'Invalid: [*| att]' => array( '[*| att]' ), + 'Invalid: [att * =]' => array( '[att * =]' ), + 'Invalid: [att * =]' => array( '[att * =]' ), + 'Invalid: [att i]' => array( '[att i]' ), + 'Invalid: [att s]' => array( '[att s]' ), + 'Invalid: [att="val" I]' => array( '[att="val" I]' ), + 'Invalid: [att="val" S]' => array( '[att="val" S]' ), + "Invalid: [att='val\\n']" => array( "[att='val\n']" ), ); } } From b680b1b8e5f69bf17490934761899452fc935826 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 18:11:52 +0100 Subject: [PATCH 036/187] Implement parse_string --- .../html-api/class-wp-css-selectors.php | 84 ++++++++++++++++++- 1 file changed, 82 insertions(+), 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 5067d1c2b87e6..c1c3e35fc9ae1 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -212,9 +212,89 @@ protected static function parse_ident( string $input, int &$offset ): ?string { return $ident; } - // @todo stub + /** + * Parse a string token + * + * > 4.3.5. Consume a string token + * > This section describes how to consume a string token from a stream of code points. It returns either a or . + * > + * > This algorithm may be called with an ending code point, which denotes the code point that ends the string. If an ending code point is not specified, the current input code point is used. + * > + * > Initially create a with its value set to the empty string. + * > + * > Repeatedly consume the next input code point from the stream: + * > + * > ending code point + * > Return the . + * > EOF + * > This is a parse error. Return the . + * > newline + * > This is a parse error. Reconsume the current input code point, create a , and return it. + * > U+005C REVERSE SOLIDUS (\) + * > If the next input code point is EOF, do nothing. + * > Otherwise, if the next input code point is a newline, consume it. + * > Otherwise, (the stream starts with a valid escape) consume an escaped code point and append the returned code point to the ’s value. + * > + * > anything else + * > Append the current input code point to the ’s value. + * + * https://www.w3.org/TR/css-syntax-3/#consume-string-token + * + * This implementation will never return a because + * the is not a part of the selector grammar. That + * case is treated as failure to parse and null is returned. + */ protected static function parse_string( string $input, int &$offset ): ?string { - return null; + if ( $offset + 1 >= strlen( $input ) ) { + return null; + } + + $ending_code_point = $input[ $offset ]; + if ( '"' !== $ending_code_point && "'" !== $ending_code_point ) { + return null; + } + + $string_token = ''; + + $stop_characters = "\\\n{$ending_code_point}"; + + $updated_offset = $offset + 1; + while ( $updated_offset < strlen( $input ) ) { + switch ( $input[ $updated_offset ] ) { + case '\\': + if ( $updated_offset + 1 >= strlen( $input ) ) { + break; + } + ++$updated_offset; + if ( "\n" === $input[ $updated_offset ] ) { + ++$updated_offset; + break; + } else { + $string_token .= self::consume_escaped_codepoint( $input, $updated_offset ); + } + break; + + /* + * This case would return a . + * The is not a part of the selector grammar + * so we do not return it and instead treat this as a + * failure to parse a string token. + */ + case "\n": + return null; + + case $ending_code_point: + ++$updated_offset; + break 2; + + default: + $string_token .= $input[ $updated_offset ]; + ++$updated_offset; + } + } + + $offset = $updated_offset; + return $string_token; } /** From e7da05f238008dd987f176672565acfeacbd86b4 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 18:25:20 +0100 Subject: [PATCH 037/187] Add string parse tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 72 ++++++++++++++++++- 1 file changed, 70 insertions(+), 2 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 4557ee1a5b3c4..96f2fa96dcb7f 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -9,8 +9,6 @@ * @since TBD * * @group html-api - * - * @coversDefaultClass WP_CSS_Selectors */ class Tests_HtmlApi_WpCssSelectors extends WP_UnitTestCase { /** @@ -62,6 +60,9 @@ public static function data_idents(): array { /** * @ticket TBD + * + * @covers WP_CSS_Selector_Parser::is_ident_codepoint + * @covers WP_CSS_Selector_Parser::is_ident_start_codepoint */ public function test_is_ident_and_is_ident_start() { $c = new class() extends WP_CSS_Selector_Parser { @@ -86,6 +87,8 @@ public static function test_is_ident_start( string $input, int $offset ) { * @ticket TBD * * @dataProvider data_idents + * + * @covers WP_CSS_Selector_Parser::parse_ident */ public function test_parse_ident( string $input, ?string $expected = null, ?string $rest = null ) { $c = new class() extends WP_CSS_Selector_Parser { @@ -105,10 +108,69 @@ public static function test( string $input, &$offset ) { } } + /** + * @ticket TBD + * + * @dataProvider data_strings + * + * @covers WP_CSS_Selector_Parser::parse_string + */ + public function test_parse_string( string $input, ?string $expected = null, ?string $rest = null ) { + $c = new class() extends WP_CSS_Selector_Parser { + public static function parse( string $input, int &$offset ) {} + public static function test( string $input, &$offset ) { + return self::parse_string( $input, $offset ); + } + }; + + $offset = 0; + $result = $c::test( $input, $offset ); + if ( null === $expected ) { + $this->assertNull( $result ); + } else { + $this->assertSame( $expected, $result, 'String did not match.' ); + $this->assertSame( $rest, substr( $input, $offset ), 'Offset was not updated correctly.' ); + } + } + + /** + * Data provider. + * + * @return array + */ + public static function data_strings(): array { + return array( + '"foo"' => array( '"foo"', 'foo', '' ), + '"foo"after' => array( '"foo"after', 'foo', 'after' ), + '"foo""two"' => array( '"foo""two"', 'foo', '"two"' ), + '"foo"\'two\'' => array( '"foo"\'two\'', 'foo', "'two'" ), + + "'foo'" => array( "'foo'", 'foo', '' ), + "'foo'after" => array( "'foo'after", 'foo', 'after' ), + "'foo'\"two\"" => array( "'foo'\"two\"", 'foo', '"two"' ), + "'foo''two'" => array( "'foo''two'", 'foo', "'two'" ), + + "'foo\\nbar'" => array( "'foo\\\nbar'", 'foobar', '' ), + "'foo\\31 23'" => array( "'foo\\31 23'", 'foo123', '' ), + "'foo\\31\\n23'" => array( "'foo\\31\n23'", 'foo123', '' ), + "'foo\\31\\t23'" => array( "'foo\\31\t23'", 'foo123', '' ), + "'foo\\00003123'" => array( "'foo\\00003123'", 'foo123', '' ), + + // Invalid + "Invalid: 'newline\\n'" => array( "'newline\n'" ), + 'Invalid: foo' => array( 'foo' ), + 'Invalid: \\"' => array( '\\"' ), + 'Invalid: .foo' => array( '.foo' ), + 'Invalid: #foo' => array( '#foo' ), + ); + } + /** * @ticket TBD * * @dataProvider data_id_selectors + * + * @covers WP_CSS_ID_Selector::parse */ public function test_parse_id( string $input, ?string $expected = null, ?string $rest = null ) { $offset = 0; @@ -143,6 +205,8 @@ public static function data_id_selectors(): array { * @ticket TBD * * @dataProvider data_class_selectors + * + * @covers WP_CSS_Class_Selector::parse */ public function test_parse_class( string $input, ?string $expected = null, ?string $rest = null ) { $offset = 0; @@ -177,6 +241,8 @@ public static function data_class_selectors(): array { * @ticket TBD * * @dataProvider data_type_selectors + * + * @covers WP_CSS_Type_Selector::parse */ public function test_parse_type( string $input, ?string $expected = null, ?string $rest = null ) { $offset = 0; @@ -212,6 +278,8 @@ public static function data_type_selectors(): array { * @ticket TBD * * @dataProvider data_attribute_selectors + * + * @covers WP_CSS_Attribute_Selector::parse */ public function test_parse_attribute( string $input, From d5e7e6087aab9f58905aa3c5993a5357efe812e1 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 18:26:01 +0100 Subject: [PATCH 038/187] Remove covers annotations --- tests/phpunit/tests/html-api/wpCssSelectors.php | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 96f2fa96dcb7f..7c5cdca447bbe 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -60,9 +60,6 @@ public static function data_idents(): array { /** * @ticket TBD - * - * @covers WP_CSS_Selector_Parser::is_ident_codepoint - * @covers WP_CSS_Selector_Parser::is_ident_start_codepoint */ public function test_is_ident_and_is_ident_start() { $c = new class() extends WP_CSS_Selector_Parser { @@ -87,8 +84,6 @@ public static function test_is_ident_start( string $input, int $offset ) { * @ticket TBD * * @dataProvider data_idents - * - * @covers WP_CSS_Selector_Parser::parse_ident */ public function test_parse_ident( string $input, ?string $expected = null, ?string $rest = null ) { $c = new class() extends WP_CSS_Selector_Parser { @@ -112,8 +107,6 @@ public static function test( string $input, &$offset ) { * @ticket TBD * * @dataProvider data_strings - * - * @covers WP_CSS_Selector_Parser::parse_string */ public function test_parse_string( string $input, ?string $expected = null, ?string $rest = null ) { $c = new class() extends WP_CSS_Selector_Parser { @@ -169,8 +162,6 @@ public static function data_strings(): array { * @ticket TBD * * @dataProvider data_id_selectors - * - * @covers WP_CSS_ID_Selector::parse */ public function test_parse_id( string $input, ?string $expected = null, ?string $rest = null ) { $offset = 0; @@ -205,8 +196,6 @@ public static function data_id_selectors(): array { * @ticket TBD * * @dataProvider data_class_selectors - * - * @covers WP_CSS_Class_Selector::parse */ public function test_parse_class( string $input, ?string $expected = null, ?string $rest = null ) { $offset = 0; @@ -241,8 +230,6 @@ public static function data_class_selectors(): array { * @ticket TBD * * @dataProvider data_type_selectors - * - * @covers WP_CSS_Type_Selector::parse */ public function test_parse_type( string $input, ?string $expected = null, ?string $rest = null ) { $offset = 0; @@ -278,8 +265,6 @@ public static function data_type_selectors(): array { * @ticket TBD * * @dataProvider data_attribute_selectors - * - * @covers WP_CSS_Attribute_Selector::parse */ public function test_parse_attribute( string $input, From 08187c6858d95503d0e11eed6832045a68579f8a Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 18:32:55 +0100 Subject: [PATCH 039/187] Remove unused line --- src/wp-includes/html-api/class-wp-css-selectors.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index c1c3e35fc9ae1..3a4c0a7577679 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -256,8 +256,6 @@ protected static function parse_string( string $input, int &$offset ): ?string { $string_token = ''; - $stop_characters = "\\\n{$ending_code_point}"; - $updated_offset = $offset + 1; while ( $updated_offset < strlen( $input ) ) { switch ( $input[ $updated_offset ] ) { From 5a5066ce52335b330a57441b765ed9cc33184467 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 19:32:21 +0100 Subject: [PATCH 040/187] Improve tests for 100% coverage on parse methods --- .../phpunit/tests/html-api/wpCssSelectors.php | 75 +++++++++++-------- 1 file changed, 42 insertions(+), 33 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 7c5cdca447bbe..7b6e5ce79a365 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -49,12 +49,14 @@ public static function data_idents(): array { 'ident ends before ]' => array( 'ident]', 'ident', ']' ), // Invalid - 'bad start >' => array( '>ident' ), - 'bad start [' => array( '[ident' ), - 'bad start #' => array( '#ident' ), - 'bad start " "' => array( ' ident' ), - 'bad start 1' => array( '1ident' ), - 'bad start -1' => array( '-1ident' ), + 'Invalid: (empty string)' => array( '' ), + 'Invalid: bad start >' => array( '>ident' ), + 'Invalid: bad start [' => array( '[ident' ), + 'Invalid: bad start #' => array( '#ident' ), + 'Invalid: bad start " "' => array( ' ident' ), + 'Invalid: bad start 1' => array( '1ident' ), + 'Invalid: bad start -1' => array( '-1ident' ), + 'Invalid: bad start -' => array( '-' ), ); } @@ -133,28 +135,31 @@ public static function test( string $input, &$offset ) { */ public static function data_strings(): array { return array( - '"foo"' => array( '"foo"', 'foo', '' ), - '"foo"after' => array( '"foo"after', 'foo', 'after' ), - '"foo""two"' => array( '"foo""two"', 'foo', '"two"' ), - '"foo"\'two\'' => array( '"foo"\'two\'', 'foo', "'two'" ), + '"foo"' => array( '"foo"', 'foo', '' ), + '"foo"after' => array( '"foo"after', 'foo', 'after' ), + '"foo""two"' => array( '"foo""two"', 'foo', '"two"' ), + '"foo"\'two\'' => array( '"foo"\'two\'', 'foo', "'two'" ), - "'foo'" => array( "'foo'", 'foo', '' ), - "'foo'after" => array( "'foo'after", 'foo', 'after' ), - "'foo'\"two\"" => array( "'foo'\"two\"", 'foo', '"two"' ), - "'foo''two'" => array( "'foo''two'", 'foo', "'two'" ), + "'foo'" => array( "'foo'", 'foo', '' ), + "'foo'after" => array( "'foo'after", 'foo', 'after' ), + "'foo'\"two\"" => array( "'foo'\"two\"", 'foo', '"two"' ), + "'foo''two'" => array( "'foo''two'", 'foo', "'two'" ), - "'foo\\nbar'" => array( "'foo\\\nbar'", 'foobar', '' ), - "'foo\\31 23'" => array( "'foo\\31 23'", 'foo123', '' ), - "'foo\\31\\n23'" => array( "'foo\\31\n23'", 'foo123', '' ), - "'foo\\31\\t23'" => array( "'foo\\31\t23'", 'foo123', '' ), - "'foo\\00003123'" => array( "'foo\\00003123'", 'foo123', '' ), + "'foo\\nbar'" => array( "'foo\\\nbar'", 'foobar', '' ), + "'foo\\31 23'" => array( "'foo\\31 23'", 'foo123', '' ), + "'foo\\31\\n23'" => array( "'foo\\31\n23'", 'foo123', '' ), + "'foo\\31\\t23'" => array( "'foo\\31\t23'", 'foo123', '' ), + "'foo\\00003123'" => array( "'foo\\00003123'", 'foo123', '' ), + + "'foo\\" => array( "'foo\\", 'foo', '' ), // Invalid - "Invalid: 'newline\\n'" => array( "'newline\n'" ), - 'Invalid: foo' => array( 'foo' ), - 'Invalid: \\"' => array( '\\"' ), - 'Invalid: .foo' => array( '.foo' ), - 'Invalid: #foo' => array( '#foo' ), + 'Invalid: (empty string)' => array( '' ), + "Invalid: 'newline\\n'" => array( "'newline\n'" ), + 'Invalid: foo' => array( 'foo' ), + 'Invalid: \\"' => array( '\\"' ), + 'Invalid: .foo' => array( '.foo' ), + 'Invalid: #foo' => array( '#foo' ), ); } @@ -249,15 +254,16 @@ public function test_parse_type( string $input, ?string $expected = null, ?strin */ public static function data_type_selectors(): array { return array( - 'any *' => array( '* .class', '*', ' .class' ), - 'a' => array( 'a', 'a', '' ), - 'div.class' => array( 'div.class', 'div', '.class' ), - 'custom-type#id' => array( 'custom-type#id', 'custom-type', '#id' ), + 'any *' => array( '* .class', '*', ' .class' ), + 'a' => array( 'a', 'a', '' ), + 'div.class' => array( 'div.class', 'div', '.class' ), + 'custom-type#id' => array( 'custom-type#id', 'custom-type', '#id' ), - // invalid - '#id' => array( '#id' ), - '.class' => array( '.class' ), - '[attr]' => array( '[attr]' ), + // Invalid + 'Invalid: (empty string)' => array( '' ), + 'Invalid: #id' => array( '#id' ), + 'Invalid: .class' => array( '.class' ), + 'Invalid: [attr]' => array( '[attr]' ), ); } @@ -313,6 +319,7 @@ public static function data_attribute_selectors(): array { '[escape-seq="\\31 23"]' => array( "[escape-seq='\\31 23']", 'escape-seq', WP_CSS_Attribute_Selector::MATCH_EXACT, '123', null, '' ), // Invalid + 'Invalid: (empty string)' => array( '' ), 'Invalid: foo' => array( 'foo' ), 'Invalid: [foo' => array( '[foo' ), 'Invalid: [#foo]' => array( '[#foo]' ), @@ -321,12 +328,14 @@ public static function data_attribute_selectors(): array { 'Invalid: [* |att]' => array( '[* |att]' ), 'Invalid: [*| att]' => array( '[*| att]' ), 'Invalid: [att * =]' => array( '[att * =]' ), - 'Invalid: [att * =]' => array( '[att * =]' ), + 'Invalid: [att+=val]' => array( '[att+=val]' ), + 'Invalid: [att=val ' => array( '[att=val ' ), 'Invalid: [att i]' => array( '[att i]' ), 'Invalid: [att s]' => array( '[att s]' ), 'Invalid: [att="val" I]' => array( '[att="val" I]' ), 'Invalid: [att="val" S]' => array( '[att="val" S]' ), "Invalid: [att='val\\n']" => array( "[att='val\n']" ), + 'Invalid: [att=val i ' => array( '[att=val i ' ), ); } } From 2f8bd19efec5fb4f5f6cabd51d7173642d79af34 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 19:33:01 +0100 Subject: [PATCH 041/187] Improve documentation --- .../html-api/class-wp-css-selectors.php | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 3a4c0a7577679..669c74c1b676d 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -260,10 +260,10 @@ protected static function parse_string( string $input, int &$offset ): ?string { while ( $updated_offset < strlen( $input ) ) { switch ( $input[ $updated_offset ] ) { case '\\': - if ( $updated_offset + 1 >= strlen( $input ) ) { + ++$updated_offset; + if ( $updated_offset >= strlen( $input ) ) { break; } - ++$updated_offset; if ( "\n" === $input[ $updated_offset ] ) { ++$updated_offset; break; @@ -386,6 +386,11 @@ protected static function next_two_are_valid_escape( string $input, int $offset } /** + * Check if the next code point is an "ident start code point". + * + * Caution! This method does not do any bounds checking, it should not be passed + * a string with an offset that is out of bounds. + * * > ident-start code point * > A letter, a non-ASCII code point, or U+005F LOW LINE (_). * > uppercase letter @@ -396,12 +401,10 @@ protected static function next_two_are_valid_escape( string $input, int $offset * > An uppercase letter or a lowercase letter. * > non-ASCII code point * > A code point with a value equal to or greater than U+0080 . + * + * https://www.w3.org/TR/css-syntax-3/#ident-start-code-point */ protected static function is_ident_start_codepoint( string $input, int $offset ): bool { - if ( $offset >= strlen( $input ) ) { - return false; - } - return ( '_' === $input[ $offset ] || ( 'a' <= $input[ $offset ] && $input[ $offset ] <= 'z' ) || @@ -411,10 +414,17 @@ protected static function is_ident_start_codepoint( string $input, int $offset ) } /** + * Check if the next code point is an "ident code point". + * + * Caution! This method does not do any bounds checking, it should not be passed + * a string with an offset that is out of bounds. + * * > ident code point * > An ident-start code point, a digit, or U+002D HYPHEN-MINUS (-). * > digit * > A code point between U+0030 DIGIT ZERO (0) and U+0039 DIGIT NINE (9) inclusive. + * + * https://www.w3.org/TR/css-syntax-3/#ident-code-point */ protected static function is_ident_codepoint( string $input, int $offset ): bool { return '-' === $input[ $offset ] || From 8b0ac551e7694d3de921d84e60afe372583558b8 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 26 Nov 2024 19:37:26 +0100 Subject: [PATCH 042/187] Fix parse return type and return annotations --- .../html-api/class-wp-css-selectors.php | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 669c74c1b676d..6a80ca2e42b7c 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -186,6 +186,8 @@ protected static function parse_hash_token( string $input, int &$offset ): ?stri * > Reconsume the current input code point. Return result. * * https://www.w3.org/TR/css-syntax-3/#consume-name + * + * @return string|null */ protected static function parse_ident( string $input, int &$offset ): ?string { if ( ! self::check_if_three_code_points_would_start_an_ident_sequence( $input, $offset ) ) { @@ -243,6 +245,8 @@ protected static function parse_ident( string $input, int &$offset ): ?string { * This implementation will never return a because * the is not a part of the selector grammar. That * case is treated as failure to parse and null is returned. + * + * @return string|null */ protected static function parse_string( string $input, int &$offset ): ?string { if ( $offset + 1 >= strlen( $input ) ) { @@ -509,6 +513,8 @@ private function __construct( string $ident ) { * > = * * https://www.w3.org/TR/selectors/#grammar + * + * @return self|null */ public static function parse( string $input, int &$offset ): ?self { $ident = self::parse_hash_token( $input, $offset ); @@ -533,6 +539,8 @@ private function __construct( string $ident ) { * > = '.' * * https://www.w3.org/TR/selectors/#grammar + * + * @return self|null */ public static function parse( string $input, int &$offset ): ?self { if ( $offset + 1 >= strlen( $input ) || '.' !== $input[ $offset ] ) { @@ -574,10 +582,12 @@ private function __construct( string $ident ) { * so this selector effectively matches * or ident. * * https://www.w3.org/TR/selectors/#grammar + * + * @return self|null */ public static function parse( string $input, int &$offset ): ?self { if ( $offset >= strlen( $input ) ) { - return false; + return null; } if ( '*' === $input[ $offset ] ) { @@ -697,11 +707,13 @@ private function __construct( string $name, ?string $matcher = null, ?string $va * Namespaces are not supported, so attribute names are effectively identifiers. * * https://www.w3.org/TR/selectors/#grammar + * + * @return self|null */ public static function parse( string $input, int &$offset ): ?self { // Need at least 3 bytes [x] if ( $offset + 2 >= strlen( $input ) ) { - return false; + return null; } $updated_offset = $offset; From dffcac6ed016f727aaacfb192f151f5c3cb3c67f Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 27 Nov 2024 17:07:48 +0100 Subject: [PATCH 043/187] Update documentation links and grammar --- .../html-api/class-wp-css-selectors.php | 32 ++++++++++++++++--- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 6a80ca2e42b7c..264f684692f17 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -19,7 +19,29 @@ * is invalid or unsupported. * * A subset of the CSS selector grammar is supported. The grammar is defined in the CSS Syntax - * specification, which is available at https://www.w3.org/TR/css-syntax-3/. + * specification, which is available at {@link https://www.w3.org/TR/selectors/#grammar}. + * + * @todo Review this grammar, especially the complex selector for accurate support information. + * The supported grammar is: + * + * = + * = # + * = # + * = # + * = [ ? ]* + * = [ ? * ]! + * = | + * = '>' | '+' | '~' | [ '|' '|' ] + * = | '*' + * = | | + * = + * = '.' + * = '[' ']' | + * '[' [ | ] ? ']' + * = [ '~' | '|' | '^' | '$' | '*' ]? '=' + * = i | s + * + * @link https://www.w3.org/TR/selectors/#grammar Refer to the grammar for more details. * * Supported selector syntax: * - Type selectors (tag names, e.g. `div`) @@ -43,10 +65,10 @@ * * @access private * - * @see https://www.w3.org/TR/css-syntax-3/#consume-a-token - * @see https://www.w3.org/tr/selectors/#parse-selector - * @see https://www.w3.org/TR/selectors-api2/ - * @see https://www.w3.org/TR/selectors-4/ + * @see {@link https://www.w3.org/TR/css-syntax-3/} + * @see {@link https://www.w3.org/tr/selectors/} + * @see {@link https://www.w3.org/TR/selectors-api2/} + * @see {@link https://www.w3.org/TR/selectors-4/} * */ class WP_CSS_Selectors { From 9f81744aa7bc68fda9269d48251fa13fb2223519 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 27 Nov 2024 20:29:56 +0100 Subject: [PATCH 044/187] Update documentation and class name --- src/wp-includes/html-api/class-wp-css-selectors.php | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 264f684692f17..d9bbc4b9235c8 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -14,7 +14,7 @@ * * This class is designed for internal use by the HTML processor. * - * This class is instantiated via the `WP_CSS_Selector::from_selector( string $selector )` method. + * This class is instantiated via the `WP_CSS_Selector_List::from_selector( string $selector )` method. * It accepts a CSS selector string and returns an instance of itself or `null` if the selector * is invalid or unsupported. * @@ -27,10 +27,8 @@ * = * = # * = # - * = # * = [ ? ]* * = [ ? * ]! - * = | * = '>' | '+' | '~' | [ '|' '|' ] * = | '*' * = | | @@ -71,7 +69,7 @@ * @see {@link https://www.w3.org/TR/selectors-4/} * */ -class WP_CSS_Selectors { +class WP_CSS_Selector_List { private $selectors; private function __construct( array $selectors ) { @@ -131,7 +129,7 @@ private static function parse( string $input ) { } } if ( count( $selectors ) ) { - return new WP_CSS_Selectors( $selectors ); + return new WP_CSS_Selector_List( $selectors ); } return null; } From d4c6f382dc246e151dc688a70daf88ad8a9f7916 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 27 Nov 2024 20:30:12 +0100 Subject: [PATCH 045/187] Add selector class --- .../html-api/class-wp-css-selectors.php | 64 +++++++++++++++++++ .../phpunit/tests/html-api/wpCssSelectors.php | 18 ++++++ 2 files changed, 82 insertions(+) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index d9bbc4b9235c8..8d8ec35de98b6 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -838,3 +838,67 @@ public static function parse( string $input, int &$offset ): ?self { return null; } } + +/** + * This corresponds to in the grammar. + */ +final class WP_CSS_Selector extends WP_CSS_Selector_Parser { + + /** @var WP_CSS_Type_Selector|null */ + public $type_selector; + + /** @var array|null */ + public $subclass_selectors; + + private function __construct( ?WP_CSS_Type_Selector $type_selector, array $subclass_selectors ) { + $this->type_selector = $type_selector; + $this->subclass_selectors = array() === $subclass_selectors ? null : $subclass_selectors; + } + + /** + * Parses a selector string into a `WP_CSS_Selector` object. + * + * > = [ ? * ]! + * + * @param string $input The selector string to parse. + * @return WP_CSS_Selector|null The parsed selector, or `null` if the selector is invalid or unsupported. + */ + public static function parse( string $input, int &$offset ): ?self { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $updated_offset = $offset; + $type_selector = WP_CSS_Type_Selector::parse( $input, $updated_offset ); + + $subclass_selectors = array(); + $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); + while ( null !== $last_parsed_subclass_selector ) { + $subclass_selectors[] = $last_parsed_subclass_selector; + $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); + } + + if ( null !== $type_selector || array() !== $subclass_selectors ) { + $offset = $updated_offset; + return new self( $type_selector, $subclass_selectors ); + } + } + + /** + * @return WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector|null + */ + private static function parse_subclass_selector( string $input, int &$offset ) { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $next_char = $input[ $offset ]; + return '.' === $next_char ? + WP_CSS_Class_Selector::parse( $input, $offset ) : ( + '#' === $next_char ? + WP_CSS_ID_Selector::parse( $input, $offset ) : ( + '[' === $next_char ? + WP_CSS_Attribute_Selector::parse( $input, $offset ) : + null ) ); + } +} diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 7b6e5ce79a365..180bee4f53c05 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -338,4 +338,22 @@ public static function data_attribute_selectors(): array { 'Invalid: [att=val i ' => array( '[att=val i ' ), ); } + + /** + * @ticket TBD + */ + public function test_parse_selector() { + $input = 'el.foo#bar[baz=quux] > .child'; + $offset = 0; + $sel = WP_CSS_Selector::parse( $input, $offset ); + + $this->assertSame( $sel->type_selector->ident, 'el' ); + $this->assertSame( count( $sel->subclass_selectors ), 3 ); + $this->assertSame( $sel->subclass_selectors[0]->ident, 'foo' ); + $this->assertSame( $sel->subclass_selectors[1]->ident, 'bar' ); + $this->assertSame( $sel->subclass_selectors[2]->name, 'baz' ); + $this->assertSame( $sel->subclass_selectors[2]->matcher, WP_CSS_Attribute_Selector::MATCH_EXACT ); + $this->assertSame( $sel->subclass_selectors[2]->value, 'quux' ); + $this->assertSame( ' > .child', substr( $input, $offset ) ); + } } From 6432056bd38a8aebb94c51b6bfe6ac87353181c7 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 27 Nov 2024 21:01:43 +0100 Subject: [PATCH 046/187] Implement complex selector --- .../html-api/class-wp-css-selectors.php | 87 +++++++++++++++++-- .../phpunit/tests/html-api/wpCssSelectors.php | 34 ++++++-- 2 files changed, 106 insertions(+), 15 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 8d8ec35de98b6..8ccec5de029cc 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -123,9 +123,9 @@ private static function parse( string $input ) { $offset = 0; while ( $offset < $length ) { - $sel = WP_CSS_ID_Selector::parse( $input, $offset ); - if ( $sel ) { - $selectors[] = $sel; + $selector = WP_CSS_ID_Selector::parse( $input, $offset ); + if ( null !== $selector ) { + $selectors[] = $selector; } } if ( count( $selectors ) ) { @@ -841,6 +841,8 @@ public static function parse( string $input, int &$offset ): ?self { /** * This corresponds to in the grammar. + * + * > = [ ? * ]! */ final class WP_CSS_Selector extends WP_CSS_Selector_Parser { @@ -856,12 +858,7 @@ private function __construct( ?WP_CSS_Type_Selector $type_selector, array $subcl } /** - * Parses a selector string into a `WP_CSS_Selector` object. - * * > = [ ? * ]! - * - * @param string $input The selector string to parse. - * @return WP_CSS_Selector|null The parsed selector, or `null` if the selector is invalid or unsupported. */ public static function parse( string $input, int &$offset ): ?self { if ( $offset >= strlen( $input ) ) { @@ -882,6 +879,7 @@ public static function parse( string $input, int &$offset ): ?self { $offset = $updated_offset; return new self( $type_selector, $subclass_selectors ); } + return null; } /** @@ -902,3 +900,76 @@ private static function parse_subclass_selector( string $input, int &$offset ) { null ) ); } } + + +/** + * This corresponds to in the grammar. + * + * > = [ ? ]* + */ +final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser { + const COMBINATOR_CHILD = '>'; + const COMBINATOR_DESCENDANT = ' '; + const COMBINATOR_NEXT_SIBLING = '+'; + const COMBINATOR_SUBSEQUENT_SIBLING = '~'; + + /** + * even indexes are WP_CSS_Selector, odd indexes are string combinators. + * @var array + */ + public $selectors = array(); + + private function __construct( array $selectors ) { + $this->selectors = $selectors; + } + + public static function parse( string $input, int &$offset ): ?self { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $updated_offset = $offset; + $selector = WP_CSS_Selector::parse( $input, $updated_offset ); + if ( null === $selector ) { + return null; + } + + $selectors = array( $selector ); + + $found_whitespace = self::parse_whitespace( $input, $updated_offset ); + while ( $updated_offset < strlen( $input ) ) { + switch ( $input[ $updated_offset ] ) { + case self::COMBINATOR_CHILD: + case self::COMBINATOR_NEXT_SIBLING: + case self::COMBINATOR_SUBSEQUENT_SIBLING: + $combinator = $input[ $updated_offset ]; + ++$updated_offset; + self::parse_whitespace( $input, $updated_offset ); + break; + + default: + /* + * Whitespace is a descendant combinator. + * Either whitespace was found and we're on a selector, + * or we've failed to find any combinator and parsing is complete. + */ + if ( ! $found_whitespace ) { + break 2; + } + $combinator = self::COMBINATOR_DESCENDANT; + break; + } + // Here we've found a combinator and need another selector. + $selector = WP_CSS_Selector::parse( $input, $updated_offset ); + // Failure to find a selector is a parse error. + if ( null === $selector ) { + return null; + } + $selectors[] = $combinator; + $selectors[] = $selector; + $found_whitespace = self::parse_whitespace( $input, $updated_offset ); + } + $offset = $updated_offset; + return new self( $selectors ); + } +} diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 180bee4f53c05..4189ec586011a 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -347,13 +347,33 @@ public function test_parse_selector() { $offset = 0; $sel = WP_CSS_Selector::parse( $input, $offset ); - $this->assertSame( $sel->type_selector->ident, 'el' ); - $this->assertSame( count( $sel->subclass_selectors ), 3 ); - $this->assertSame( $sel->subclass_selectors[0]->ident, 'foo' ); - $this->assertSame( $sel->subclass_selectors[1]->ident, 'bar' ); - $this->assertSame( $sel->subclass_selectors[2]->name, 'baz' ); - $this->assertSame( $sel->subclass_selectors[2]->matcher, WP_CSS_Attribute_Selector::MATCH_EXACT ); - $this->assertSame( $sel->subclass_selectors[2]->value, 'quux' ); + $this->assertSame( 'el', $sel->type_selector->ident ); + $this->assertSame( 3, count( $sel->subclass_selectors ) ); + $this->assertSame( 'foo', $sel->subclass_selectors[0]->ident, 'foo' ); + $this->assertSame( 'bar', $sel->subclass_selectors[1]->ident, 'bar' ); + $this->assertSame( 'baz', $sel->subclass_selectors[2]->name, 'baz' ); + $this->assertSame( WP_CSS_Attribute_Selector::MATCH_EXACT, $sel->subclass_selectors[2]->matcher ); + $this->assertSame( 'quux', $sel->subclass_selectors[2]->value ); $this->assertSame( ' > .child', substr( $input, $offset ) ); } + + /** + * @ticket TBD + */ + public function test_parse_complex_selector() { + $input = 'el.foo#bar[baz=quux] > .child, rest'; + $offset = 0; + $sel = WP_CSS_Complex_Selector::parse( $input, $offset ); + + var_dump( $sel ); + $this->assertSame( 3, count( $sel->selectors ) ); + $this->assertNotNull( $sel->selectors[0]->type_selector ); + $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); + $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->selectors[1] ); + $this->assertNull( $sel->selectors[2]->type_selector ); + $this->assertSame( 1, count( $sel->selectors[2]->subclass_selectors ) ); + $this->assertSame( 'child', $sel->selectors[2]->subclass_selectors[0]->ident ); + + $this->assertSame( ', rest', substr( $input, $offset ) ); + } } From 5c746cd58b3e1178e9579e11b71974a5be652ac2 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 27 Nov 2024 22:39:22 +0100 Subject: [PATCH 047/187] Working and tested --- .../html-api/class-wp-css-selectors.php | 83 +++++++++++-------- .../phpunit/tests/html-api/wpCssSelectors.php | 67 ++++++++++++++- 2 files changed, 113 insertions(+), 37 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 8ccec5de029cc..734c3e38d094b 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -117,21 +117,31 @@ private static function parse( string $input ) { $input = str_replace( array( "\r", "\f" ), "\n", $input ); $input = str_replace( "\0", "\u{FFFD}", $input ); - $length = strlen( $input ); - $selectors = array(); - $offset = 0; - while ( $offset < $length ) { - $selector = WP_CSS_ID_Selector::parse( $input, $offset ); - if ( null !== $selector ) { - $selectors[] = $selector; - } + $selector = WP_CSS_Complex_Selector::parse( $input, $offset ); + if ( null === $selector ) { + return null; } - if ( count( $selectors ) ) { - return new WP_CSS_Selector_List( $selectors ); + WP_CSS_Selector_Parser::parse_whitespace( $input, $offset ); + + $selectors = array( $selector ); + while ( $offset < strlen( $input ) ) { + // Each loop should stop on a `,` selector list delimiter. + if ( ',' !== $input[ $offset ] ) { + return null; + } + ++$offset; + WP_CSS_Selector_Parser::parse_whitespace( $input, $offset ); + $selector = WP_CSS_Complex_Selector::parse( $input, $offset ); + if ( null === $selector ) { + return null; + } + $selectors[] = $selector; + WP_CSS_Selector_Parser::parse_whitespace( $input, $offset ); } - return null; + + return new WP_CSS_Selector_List( $selectors ); } } @@ -145,7 +155,7 @@ public static function parse( string $input, int &$offset ); abstract class WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser { const UTF8_MAX_CODEPOINT_VALUE = 0x10FFFF; - protected static function parse_whitespace( string $input, int &$offset ): bool { + public static function parse_whitespace( string $input, int &$offset ): bool { $length = strspn( $input, " \t\r\n\f", $offset ); $advanced = $length > 0; $offset += $length; @@ -938,35 +948,38 @@ public static function parse( string $input, int &$offset ): ?self { $found_whitespace = self::parse_whitespace( $input, $updated_offset ); while ( $updated_offset < strlen( $input ) ) { - switch ( $input[ $updated_offset ] ) { - case self::COMBINATOR_CHILD: - case self::COMBINATOR_NEXT_SIBLING: - case self::COMBINATOR_SUBSEQUENT_SIBLING: + if ( + self::COMBINATOR_CHILD === $input[ $updated_offset ] || + self::COMBINATOR_NEXT_SIBLING === $input[ $updated_offset ] || + self::COMBINATOR_SUBSEQUENT_SIBLING === $input[ $updated_offset ] + ) { $combinator = $input[ $updated_offset ]; ++$updated_offset; self::parse_whitespace( $input, $updated_offset ); - break; - default: - /* - * Whitespace is a descendant combinator. - * Either whitespace was found and we're on a selector, - * or we've failed to find any combinator and parsing is complete. - */ - if ( ! $found_whitespace ) { - break 2; - } - $combinator = self::COMBINATOR_DESCENDANT; + // Failure to find a selector here is a parse error + $selector = WP_CSS_Selector::parse( $input, $updated_offset ); + // Failure to find a selector is a parse error. + if ( null === $selector ) { + return null; + } + $selectors[] = $combinator; + $selectors[] = $selector; + } elseif ( ! $found_whitespace ) { + break; + } else { + + /* + * Whitespace is ambiguous, it could be a descendant combinator or + * insignificant whitespace. + */ + $selector = WP_CSS_Selector::parse( $input, $updated_offset ); + if ( null === $selector ) { break; + } + $selectors[] = self::COMBINATOR_DESCENDANT; + $selectors[] = $selector; } - // Here we've found a combinator and need another selector. - $selector = WP_CSS_Selector::parse( $input, $updated_offset ); - // Failure to find a selector is a parse error. - if ( null === $selector ) { - return null; - } - $selectors[] = $combinator; - $selectors[] = $selector; $found_whitespace = self::parse_whitespace( $input, $updated_offset ); } $offset = $updated_offset; diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 4189ec586011a..33ada4ccbe3f9 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -357,15 +357,24 @@ public function test_parse_selector() { $this->assertSame( ' > .child', substr( $input, $offset ) ); } + /** + * @ticket TBD + */ + public function test_parse_empty_selector() { + $input = ''; + $offset = 0; + $result = WP_CSS_Selector::parse( $input, $offset ); + $this->assertNull( $result ); + } + /** * @ticket TBD */ public function test_parse_complex_selector() { - $input = 'el.foo#bar[baz=quux] > .child, rest'; + $input = 'el.foo#bar[baz=quux] > .child , rest'; $offset = 0; $sel = WP_CSS_Complex_Selector::parse( $input, $offset ); - var_dump( $sel ); $this->assertSame( 3, count( $sel->selectors ) ); $this->assertNotNull( $sel->selectors[0]->type_selector ); $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); @@ -376,4 +385,58 @@ public function test_parse_complex_selector() { $this->assertSame( ', rest', substr( $input, $offset ) ); } + + /** + * @ticket TBD + */ + public function test_parse_invalid_complex_selector() { + $input = 'el.foo#bar[baz=quux] > , rest'; + $offset = 0; + $result = WP_CSS_Complex_Selector::parse( $input, $offset ); + $this->assertNull( $result ); + } + + public function test_parse_empty_complex_selector() { + $input = ''; + $offset = 0; + $result = WP_CSS_Complex_Selector::parse( $input, $offset ); + $this->assertNull( $result ); + } + + + /** + * @ticket TBD + */ + public function test_parse_selector_list() { + $input = 'el.foo#bar[baz=quux] .descendent , rest'; + $result = WP_CSS_Selector_List::from_selectors( $input ); + $this->assertNotNull( $result ); + } + + /** + * @ticket TBD + */ + public function test_parse_invalid_selector_list() { + $input = 'el,,'; + $result = WP_CSS_Selector_List::from_selectors( $input ); + $this->assertNull( $result ); + } + + /** + * @ticket TBD + */ + public function test_parse_invalid_selector_list2() { + $input = 'el!'; + $result = WP_CSS_Selector_List::from_selectors( $input ); + $this->assertNull( $result ); + } + + /** + * @ticket TBD + */ + public function test_parse_empty_selector_list() { + $input = " \t \t\n\r\f"; + $result = WP_CSS_Selector_List::from_selectors( $input ); + $this->assertNull( $result ); + } } From 501102a87bb3f38bc2781c22b6de9a59d640bf62 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 18:30:47 +0100 Subject: [PATCH 048/187] Selector parsing should allow cap I,S modifier --- src/wp-includes/html-api/class-wp-css-selectors.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 734c3e38d094b..6e382f8f8b744 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -823,11 +823,13 @@ public static function parse( string $input, int &$offset ): ?self { $attr_modifier = null; switch ( $input[ $updated_offset ] ) { case 'i': + case 'I': $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE; ++$updated_offset; break; case 's': + case 'S': $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE; ++$updated_offset; break; From f98fbb39c71333b22e3c7f97c380c7ce81c56097 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 19:08:17 +0100 Subject: [PATCH 049/187] CSS Add matches to selector classes --- .../html-api/class-wp-css-selectors.php | 120 +++++++++++++++++- 1 file changed, 116 insertions(+), 4 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 6e382f8f8b744..d9c507bb5f557 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -69,7 +69,20 @@ * @see {@link https://www.w3.org/TR/selectors-4/} * */ -class WP_CSS_Selector_List { +class WP_CSS_Selector_List implements IWP_CSS_Selector_Matcher { + public function matches( WP_HTML_Processor $processor ): bool { + if ( $processor->get_token_type() !== '#tag' ) { + return false; + } + + foreach ( $this->selectors as $selector ) { + if ( ! $selector->matches( $processor ) ) { + return false; + } + } + return true; + } + private $selectors; private function __construct( array $selectors ) { @@ -145,6 +158,13 @@ private static function parse( string $input ) { } } +interface IWP_CSS_Selector_Matcher { + /** + * @return bool + */ + public function matches( WP_HTML_Processor $processor ): bool; +} + interface IWP_CSS_Selector_Parser { /** * @return static|null @@ -152,7 +172,7 @@ interface IWP_CSS_Selector_Parser { public static function parse( string $input, int &$offset ); } -abstract class WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser { +abstract class WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { const UTF8_MAX_CODEPOINT_VALUE = 0x10FFFF; public static function parse_whitespace( string $input, int &$offset ): bool { @@ -553,9 +573,18 @@ public static function parse( string $input, int &$offset ): ?self { } return new self( $ident ); } + + public function matches( WP_HTML_Processor $processor ): bool { + // @todo check case sensitivity. + return $processor->get_attribute( 'id' ) === $this->ident; + } } final class WP_CSS_Class_Selector extends WP_CSS_Selector_Parser { + public function matches( WP_HTML_Processor $processor ): bool { + return $processor->has_class( $this->ident ); + } + /** @var string */ public $ident; @@ -590,6 +619,13 @@ public static function parse( string $input, int &$offset ): ?self { } final class WP_CSS_Type_Selector extends WP_CSS_Selector_Parser { + public function matches( WP_HTML_Processor $processor ): bool { + if ( '*' === $this->ident ) { + return true; + } + return 0 === strcasecmp( $processor->get_tag(), $this->ident ); + } + /** * @var string * @@ -635,9 +671,64 @@ public static function parse( string $input, int &$offset ): ?self { } final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser { + public function matches( WP_HTML_Processor $processor ): bool { + $att_value = $processor->get_attribute( $this->name ); + if ( null === $att_value ) { + return false; + } + + if ( null === $this->value ) { + return true; + } + + $case_insensitive = self::MODIFIER_CASE_INSENSITIVE === $this->modifier; + + switch ( $this->matcher ) { + case self::MATCH_EXACT: + return $case_insensitive ? + 0 === strcasecmp( $att_value, $this->value ) : + $att_value === $this->value; + + case self::MATCH_ONE_OF_EXACT: + // @todo + throw new Exception( 'One of attribute matching is not supported yet.' ); + + case self::MATCH_EXACT_OR_EXACT_WITH_HYPHEN: + // Attempt the full match first + if ( + $case_insensitive ? + 0 === strcasecmp( $att_value, $this->value ) : + $att_value === $this->value + ) { + return true; + } + + // Partial match + if ( strlen( $att_value ) < strlen( $this->value ) + 1 ) { + return false; + } + + $starts_with = "{$this->value}-"; + return 0 === substr_compare( $att_value, $starts_with, 0, strlen( $starts_with ), $case_insensitive ); + + case self::MATCH_PREFIXED_BY: + return 0 === substr_compare( $att_value, $this->value, 0, strlen( $this->value ), $case_insensitive ); + + case self::MATCH_SUFFIXED_BY: + return 0 === substr_compare( $att_value, $this->value, -strlen( $this->value ), null, $case_insensitive ); + + case self::MATCH_CONTAINS: + return false !== ( + $case_insensitive ? + stripos( $att_value, $this->value ) : + strpos( $att_value, $this->value ) + ); + } + } + /** - * [attr=value] - * Represents elements with an attribute name of attr whose value is exactly value. + * [att=val] + * Represents an element with the att attribute whose value is exactly "val". */ const MATCH_EXACT = 'MATCH_EXACT'; @@ -857,6 +948,19 @@ public static function parse( string $input, int &$offset ): ?self { * > = [ ? * ]! */ final class WP_CSS_Selector extends WP_CSS_Selector_Parser { + public function matches( WP_HTML_Processor $processor ): bool { + if ( $this->type_selector ) { + if ( ! $this->type_selector->matches( $processor ) ) { + return false; + } + } + foreach ( $this->subclass_selectors as $subclass_selector ) { + if ( ! $subclass_selector->matches( $processor ) ) { + return false; + } + } + return true; + } /** @var WP_CSS_Type_Selector|null */ public $type_selector; @@ -920,6 +1024,14 @@ private static function parse_subclass_selector( string $input, int &$offset ) { * > = [ ? ]* */ final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser { + public function matches( WP_HTML_Processor $processor ): bool { + // @todo this can throw on parse. + if ( count( $this->selectors ) > 1 ) { + throw new Exception( 'Combined complex selectors are not supported yet.' ); + } + return $this->selectors[0]->matches( $processor ); + } + const COMBINATOR_CHILD = '>'; const COMBINATOR_DESCENDANT = ' '; const COMBINATOR_NEXT_SIBLING = '+'; From c8f16e19f30ec4b4ad0cfbaac849b33e811229e3 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 19:40:55 +0100 Subject: [PATCH 050/187] Match is successful on _any_ match in selector list --- src/wp-includes/html-api/class-wp-css-selectors.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index d9c507bb5f557..1a50defba8ea3 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -76,11 +76,11 @@ public function matches( WP_HTML_Processor $processor ): bool { } foreach ( $this->selectors as $selector ) { - if ( ! $selector->matches( $processor ) ) { - return false; + if ( $selector->matches( $processor ) ) { + return true; } } - return true; + return false; } private $selectors; From c689c9c50fb6827dd330df1707844410479b4234 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 19:41:55 +0100 Subject: [PATCH 051/187] PICKME: Add is_quirks_mode method to processor --- src/wp-includes/html-api/class-wp-html-tag-processor.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php index 39390621e86a6..7dadbc1bebdb2 100644 --- a/src/wp-includes/html-api/class-wp-html-tag-processor.php +++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php @@ -537,6 +537,10 @@ class WP_HTML_Tag_Processor { */ protected $compat_mode = self::NO_QUIRKS_MODE; + public function is_quirks_mode() { + return self::QUIRKS_MODE === $this->compat_mode; + } + /** * Indicates whether the parser is inside foreign content, * e.g. inside an SVG or MathML element. From 1221efae34bf033af893180aa32a13e58b5312d8 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 19:41:27 +0100 Subject: [PATCH 052/187] ID matches depend on quirks mode --- src/wp-includes/html-api/class-wp-css-selectors.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 1a50defba8ea3..01e3253893d57 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -575,8 +575,10 @@ public static function parse( string $input, int &$offset ): ?self { } public function matches( WP_HTML_Processor $processor ): bool { - // @todo check case sensitivity. - return $processor->get_attribute( 'id' ) === $this->ident; + $case_insensitive = method_exists( $processor, 'is_quirks_mode' ) && $processor->is_quirks_mode(); + return $case_insensitive ? + 0 === strcasecmp( $processor->get_attribute( 'id' ), $this->ident ) : + $processor->get_attribute( 'id' ) === $this->ident; } } From e5e94b11b5d9e3c113364c2a595ebb8cfdb715f7 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 19:42:12 +0100 Subject: [PATCH 053/187] has_class may return null, coerce to bool --- src/wp-includes/html-api/class-wp-css-selectors.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 01e3253893d57..3e35a383b4446 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -584,7 +584,7 @@ public function matches( WP_HTML_Processor $processor ): bool { final class WP_CSS_Class_Selector extends WP_CSS_Selector_Parser { public function matches( WP_HTML_Processor $processor ): bool { - return $processor->has_class( $this->ident ); + return (bool) $processor->has_class( $this->ident ); } /** @var string */ From 1e888babcc7e4448a02ace55a509e655bdea1e5d Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 21:29:13 +0100 Subject: [PATCH 054/187] Update docs to only allow subclass selectors in final complex selector position --- .../html-api/class-wp-css-selectors.php | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 3e35a383b4446..b0d5afbb5bba7 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -27,9 +27,9 @@ * = * = # * = # - * = [ ? ]* + * = [ ? ]* * = [ ? * ]! - * = '>' | '+' | '~' | [ '|' '|' ] + * = '>' | [ '|' '|' ] * = | '*' * = | | * = @@ -47,17 +47,23 @@ * - ID selectors (e.g. `#unique-id`) * - Attribute selectors (e.g. `[attribute-name]` or `[attribute-name="value"]`) * - Comma-separated selector lists (e.g. `.selector-1, .selector-2`) - * - The following combinators: - * - descendant (e.g. `.parent .descendant`) - * - child (`.parent > .child`) + * - The following combinators. Only type (element) selectors are allowed in non-final position: + * - descendant (e.g. `el .descendant`) + * - child (`el > .child`) * * Unsupported selector syntax: * - Pseudo-element selectors (e.g. `::before`) * - Pseudo-class selectors (e.g. `:hover` or `:nth-child(2)`) * - Namespace prefixes (e.g. `svg|title` or `[xlink|href]`) * - The following combinators: - * - Next sibling (`.sibling + .sibling`) - * - Subsequent sibling (`.sibling ~ .sibling`) + * - Next sibling (`el + el`) + * - Subsequent sibling (`el ~ el`) + * + * Future ideas + * - Namespace type selectors could be implemented with select namespaces in order to + * select elements from a namespace, for example: + * - `svg|*` to select all SVG elements + * - `html|title` to select only HTML TITLE elements. * * @since TBD * From dd4fcb01184f9e07ec51067e1d7c1a8d4021d168 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 22:10:05 +0100 Subject: [PATCH 055/187] Restrict complex selectors to only allow subclass selectors in final position --- .../html-api/class-wp-css-selectors.php | 43 +++++++++++-------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index b0d5afbb5bba7..45a2f78d94fd5 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -1066,7 +1066,8 @@ public static function parse( string $input, int &$offset ): ?self { return null; } - $selectors = array( $selector ); + $selectors = array( $selector ); + $has_preceding_subclass_selector = null !== $selector->subclass_selectors; $found_whitespace = self::parse_whitespace( $input, $updated_offset ); while ( $updated_offset < strlen( $input ) ) { @@ -1075,22 +1076,13 @@ public static function parse( string $input, int &$offset ): ?self { self::COMBINATOR_NEXT_SIBLING === $input[ $updated_offset ] || self::COMBINATOR_SUBSEQUENT_SIBLING === $input[ $updated_offset ] ) { - $combinator = $input[ $updated_offset ]; - ++$updated_offset; - self::parse_whitespace( $input, $updated_offset ); - - // Failure to find a selector here is a parse error - $selector = WP_CSS_Selector::parse( $input, $updated_offset ); - // Failure to find a selector is a parse error. - if ( null === $selector ) { - return null; - } - $selectors[] = $combinator; - $selectors[] = $selector; - } elseif ( ! $found_whitespace ) { - break; - } else { + $combinator = $input[ $updated_offset ]; + ++$updated_offset; + self::parse_whitespace( $input, $updated_offset ); + // Failure to find a selector here is a parse error + $selector = WP_CSS_Selector::parse( $input, $updated_offset ); + } elseif ( $found_whitespace ) { /* * Whitespace is ambiguous, it could be a descendant combinator or * insignificant whitespace. @@ -1099,9 +1091,24 @@ public static function parse( string $input, int &$offset ): ?self { if ( null === $selector ) { break; } - $selectors[] = self::COMBINATOR_DESCENDANT; - $selectors[] = $selector; + $combinator = self::COMBINATOR_DESCENDANT; + } else { + break; + } + + if ( null === $selector ) { + return null; } + + // `div > .className` is valid, but `.className > div` is not. + if ( $has_preceding_subclass_selector ) { + throw new Exception( 'Unsupported non-final subclass selector.' ); + } + $has_preceding_subclass_selector = null !== $selector->subclass_selectors; + + $selectors[] = $combinator; + $selectors[] = $selector; + $found_whitespace = self::parse_whitespace( $input, $updated_offset ); } $offset = $updated_offset; From 256c55a16d8e5adf3ebdc64a360e3373eeecaa28 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 22:10:21 +0100 Subject: [PATCH 056/187] Work on complex selector handling --- .../html-api/class-wp-css-selectors.php | 49 +++++++++++++++++-- 1 file changed, 44 insertions(+), 5 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 45a2f78d94fd5..bc28cfaa4f20e 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -1033,11 +1033,47 @@ private static function parse_subclass_selector( string $input, int &$offset ) { */ final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser { public function matches( WP_HTML_Processor $processor ): bool { - // @todo this can throw on parse. - if ( count( $this->selectors ) > 1 ) { - throw new Exception( 'Combined complex selectors are not supported yet.' ); + if ( count( $this->selectors ) === 1 ) { + return $this->selectors[0]->matches( $processor ); + } + + // First selector must match this location. + if ( ! $this->selectors[0]->matches( $processor ) ) { + return false; + } + + $breadcrumbs = array_slice( array_reverse( $processor->get_breadcrumbs() ), 1 ); + $selectors = array_slice( $this->selectors, 1 ); + return $this->explore_matches( $selectors, $breadcrumbs ); + } + + /** + * This only looks at breadcrumbs and can therefore only support type selectors. + * + * @param array $selectors + */ + private function explore_matches( array $selectors, array $breadcrumbs ): bool { + if ( array() === $selectors ) { + return true; + } + if ( array() === $breadcrumbs ) { + return false; + } + + $combinator = $selectors[0]; + $selector = $selectors[1]; + + switch ( $combinator ) { + case self::COMBINATOR_CHILD: + if ( '*' === $selector->type_selector->ident || strcasecmp( $breadcrumbs[0], $selector->type_selector->ident ) === 0 ) { + return $this->explore_matches( array_slice( $selectors, 2 ), array_slice( $breadcrumbs, 1 ) ); + } + return $this->explore_matches( $selectors, array_slice( $breadcrumbs, 1 ) ); + + case self::COMBINATOR_DESCENDANT: + default: + throw new Exception( "Combinator '{$combinator}' is not supported yet." ); } - return $this->selectors[0]->matches( $processor ); } const COMBINATOR_CHILD = '>'; @@ -1047,12 +1083,15 @@ public function matches( WP_HTML_Processor $processor ): bool { /** * even indexes are WP_CSS_Selector, odd indexes are string combinators. + * In reverse order to match the current element and then work up the tree. + * Any non-final selector is a type selector. + * * @var array */ public $selectors = array(); private function __construct( array $selectors ) { - $this->selectors = $selectors; + $this->selectors = array_reverse( $selectors ); } public static function parse( string $input, int &$offset ): ?self { From 465cc3673cb15e2b229767223801224d8fd36335 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 22:26:43 +0100 Subject: [PATCH 057/187] Implement descendent selector matching --- src/wp-includes/html-api/class-wp-css-selectors.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index bc28cfaa4f20e..974c56e6581ff 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -1071,6 +1071,19 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { return $this->explore_matches( $selectors, array_slice( $breadcrumbs, 1 ) ); case self::COMBINATOR_DESCENDANT: + $ident = $selector->type_selector->ident; + + // Find _all_ the breadcrumbs that match and recurse from each of them. + for ( $i = 0; $i < count( $breadcrumbs ); $i++ ) { + if ( '*' === $selector->type_selector->ident || strcasecmp( $breadcrumbs[ $i ], $selector->type_selector->ident ) === 0 ) { + $next_crumbs = array_slice( $breadcrumbs, $i + 1 ); + if ( $this->explore_matches( array_slice( $selectors, 2 ), $next_crumbs ) ) { + return true; + } + } + } + return false; + default: throw new Exception( "Combinator '{$combinator}' is not supported yet." ); } From 467d45dc3133dfefb7081e8e7e7821254dd073a0 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 29 Nov 2024 15:48:21 +0100 Subject: [PATCH 058/187] Add null check for subclass selectors --- src/wp-includes/html-api/class-wp-css-selectors.php | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 974c56e6581ff..21039c0c7940e 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -962,9 +962,11 @@ public function matches( WP_HTML_Processor $processor ): bool { return false; } } - foreach ( $this->subclass_selectors as $subclass_selector ) { - if ( ! $subclass_selector->matches( $processor ) ) { - return false; + if ( null !== $this->subclass_selectors ) { + foreach ( $this->subclass_selectors as $subclass_selector ) { + if ( ! $subclass_selector->matches( $processor ) ) { + return false; + } } } return true; From 44bfc64b4fe9711f1800e854c059156bcf2b45fb Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 29 Nov 2024 16:20:22 +0100 Subject: [PATCH 059/187] CSS selector reformat ternaries --- .../html-api/class-wp-css-selectors.php | 41 ++++++++++--------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 21039c0c7940e..65e384639abcb 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -390,9 +390,9 @@ protected static function consume_escaped_codepoint( $input, &$offset ): ?string 0 === $codepoint_value || $codepoint_value > self::UTF8_MAX_CODEPOINT_VALUE || ( 0xD800 <= $codepoint_value && $codepoint_value <= 0xDFFF ) - ) ? - "\u{FFFD}" : - mb_chr( $codepoint_value, 'UTF-8' ); + ) + ? "\u{FFFD}" + : mb_chr( $codepoint_value, 'UTF-8' ); $offset += $hex_length; @@ -582,9 +582,9 @@ public static function parse( string $input, int &$offset ): ?self { public function matches( WP_HTML_Processor $processor ): bool { $case_insensitive = method_exists( $processor, 'is_quirks_mode' ) && $processor->is_quirks_mode(); - return $case_insensitive ? - 0 === strcasecmp( $processor->get_attribute( 'id' ), $this->ident ) : - $processor->get_attribute( 'id' ) === $this->ident; + return $case_insensitive + ? 0 === strcasecmp( $processor->get_attribute( 'id' ), $this->ident ) + : $processor->get_attribute( 'id' ) === $this->ident; } } @@ -693,9 +693,9 @@ public function matches( WP_HTML_Processor $processor ): bool { switch ( $this->matcher ) { case self::MATCH_EXACT: - return $case_insensitive ? - 0 === strcasecmp( $att_value, $this->value ) : - $att_value === $this->value; + return $case_insensitive + ? 0 === strcasecmp( $att_value, $this->value ) + : $att_value === $this->value; case self::MATCH_ONE_OF_EXACT: // @todo @@ -704,9 +704,9 @@ public function matches( WP_HTML_Processor $processor ): bool { case self::MATCH_EXACT_OR_EXACT_WITH_HYPHEN: // Attempt the full match first if ( - $case_insensitive ? - 0 === strcasecmp( $att_value, $this->value ) : - $att_value === $this->value + $case_insensitive + ? 0 === strcasecmp( $att_value, $this->value ) + : $att_value === $this->value ) { return true; } @@ -1017,13 +1017,16 @@ private static function parse_subclass_selector( string $input, int &$offset ) { } $next_char = $input[ $offset ]; - return '.' === $next_char ? - WP_CSS_Class_Selector::parse( $input, $offset ) : ( - '#' === $next_char ? - WP_CSS_ID_Selector::parse( $input, $offset ) : ( - '[' === $next_char ? - WP_CSS_Attribute_Selector::parse( $input, $offset ) : - null ) ); + return '.' === $next_char + ? WP_CSS_Class_Selector::parse( $input, $offset ) + : ( + '#' === $next_char + ? WP_CSS_ID_Selector::parse( $input, $offset ) + : ( '[' === $next_char + ? WP_CSS_Attribute_Selector::parse( $input, $offset ) + : null + ) + ); } } From ca4531c0a190b89f6072799b2b1f90dbd1deb2c1 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 29 Nov 2024 16:20:54 +0100 Subject: [PATCH 060/187] Implement ~= attribute matching --- .../html-api/class-wp-css-selectors.php | 43 ++++++++++++++++--- 1 file changed, 37 insertions(+), 6 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 65e384639abcb..49c3daf66c3b2 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -180,9 +180,10 @@ public static function parse( string $input, int &$offset ); abstract class WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { const UTF8_MAX_CODEPOINT_VALUE = 0x10FFFF; + const WHITESPACE_CHARACTERS = " \t\r\n\f"; public static function parse_whitespace( string $input, int &$offset ): bool { - $length = strspn( $input, " \t\r\n\f", $offset ); + $length = strspn( $input, self::WHITESPACE_CHARACTERS, $offset ); $advanced = $length > 0; $offset += $length; return $advanced; @@ -698,8 +699,16 @@ public function matches( WP_HTML_Processor $processor ): bool { : $att_value === $this->value; case self::MATCH_ONE_OF_EXACT: - // @todo - throw new Exception( 'One of attribute matching is not supported yet.' ); + foreach ( $this->whitespace_delimited_list( $att_value ) as $val ) { + if ( + $case_insensitive + ? 0 === strcasecmp( $val, $this->value ) + : $val === $this->value + ) { + return true; + } + } + return false; case self::MATCH_EXACT_OR_EXACT_WITH_HYPHEN: // Attempt the full match first @@ -727,13 +736,35 @@ public function matches( WP_HTML_Processor $processor ): bool { case self::MATCH_CONTAINS: return false !== ( - $case_insensitive ? - stripos( $att_value, $this->value ) : - strpos( $att_value, $this->value ) + $case_insensitive + ? stripos( $att_value, $this->value ) + : strpos( $att_value, $this->value ) ); } } + /** + * @param string $input + * + * @return Generator + */ + private function whitespace_delimited_list( string $input ): Generator { + $offset = strspn( $input, self::WHITESPACE_CHARACTERS ); + + while ( $offset < strlen( $input ) ) { + // Find the byte length until the next boundary. + $length = strcspn( $input, self::WHITESPACE_CHARACTERS, $offset ); + if ( 0 === $length ) { + return; + } + + $value = substr( $input, $offset, $length ); + $offset += $length + strspn( $input, self::WHITESPACE_CHARACTERS, $offset + $length ); + + yield $value; + } + } + /** * [att=val] * Represents an element with the att attribute whose value is exactly "val". From 489db93a917625bc7d42d6e3d9f5ad924d3a96ed Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 29 Nov 2024 16:48:15 +0100 Subject: [PATCH 061/187] CSS fix return type --- src/wp-includes/html-api/class-wp-css-selectors.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 49c3daf66c3b2..1431dc58afb52 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -113,7 +113,7 @@ public static function from_selectors( string $selectors ): ?self { * * @since TBD * - * @return WP_CSS_Selectors|null + * @return self|null */ private static function parse( string $input ) { // > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace and matches the dom_selectors_group production. From e57a2114aafdd6cb1d0e3cf1b7d2e3064c3e8d0b Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 29 Nov 2024 17:05:40 +0100 Subject: [PATCH 062/187] Fix static analysis problems --- .../html-api/class-wp-css-selectors.php | 22 +++++++++++-------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 1431dc58afb52..2205146bdf2be 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -1,4 +1,8 @@ -value ) ); } + + throw new Exception( 'Unreachable' ); } /** @@ -830,7 +834,7 @@ private function whitespace_delimited_list( string $input ): Generator { /** * The attribute matcher. * - * @var string|null + * @var null|self::MATCH_* */ public $matcher; @@ -844,7 +848,7 @@ private function whitespace_delimited_list( string $input ): Generator { /** * The attribute modifier. * - * @var string|null + * @var null|self::MODIFIER_* */ public $modifier; @@ -1086,7 +1090,7 @@ public function matches( WP_HTML_Processor $processor ): bool { /** * This only looks at breadcrumbs and can therefore only support type selectors. * - * @param array $selectors + * @param array $selectors */ private function explore_matches( array $selectors, array $breadcrumbs ): bool { if ( array() === $selectors ) { @@ -1096,8 +1100,10 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { return false; } + /** @var self::COMBINATOR_* $combinator */ $combinator = $selectors[0]; - $selector = $selectors[1]; + /** @var WP_CSS_Selector $selector */ + $selector = $selectors[1]; switch ( $combinator ) { case self::COMBINATOR_CHILD: @@ -1107,8 +1113,6 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { return $this->explore_matches( $selectors, array_slice( $breadcrumbs, 1 ) ); case self::COMBINATOR_DESCENDANT: - $ident = $selector->type_selector->ident; - // Find _all_ the breadcrumbs that match and recurse from each of them. for ( $i = 0; $i < count( $breadcrumbs ); $i++ ) { if ( '*' === $selector->type_selector->ident || strcasecmp( $breadcrumbs[ $i ], $selector->type_selector->ident ) === 0 ) { From 509e648685af757a6b38830c8ccd58e2ac36fe07 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 29 Nov 2024 17:40:39 +0100 Subject: [PATCH 063/187] Fix and annotate things (static analysis) --- .../html-api/class-wp-css-selectors.php | 52 +++++++++++++------ 1 file changed, 35 insertions(+), 17 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 2205146bdf2be..28e51aa9a9735 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -77,7 +77,7 @@ * @see {@link https://www.w3.org/TR/selectors-4/} * */ -class WP_CSS_Selector_List implements IWP_CSS_Selector_Matcher { +class WP_CSS_Selector_List extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { if ( $processor->get_token_type() !== '#tag' ) { return false; @@ -91,8 +91,14 @@ public function matches( WP_HTML_Processor $processor ): bool { return false; } + /** + * @var array + */ private $selectors; + /** + * @param array $selectors + */ private function __construct( array $selectors ) { $this->selectors = $selectors; } @@ -122,7 +128,7 @@ private static function parse( string $input ) { $input = trim( $input, " \t\r\n\r" ); if ( '' === $input ) { - null; + return null; } /* @@ -144,7 +150,7 @@ private static function parse( string $input ) { if ( null === $selector ) { return null; } - WP_CSS_Selector_Parser::parse_whitespace( $input, $offset ); + self::parse_whitespace( $input, $offset ); $selectors = array( $selector ); while ( $offset < strlen( $input ) ) { @@ -153,16 +159,16 @@ private static function parse( string $input ) { return null; } ++$offset; - WP_CSS_Selector_Parser::parse_whitespace( $input, $offset ); + self::parse_whitespace( $input, $offset ); $selector = WP_CSS_Complex_Selector::parse( $input, $offset ); if ( null === $selector ) { return null; } $selectors[] = $selector; - WP_CSS_Selector_Parser::parse_whitespace( $input, $offset ); + self::parse_whitespace( $input, $offset ); } - return new WP_CSS_Selector_List( $selectors ); + return new self( $selectors ); } } @@ -180,7 +186,7 @@ interface IWP_CSS_Selector_Parser { public static function parse( string $input, int &$offset ); } -abstract class WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { +abstract class WP_CSS_Selector_Parser { const UTF8_MAX_CODEPOINT_VALUE = 0x10FFFF; const WHITESPACE_CHARACTERS = " \t\r\n\f"; @@ -216,7 +222,6 @@ protected static function parse_hash_token( string $input, int &$offset ): ?stri if ( null === $result ) { return null; - $offset = $updated_offset; } $offset = $updated_offset; @@ -263,8 +268,8 @@ protected static function parse_ident( string $input, int &$offset ): ?string { continue; } elseif ( self::is_ident_codepoint( $input, $offset ) ) { // @todo this should append and advance the correct number of bytes. - $ident .= $input[ $offset ]; - $offset += 1; + $ident .= $input[ $offset ]; + ++$offset; continue; } break; @@ -378,6 +383,10 @@ protected static function parse_string( string $input, int &$offset ): ?string { * > This is a parse error. Return U+FFFD REPLACEMENT CHARACTER (�). * > anything else * > Return the current input code point. + * + * @param string $input + * @param int $offset + * @return string|null */ protected static function consume_escaped_codepoint( $input, &$offset ): ?string { $hex_length = strspn( $input, '0123456789abcdefABCDEF', $offset, 6 ); @@ -558,7 +567,8 @@ protected static function check_if_three_code_points_would_start_an_ident_sequen } } -final class WP_CSS_ID_Selector extends WP_CSS_Selector_Parser { +final class WP_CSS_ID_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { + /** @var string */ public $ident; @@ -591,7 +601,7 @@ public function matches( WP_HTML_Processor $processor ): bool { } } -final class WP_CSS_Class_Selector extends WP_CSS_Selector_Parser { +final class WP_CSS_Class_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { return (bool) $processor->has_class( $this->ident ); } @@ -629,7 +639,7 @@ public static function parse( string $input, int &$offset ): ?self { } } -final class WP_CSS_Type_Selector extends WP_CSS_Selector_Parser { +final class WP_CSS_Type_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { if ( '*' === $this->ident ) { return true; @@ -681,7 +691,7 @@ public static function parse( string $input, int &$offset ): ?self { } } -final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser { +final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { $att_value = $processor->get_attribute( $this->name ); if ( null === $att_value ) { @@ -990,7 +1000,7 @@ public static function parse( string $input, int &$offset ): ?self { * * > = [ ? * ]! */ -final class WP_CSS_Selector extends WP_CSS_Selector_Parser { +final class WP_CSS_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { if ( $this->type_selector ) { if ( ! $this->type_selector->matches( $processor ) ) { @@ -1013,6 +1023,10 @@ public function matches( WP_HTML_Processor $processor ): bool { /** @var array|null */ public $subclass_selectors; + /** + * @param WP_CSS_Type_Selector|null $type_selector + * @param array $subclass_selectors + */ private function __construct( ?WP_CSS_Type_Selector $type_selector, array $subclass_selectors ) { $this->type_selector = $type_selector; $this->subclass_selectors = array() === $subclass_selectors ? null : $subclass_selectors; @@ -1071,7 +1085,7 @@ private static function parse_subclass_selector( string $input, int &$offset ) { * * > = [ ? ]* */ -final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser { +final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { if ( count( $this->selectors ) === 1 ) { return $this->selectors[0]->matches( $processor ); @@ -1091,6 +1105,7 @@ public function matches( WP_HTML_Processor $processor ): bool { * This only looks at breadcrumbs and can therefore only support type selectors. * * @param array $selectors + * @param array $breadcrumbs */ private function explore_matches( array $selectors, array $breadcrumbs ): bool { if ( array() === $selectors ) { @@ -1139,10 +1154,13 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { * In reverse order to match the current element and then work up the tree. * Any non-final selector is a type selector. * - * @var array + * @var array */ public $selectors = array(); + /** + * @param array $selectors + */ private function __construct( array $selectors ) { $this->selectors = array_reverse( $selectors ); } From 58c1698b16a55ac3d9bc92c35b4c2346e43b67c7 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 29 Nov 2024 17:40:46 +0100 Subject: [PATCH 064/187] update tests --- .../phpunit/tests/html-api/wpCssSelectors.php | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 33ada4ccbe3f9..5983f91c5d9ba 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -309,8 +309,12 @@ public static function data_attribute_selectors(): array { '[href=foo]' => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), '[href \n = bar ]' => array( "[href \n = bar ]", 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), + '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[att=val I]' => array( '[att=val I]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + '[att=val S]' => array( '[att=val S]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[match~="quoted[][]"]' => array( '[match~="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT, 'quoted[][]', null, '' ), "[match$='quoted!{}']" => array( "[match$='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'quoted!{}', null, '' ), "[match*='quoted's]" => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_CONTAINS, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), @@ -332,8 +336,6 @@ public static function data_attribute_selectors(): array { 'Invalid: [att=val ' => array( '[att=val ' ), 'Invalid: [att i]' => array( '[att i]' ), 'Invalid: [att s]' => array( '[att s]' ), - 'Invalid: [att="val" I]' => array( '[att="val" I]' ), - 'Invalid: [att="val" S]' => array( '[att="val" S]' ), "Invalid: [att='val\\n']" => array( "[att='val\n']" ), 'Invalid: [att=val i ' => array( '[att=val i ' ), ); @@ -371,17 +373,21 @@ public function test_parse_empty_selector() { * @ticket TBD */ public function test_parse_complex_selector() { - $input = 'el.foo#bar[baz=quux] > .child , rest'; + $input = 'el1 > .child#bar[baz=quux] , rest'; $offset = 0; $sel = WP_CSS_Complex_Selector::parse( $input, $offset ); $this->assertSame( 3, count( $sel->selectors ) ); - $this->assertNotNull( $sel->selectors[0]->type_selector ); - $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); + + $this->assertSame( 'el1', $sel->selectors[2]->type_selector->ident ); + $this->assertNull( $sel->selectors[2]->subclass_selectors ); + $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->selectors[1] ); - $this->assertNull( $sel->selectors[2]->type_selector ); - $this->assertSame( 1, count( $sel->selectors[2]->subclass_selectors ) ); - $this->assertSame( 'child', $sel->selectors[2]->subclass_selectors[0]->ident ); + + $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); + $this->assertNull( $sel->selectors[0]->type_selector ); + $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); + $this->assertSame( 'child', $sel->selectors[0]->subclass_selectors[0]->ident ); $this->assertSame( ', rest', substr( $input, $offset ) ); } @@ -408,7 +414,7 @@ public function test_parse_empty_complex_selector() { * @ticket TBD */ public function test_parse_selector_list() { - $input = 'el.foo#bar[baz=quux] .descendent , rest'; + $input = 'el1 el2 el.foo#bar[baz=quux], rest'; $result = WP_CSS_Selector_List::from_selectors( $input ); $this->assertNotNull( $result ); } From c9b914517674004d8b7c38099325183cf3a592a8 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 29 Nov 2024 17:44:21 +0100 Subject: [PATCH 065/187] Id attribute must be a string to match id selector --- src/wp-includes/html-api/class-wp-css-selectors.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 28e51aa9a9735..8af33c2194723 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -594,9 +594,14 @@ public static function parse( string $input, int &$offset ): ?self { } public function matches( WP_HTML_Processor $processor ): bool { + $id = $processor->get_attribute( 'id' ); + if ( ! is_string( $id ) ) { + return false; + } + $case_insensitive = method_exists( $processor, 'is_quirks_mode' ) && $processor->is_quirks_mode(); return $case_insensitive - ? 0 === strcasecmp( $processor->get_attribute( 'id' ), $this->ident ) + ? 0 === strcasecmp( $id, $this->ident ) : $processor->get_attribute( 'id' ) === $this->ident; } } From e5cac63369f3c7b1a6cdf3c02c097bdae4e3d669 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 29 Nov 2024 17:47:31 +0100 Subject: [PATCH 066/187] Coerce boolean attributes to "" --- src/wp-includes/html-api/class-wp-css-selectors.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 8af33c2194723..8b92150cbef8f 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -707,6 +707,10 @@ public function matches( WP_HTML_Processor $processor ): bool { return true; } + if ( true === $att_value ) { + $att_value = ''; + } + $case_insensitive = self::MODIFIER_CASE_INSENSITIVE === $this->modifier; switch ( $this->matcher ) { From 2bafae995a64897ec393167e8a7416b74ff8b485 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 29 Nov 2024 17:56:57 +0100 Subject: [PATCH 067/187] Fix a few more static analysis things --- .../html-api/class-wp-css-selectors.php | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 8b92150cbef8f..87e32727a434e 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -871,6 +871,12 @@ private function whitespace_delimited_list( string $input ): Generator { */ public $modifier; + /** + * @param string $name + * @param null|self::MATCH_* $matcher + * @param null|string $value + * @param null|self::MODIFIER_* $modifier + */ private function __construct( string $name, ?string $matcher = null, ?string $value = null, ?string $modifier = null ) { $this->name = $name; $this->matcher = $matcher; @@ -1092,19 +1098,20 @@ private static function parse_subclass_selector( string $input, int &$offset ) { /** * This corresponds to in the grammar. * - * > = [ ? ]* + * > = [ ? ] * */ final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { - if ( count( $this->selectors ) === 1 ) { - return $this->selectors[0]->matches( $processor ); - } - // First selector must match this location. if ( ! $this->selectors[0]->matches( $processor ) ) { return false; } + if ( count( $this->selectors ) === 1 ) { + return true; + } + + /** @var array $breadcrumbs */ $breadcrumbs = array_slice( array_reverse( $processor->get_breadcrumbs() ), 1 ); $selectors = array_slice( $this->selectors, 1 ); return $this->explore_matches( $selectors, $breadcrumbs ); From 8fe57e393d947c2b8db0ee326cfa7989ade8c801 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 28 Nov 2024 18:04:13 +0100 Subject: [PATCH 068/187] Add select method --- .../html-api/class-wp-html-processor.php | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php index e88757ec7b4c2..438dee4c47f4e 100644 --- a/src/wp-includes/html-api/class-wp-html-processor.php +++ b/src/wp-includes/html-api/class-wp-html-processor.php @@ -635,6 +635,44 @@ public function get_unsupported_exception() { return $this->unsupported_exception; } + /** + * Use a selector to advance. + * + * @param string $selectors + * @return Generator|null + */ + public function select_all( string $selectors ): ?Generator { + $select = WP_CSS_Selector_List::from_selectors( $selectors ); + if ( null === $select ) { + return null; + } + + while ( $this->next_tag() ) { + if ( $select->matches( $this ) ) { + yield; + } + } + } + + /** + * Select the next matching element. + * + * If iterating through matching elements, use `select_all` instead. + * + * @param string $selectors + * @return bool|null + */ + public function select( string $selectors ) { + $selection = $this->select_all( $selectors ); + if ( null === $selection ) { + return null; + } + foreach ( $selection as $_ ) { + return true; + } + return false; + } + /** * Finds the next tag matching the $query. * From ab2fe0d78e2f2f54b29dae6ddb36a664f703d476 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 3 Dec 2024 18:20:01 +0100 Subject: [PATCH 069/187] Unify parsing under single class --- .../html-api/class-wp-css-selectors.php | 820 +++++++++--------- .../html-api/class-wp-html-processor.php | 2 +- .../phpunit/tests/html-api/wpCssSelectors.php | 121 ++- 3 files changed, 510 insertions(+), 433 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selectors.php index 87e32727a434e..7588eb72294bd 100644 --- a/src/wp-includes/html-api/class-wp-css-selectors.php +++ b/src/wp-includes/html-api/class-wp-css-selectors.php @@ -16,8 +16,8 @@ * * This class is designed for internal use by the HTML processor. * - * This class is instantiated via the `WP_CSS_Selector_List::from_selector( string $selector )` method. - * It accepts a CSS selector string and returns an instance of itself or `null` if the selector + * This class is instantiated via the `WP_CSS_Selector::from_selectors( string $input )` method. + * It takes a CSS selector string and returns an instance of itself or `null` if the selector * is invalid or unsupported. * * A subset of the CSS selector grammar is supported. The grammar is defined in the CSS Syntax @@ -39,7 +39,7 @@ * = '[' ']' | * '[' [ | ] ? ']' * = [ '~' | '|' | '^' | '$' | '*' ]? '=' - * = i | s + * = i | I | s | S * * @link https://www.w3.org/TR/selectors/#grammar Refer to the grammar for more details. * @@ -77,7 +77,7 @@ * @see {@link https://www.w3.org/TR/selectors-4/} * */ -class WP_CSS_Selector_List extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Matcher { +class WP_CSS_Selector implements IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { if ( $processor->get_token_type() !== '#tag' ) { return false; @@ -97,34 +97,25 @@ public function matches( WP_HTML_Processor $processor ): bool { private $selectors; /** + * Constructor. + * * @param array $selectors */ - private function __construct( array $selectors ) { + protected function __construct( array $selectors ) { $this->selectors = $selectors; } /** - * Takes a CSS selectors string and returns an instance of itself or `null` if the selector - * is invalid or unsupported. - * - * @since TBD - * - * @param string $selectors CSS selectors string. - * @return self|null - */ - public static function from_selectors( string $selectors ): ?self { - return self::parse( $selectors ); - } - - /** - * Returns a list of selectors. + * Takes a CSS selector string and returns an instance of itself or `null` if the selector + * string is invalid or unsupported. * * @since TBD * + * @param string $input CSS selectors. * @return self|null */ - private static function parse( string $input ) { - // > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace and matches the dom_selectors_group production. + public static function from_selectors( string $input ): ?self { + // > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace… $input = trim( $input, " \t\r\n\r" ); if ( '' === $input ) { @@ -146,7 +137,7 @@ private static function parse( string $input ) { $offset = 0; - $selector = WP_CSS_Complex_Selector::parse( $input, $offset ); + $selector = self::parse_complex_selector( $input, $offset ); if ( null === $selector ) { return null; } @@ -160,7 +151,7 @@ private static function parse( string $input ) { } ++$offset; self::parse_whitespace( $input, $offset ); - $selector = WP_CSS_Complex_Selector::parse( $input, $offset ); + $selector = self::parse_complex_selector( $input, $offset ); if ( null === $selector ) { return null; } @@ -170,23 +161,343 @@ private static function parse( string $input ) { return new self( $selectors ); } -} -interface IWP_CSS_Selector_Matcher { + /* + * ------------------------------ + * Selector parsing functionality + * ------------------------------ + */ + /** - * @return bool + * Parse an ID selector + * + * > = + * + * https://www.w3.org/TR/selectors/#grammar + * + * @return WP_CSS_ID_Selector|null */ - public function matches( WP_HTML_Processor $processor ): bool; -} + final protected static function parse_id_selector( string $input, int &$offset ): ?WP_CSS_ID_Selector { + $ident = self::parse_hash_token( $input, $offset ); + if ( null === $ident ) { + return null; + } + return new WP_CSS_ID_Selector( $ident ); + } -interface IWP_CSS_Selector_Parser { /** - * @return static|null + * Parse a class selector + * + * > = '.' + * + * https://www.w3.org/TR/selectors/#grammar + * + * @return WP_CSS_Class_Selector|null + */ + final protected static function parse_class_selector( string $input, int &$offset ): ?WP_CSS_Class_Selector { + if ( $offset + 1 >= strlen( $input ) || '.' !== $input[ $offset ] ) { + return null; + } + + $updated_offset = $offset + 1; + $result = self::parse_ident( $input, $updated_offset ); + + if ( null === $result ) { + return null; + } + + $offset = $updated_offset; + return new WP_CSS_Class_Selector( $result ); + } + + /** + * Parse a type selector + * + * > = | ? '*' + * > = [ | '*' ]? '|' + * > = ? + * + * Namespaces (e.g. |div, *|div, or namespace|div) are not supported, + * so this selector effectively matches * or ident. + * + * https://www.w3.org/TR/selectors/#grammar + * + * @return WP_CSS_Type_Selector|null + */ + final protected static function parse_type_selector( string $input, int &$offset ): ?WP_CSS_Type_Selector { + if ( $offset >= strlen( $input ) ) { + return null; + } + + if ( '*' === $input[ $offset ] ) { + ++$offset; + return new WP_CSS_Type_Selector( '*' ); + } + + $result = self::parse_ident( $input, $offset ); + if ( null === $result ) { + return null; + } + + return new WP_CSS_Type_Selector( $result ); + } + + /** + * Parse an attribute selector + * + * > = '[' ']' | + * > '[' [ | ] ? ']' + * > = [ '~' | '|' | '^' | '$' | '*' ]? '=' + * > = i | s + * > = ? + * + * Namespaces are not supported, so attribute names are effectively identifiers. + * + * https://www.w3.org/TR/selectors/#grammar + * + * @return WP_CSS_Attribute_Selector|null + */ + final protected static function parse_attribute_selector( string $input, int &$offset ): ?WP_CSS_Attribute_Selector { + // Need at least 3 bytes [x] + if ( $offset + 2 >= strlen( $input ) ) { + return null; + } + + $updated_offset = $offset; + + if ( '[' !== $input[ $updated_offset ] ) { + return null; + } + ++$updated_offset; + + self::parse_whitespace( $input, $updated_offset ); + $attr_name = self::parse_ident( $input, $updated_offset ); + if ( null === $attr_name ) { + return null; + } + self::parse_whitespace( $input, $updated_offset ); + + if ( $updated_offset >= strlen( $input ) ) { + return null; + } + + if ( ']' === $input[ $updated_offset ] ) { + $offset = $updated_offset + 1; + return new WP_CSS_Attribute_Selector( $attr_name ); + } + + // need to match at least `=x]` at this point + if ( $updated_offset + 3 >= strlen( $input ) ) { + return null; + } + + if ( '=' === $input[ $updated_offset ] ) { + ++$updated_offset; + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT; + } elseif ( '=' === $input[ $updated_offset + 1 ] ) { + switch ( $input[ $updated_offset ] ) { + case '~': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT; + $updated_offset += 2; + break; + case '|': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN; + $updated_offset += 2; + break; + case '^': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY; + $updated_offset += 2; + break; + case '$': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY; + $updated_offset += 2; + break; + case '*': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_CONTAINS; + $updated_offset += 2; + break; + default: + return null; + } + } else { + return null; + } + + self::parse_whitespace( $input, $updated_offset ); + $attr_val = + self::parse_string( $input, $updated_offset ) ?? + self::parse_ident( $input, $updated_offset ); + + if ( null === $attr_val ) { + return null; + } + + self::parse_whitespace( $input, $updated_offset ); + if ( $updated_offset >= strlen( $input ) ) { + return null; + } + + $attr_modifier = null; + switch ( $input[ $updated_offset ] ) { + case 'i': + case 'I': + $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE; + ++$updated_offset; + break; + + case 's': + case 'S': + $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE; + ++$updated_offset; + break; + } + + if ( null !== $attr_modifier ) { + self::parse_whitespace( $input, $updated_offset ); + if ( $updated_offset >= strlen( $input ) ) { + return null; + } + } + + if ( ']' === $input[ $updated_offset ] ) { + $offset = $updated_offset + 1; + return new WP_CSS_Attribute_Selector( $attr_name, $attr_matcher, $attr_val, $attr_modifier ); + } + + return null; + } + + /** + * Parses a compound selector. + * + * > = [ ? * ]! + * + * @return WP_CSS_Compound_Selector|null + */ + final protected static function parse_compound_selector( string $input, int &$offset ): ?WP_CSS_Compound_Selector { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $updated_offset = $offset; + $type_selector = self::parse_type_selector( $input, $updated_offset ); + + $subclass_selectors = array(); + $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); + while ( null !== $last_parsed_subclass_selector ) { + $subclass_selectors[] = $last_parsed_subclass_selector; + $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); + } + + if ( null !== $type_selector || array() !== $subclass_selectors ) { + $offset = $updated_offset; + return new WP_CSS_Compound_Selector( $type_selector, $subclass_selectors ); + } + return null; + } + + /** + * Parses a complex selector. + * + * > = [ ? ]* + * + * @return WP_CSS_Complex_Selector|null + */ + final protected static function parse_complex_selector( string $input, int &$offset ): ?WP_CSS_Complex_Selector { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $updated_offset = $offset; + $selector = self::parse_compound_selector( $input, $updated_offset ); + if ( null === $selector ) { + return null; + } + + $selectors = array( $selector ); + $has_preceding_subclass_selector = null !== $selector->subclass_selectors; + + $found_whitespace = self::parse_whitespace( $input, $updated_offset ); + while ( $updated_offset < strlen( $input ) ) { + if ( + WP_CSS_Complex_Selector::COMBINATOR_CHILD === $input[ $updated_offset ] || + WP_CSS_Complex_Selector::COMBINATOR_NEXT_SIBLING === $input[ $updated_offset ] || + WP_CSS_Complex_Selector::COMBINATOR_SUBSEQUENT_SIBLING === $input[ $updated_offset ] + ) { + $combinator = $input[ $updated_offset ]; + ++$updated_offset; + self::parse_whitespace( $input, $updated_offset ); + + // Failure to find a selector here is a parse error + $selector = self::parse_compound_selector( $input, $updated_offset ); + } elseif ( $found_whitespace ) { + /* + * Whitespace is ambiguous, it could be a descendant combinator or + * insignificant whitespace. + */ + $selector = self::parse_compound_selector( $input, $updated_offset ); + if ( null === $selector ) { + break; + } + $combinator = WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT; + } else { + break; + } + + if ( null === $selector ) { + return null; + } + + // `div > .className` is valid, but `.className > div` is not. + if ( $has_preceding_subclass_selector ) { + throw new Exception( 'Unsupported non-final subclass selector.' ); + } + $has_preceding_subclass_selector = null !== $selector->subclass_selectors; + + $selectors[] = $combinator; + $selectors[] = $selector; + + $found_whitespace = self::parse_whitespace( $input, $updated_offset ); + } + $offset = $updated_offset; + return new WP_CSS_Complex_Selector( $selectors ); + } + + /** + * Parses a subclass selector. + * + * > = | | + * + * @return WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector|null + */ + private static function parse_subclass_selector( string $input, int &$offset ) { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $next_char = $input[ $offset ]; + return '.' === $next_char + ? self::parse_class_selector( $input, $offset ) + : ( + '#' === $next_char + ? self::parse_id_selector( $input, $offset ) + : ( '[' === $next_char + ? self::parse_attribute_selector( $input, $offset ) + : null + ) + ); + } + + + /* + * ------------------------ + * Selector partial parsing + * ------------------------ + * + * These functions consume parts of a selector string input when successful + * and return meaningful values to be used by selectors. */ - public static function parse( string $input, int &$offset ); -} -abstract class WP_CSS_Selector_Parser { const UTF8_MAX_CODEPOINT_VALUE = 0x10FFFF; const WHITESPACE_CHARACTERS = " \t\r\n\f"; @@ -212,7 +523,7 @@ public static function parse_whitespace( string $input, int &$offset ): bool { * * This implementation is not interested in the , a '#' delim token is not relevant for selectors. */ - protected static function parse_hash_token( string $input, int &$offset ): ?string { + final protected static function parse_hash_token( string $input, int &$offset ): ?string { if ( $offset + 1 >= strlen( $input ) || '#' !== $input[ $offset ] ) { return null; } @@ -253,7 +564,7 @@ protected static function parse_hash_token( string $input, int &$offset ): ?stri * * @return string|null */ - protected static function parse_ident( string $input, int &$offset ): ?string { + final protected static function parse_ident( string $input, int &$offset ): ?string { if ( ! self::check_if_three_code_points_would_start_an_ident_sequence( $input, $offset ) ) { return null; } @@ -312,7 +623,7 @@ protected static function parse_ident( string $input, int &$offset ): ?string { * * @return string|null */ - protected static function parse_string( string $input, int &$offset ): ?string { + final protected static function parse_string( string $input, int &$offset ): ?string { if ( $offset + 1 >= strlen( $input ) ) { return null; } @@ -388,16 +699,24 @@ protected static function parse_string( string $input, int &$offset ): ?string { * @param int $offset * @return string|null */ - protected static function consume_escaped_codepoint( $input, &$offset ): ?string { + final protected static function consume_escaped_codepoint( $input, &$offset ): ?string { $hex_length = strspn( $input, '0123456789abcdefABCDEF', $offset, 6 ); if ( $hex_length > 0 ) { + /** + * The 6-character hex string has a maximum value of 0xFFFFFF. + * It is likely to fit in an int value and not be a float. + * + * @var int + */ $codepoint_value = hexdec( substr( $input, $offset, $hex_length ) ); - // > A surrogate is a leading surrogate or a trailing surrogate. - // > A leading surrogate is a code point that is in the range U+D800 to U+DBFF, inclusive. - // > A trailing surrogate is a code point that is in the range U+DC00 to U+DFFF, inclusive. - // The surrogate ranges are adjacent, so the complete range is 0xD800..=0xDFFF, - // inclusive. + /* + * > A surrogate is a leading surrogate or a trailing surrogate. + * > A leading surrogate is a code point that is in the range U+D800 to U+DBFF, inclusive. + * > A trailing surrogate is a code point that is in the range U+DC00 to U+DFFF, inclusive. + * + * The surrogate ranges are adjacent, so the complete range is 0xD800 to 0xDFFF, inclusive. + */ $codepoint_char = ( 0 === $codepoint_value || $codepoint_value > self::UTF8_MAX_CODEPOINT_VALUE || @@ -428,13 +747,16 @@ protected static function consume_escaped_codepoint( $input, &$offset ): ?string } /* - * Utiltities - * ========== + * --------------------------- + * Selector parsing utiltities + * --------------------------- * - * The following functions do not consume any input. + * The following functions are used for parsing but do not consume any input. */ /** + * Checks for two valid escape codepoints. + * * > 4.3.8. Check if two code points are a valid escape * > This section describes how to check if two code points are a valid escape. The algorithm described here can be called explicitly with two code points, or can be called with the input stream itself. In the latter case, the two code points in question are the current input code point and the next input code point, in that order. * > @@ -449,8 +771,12 @@ protected static function consume_escaped_codepoint( $input, &$offset ): ?string * https://www.w3.org/TR/css-syntax-3/#starts-with-a-valid-escape * * @todo this does not check whether the second codepoint is valid. + * + * @param string $input The input string. + * @param int $offset The byte offset in the string. + * @return bool True if the next two codepoints are a valid escape, otherwise false. */ - protected static function next_two_are_valid_escape( string $input, int $offset ): bool { + private static function next_two_are_valid_escape( string $input, int $offset ): bool { if ( $offset + 1 >= strlen( $input ) ) { return false; } @@ -458,7 +784,7 @@ protected static function next_two_are_valid_escape( string $input, int $offset } /** - * Check if the next code point is an "ident start code point". + * Checks if the next code point is an "ident start code point". * * Caution! This method does not do any bounds checking, it should not be passed * a string with an offset that is out of bounds. @@ -474,9 +800,13 @@ protected static function next_two_are_valid_escape( string $input, int $offset * > non-ASCII code point * > A code point with a value equal to or greater than U+0080 . * - * https://www.w3.org/TR/css-syntax-3/#ident-start-code-point + * @link https://www.w3.org/TR/css-syntax-3/#ident-start-code-point + * + * @param string $input The input string. + * @param int $offset The byte offset in the string. + * @return bool True if the next codepoint is an ident start code point, otherwise false. */ - protected static function is_ident_start_codepoint( string $input, int $offset ): bool { + final protected static function is_ident_start_codepoint( string $input, int $offset ): bool { return ( '_' === $input[ $offset ] || ( 'a' <= $input[ $offset ] && $input[ $offset ] <= 'z' ) || @@ -486,7 +816,7 @@ protected static function is_ident_start_codepoint( string $input, int $offset ) } /** - * Check if the next code point is an "ident code point". + * Checks if the next code point is an "ident code point". * * Caution! This method does not do any bounds checking, it should not be passed * a string with an offset that is out of bounds. @@ -496,15 +826,21 @@ protected static function is_ident_start_codepoint( string $input, int $offset ) * > digit * > A code point between U+0030 DIGIT ZERO (0) and U+0039 DIGIT NINE (9) inclusive. * - * https://www.w3.org/TR/css-syntax-3/#ident-code-point + * @link https://www.w3.org/TR/css-syntax-3/#ident-code-point + * + * @param string $input The input string. + * @param int $offset The byte offset in the string. + * @return bool True if the next codepoint is an ident code point, otherwise false. */ - protected static function is_ident_codepoint( string $input, int $offset ): bool { + final protected static function is_ident_codepoint( string $input, int $offset ): bool { return '-' === $input[ $offset ] || ( '0' <= $input[ $offset ] && $input[ $offset ] <= '9' ) || self::is_ident_start_codepoint( $input, $offset ); } /** + * Checks if three code points would start an ident sequence. + * * > 4.3.9. Check if three code points would start an ident sequence * > This section describes how to check if three code points would start an ident sequence. The algorithm described here can be called explicitly with three code points, or can be called with the input stream itself. In the latter case, the three code points in question are the current input code point and the next two input code points, in that order. * > @@ -521,9 +857,13 @@ protected static function is_ident_codepoint( string $input, int $offset ): bool * > anything else * > Return false. * - * https://www.w3.org/TR/css-syntax-3/#would-start-an-identifier + * @link https://www.w3.org/TR/css-syntax-3/#would-start-an-identifier + * + * @param string $input The input string. + * @param int $offset The byte offset in the string. + * @return bool True if the next three codepoints would start an ident sequence, otherwise false. */ - protected static function check_if_three_code_points_would_start_an_ident_sequence( string $input, int $offset ): bool { + private static function check_if_three_code_points_would_start_an_ident_sequence( string $input, int $offset ): bool { if ( $offset >= strlen( $input ) ) { return false; } @@ -567,32 +907,21 @@ protected static function check_if_three_code_points_would_start_an_ident_sequen } } -final class WP_CSS_ID_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { +interface IWP_CSS_Selector_Matcher { + /** + * @return bool + */ + public function matches( WP_HTML_Processor $processor ): bool; +} +final class WP_CSS_ID_Selector implements IWP_CSS_Selector_Matcher { /** @var string */ public $ident; - private function __construct( string $ident ) { + public function __construct( string $ident ) { $this->ident = $ident; } - /** - * Parse an ID selector - * - * > = - * - * https://www.w3.org/TR/selectors/#grammar - * - * @return self|null - */ - public static function parse( string $input, int &$offset ): ?self { - $ident = self::parse_hash_token( $input, $offset ); - if ( null === $ident ) { - return null; - } - return new self( $ident ); - } - public function matches( WP_HTML_Processor $processor ): bool { $id = $processor->get_attribute( 'id' ); if ( ! is_string( $id ) ) { @@ -606,50 +935,29 @@ public function matches( WP_HTML_Processor $processor ): bool { } } -final class WP_CSS_Class_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { - public function matches( WP_HTML_Processor $processor ): bool { - return (bool) $processor->has_class( $this->ident ); - } - - /** @var string */ - public $ident; - - private function __construct( string $ident ) { - $this->ident = $ident; - } - - /** - * Parse a class selector - * - * > = '.' - * - * https://www.w3.org/TR/selectors/#grammar - * - * @return self|null - */ - public static function parse( string $input, int &$offset ): ?self { - if ( $offset + 1 >= strlen( $input ) || '.' !== $input[ $offset ] ) { - return null; - } - - $updated_offset = $offset + 1; - $result = self::parse_ident( $input, $updated_offset ); - - if ( null === $result ) { - return null; - } +final class WP_CSS_Class_Selector implements IWP_CSS_Selector_Matcher { + public function matches( WP_HTML_Processor $processor ): bool { + return (bool) $processor->has_class( $this->ident ); + } - $offset = $updated_offset; - return new self( $result ); + /** @var string */ + public $ident; + + public function __construct( string $ident ) { + $this->ident = $ident; } } -final class WP_CSS_Type_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { +final class WP_CSS_Type_Selector implements IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { + $tag_name = $processor->get_tag(); + if ( null === $tag_name ) { + return false; + } if ( '*' === $this->ident ) { return true; } - return 0 === strcasecmp( $processor->get_tag(), $this->ident ); + return 0 === strcasecmp( $tag_name, $this->ident ); } /** @@ -659,44 +967,12 @@ public function matches( WP_HTML_Processor $processor ): bool { */ public $ident; - private function __construct( string $ident ) { + public function __construct( string $ident ) { $this->ident = $ident; } - - /** - * Parse a type selector - * - * > = | ? '*' - * > = [ | '*' ]? '|' - * > = ? - * - * Namespaces (e.g. |div, *|div, or namespace|div) are not supported, - * so this selector effectively matches * or ident. - * - * https://www.w3.org/TR/selectors/#grammar - * - * @return self|null - */ - public static function parse( string $input, int &$offset ): ?self { - if ( $offset >= strlen( $input ) ) { - return null; - } - - if ( '*' === $input[ $offset ] ) { - ++$offset; - return new self( '*' ); - } - - $result = self::parse_ident( $input, $offset ); - if ( null === $result ) { - return null; - } - - return new self( $result ); - } } -final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { +final class WP_CSS_Attribute_Selector implements IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { $att_value = $processor->get_attribute( $this->name ); if ( null === $att_value ) { @@ -772,17 +1048,17 @@ public function matches( WP_HTML_Processor $processor ): bool { * @return Generator */ private function whitespace_delimited_list( string $input ): Generator { - $offset = strspn( $input, self::WHITESPACE_CHARACTERS ); + $offset = strspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS ); while ( $offset < strlen( $input ) ) { // Find the byte length until the next boundary. - $length = strcspn( $input, self::WHITESPACE_CHARACTERS, $offset ); + $length = strcspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS, $offset ); if ( 0 === $length ) { return; } $value = substr( $input, $offset, $length ); - $offset += $length + strspn( $input, self::WHITESPACE_CHARACTERS, $offset + $length ); + $offset += $length + strspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS, $offset + $length ); yield $value; } @@ -877,137 +1153,12 @@ private function whitespace_delimited_list( string $input ): Generator { * @param null|string $value * @param null|self::MODIFIER_* $modifier */ - private function __construct( string $name, ?string $matcher = null, ?string $value = null, ?string $modifier = null ) { + public function __construct( string $name, ?string $matcher = null, ?string $value = null, ?string $modifier = null ) { $this->name = $name; $this->matcher = $matcher; $this->value = $value; $this->modifier = $modifier; } - - /** - * Parse a attribute selector - * - * > = '[' ']' | - * > '[' [ | ] ? ']' - * > = [ '~' | '|' | '^' | '$' | '*' ]? '=' - * > = i | s - * > = ? - * - * Namespaces are not supported, so attribute names are effectively identifiers. - * - * https://www.w3.org/TR/selectors/#grammar - * - * @return self|null - */ - public static function parse( string $input, int &$offset ): ?self { - // Need at least 3 bytes [x] - if ( $offset + 2 >= strlen( $input ) ) { - return null; - } - - $updated_offset = $offset; - - if ( '[' !== $input[ $updated_offset ] ) { - return null; - } - ++$updated_offset; - - self::parse_whitespace( $input, $updated_offset ); - $attr_name = self::parse_ident( $input, $updated_offset ); - if ( null === $attr_name ) { - return null; - } - self::parse_whitespace( $input, $updated_offset ); - - if ( $updated_offset >= strlen( $input ) ) { - return null; - } - - if ( ']' === $input[ $updated_offset ] ) { - $offset = $updated_offset + 1; - return new self( $attr_name ); - } - - // need to match at least `=x]` at this point - if ( $updated_offset + 3 >= strlen( $input ) ) { - return null; - } - - if ( '=' === $input[ $updated_offset ] ) { - ++$updated_offset; - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT; - } elseif ( '=' === $input[ $updated_offset + 1 ] ) { - switch ( $input[ $updated_offset ] ) { - case '~': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT; - $updated_offset += 2; - break; - case '|': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN; - $updated_offset += 2; - break; - case '^': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY; - $updated_offset += 2; - break; - case '$': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY; - $updated_offset += 2; - break; - case '*': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_CONTAINS; - $updated_offset += 2; - break; - default: - return null; - } - } else { - return null; - } - - self::parse_whitespace( $input, $updated_offset ); - $attr_val = - self::parse_string( $input, $updated_offset ) ?? - self::parse_ident( $input, $updated_offset ); - - if ( null === $attr_val ) { - return null; - } - - self::parse_whitespace( $input, $updated_offset ); - if ( $updated_offset >= strlen( $input ) ) { - return null; - } - - $attr_modifier = null; - switch ( $input[ $updated_offset ] ) { - case 'i': - case 'I': - $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE; - ++$updated_offset; - break; - - case 's': - case 'S': - $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE; - ++$updated_offset; - break; - } - - if ( null !== $attr_modifier ) { - self::parse_whitespace( $input, $updated_offset ); - if ( $updated_offset >= strlen( $input ) ) { - return null; - } - } - - if ( ']' === $input[ $updated_offset ] ) { - $offset = $updated_offset + 1; - return new self( $attr_name, $attr_matcher, $attr_val, $attr_modifier ); - } - - return null; - } } /** @@ -1015,7 +1166,7 @@ public static function parse( string $input, int &$offset ): ?self { * * > = [ ? * ]! */ -final class WP_CSS_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { +final class WP_CSS_Compound_Selector implements IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { if ( $this->type_selector ) { if ( ! $this->type_selector->matches( $processor ) ) { @@ -1042,65 +1193,18 @@ public function matches( WP_HTML_Processor $processor ): bool { * @param WP_CSS_Type_Selector|null $type_selector * @param array $subclass_selectors */ - private function __construct( ?WP_CSS_Type_Selector $type_selector, array $subclass_selectors ) { + public function __construct( ?WP_CSS_Type_Selector $type_selector, array $subclass_selectors ) { $this->type_selector = $type_selector; $this->subclass_selectors = array() === $subclass_selectors ? null : $subclass_selectors; } - - /** - * > = [ ? * ]! - */ - public static function parse( string $input, int &$offset ): ?self { - if ( $offset >= strlen( $input ) ) { - return null; - } - - $updated_offset = $offset; - $type_selector = WP_CSS_Type_Selector::parse( $input, $updated_offset ); - - $subclass_selectors = array(); - $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); - while ( null !== $last_parsed_subclass_selector ) { - $subclass_selectors[] = $last_parsed_subclass_selector; - $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); - } - - if ( null !== $type_selector || array() !== $subclass_selectors ) { - $offset = $updated_offset; - return new self( $type_selector, $subclass_selectors ); - } - return null; - } - - /** - * @return WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector|null - */ - private static function parse_subclass_selector( string $input, int &$offset ) { - if ( $offset >= strlen( $input ) ) { - return null; - } - - $next_char = $input[ $offset ]; - return '.' === $next_char - ? WP_CSS_Class_Selector::parse( $input, $offset ) - : ( - '#' === $next_char - ? WP_CSS_ID_Selector::parse( $input, $offset ) - : ( '[' === $next_char - ? WP_CSS_Attribute_Selector::parse( $input, $offset ) - : null - ) - ); - } } - /** * This corresponds to in the grammar. * * > = [ ? ] * */ -final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser implements IWP_CSS_Selector_Parser, IWP_CSS_Selector_Matcher { +final class WP_CSS_Complex_Selector implements IWP_CSS_Selector_Matcher { public function matches( WP_HTML_Processor $processor ): bool { // First selector must match this location. if ( ! $this->selectors[0]->matches( $processor ) ) { @@ -1120,7 +1224,7 @@ public function matches( WP_HTML_Processor $processor ): bool { /** * This only looks at breadcrumbs and can therefore only support type selectors. * - * @param array $selectors + * @param array $selectors * @param array $breadcrumbs */ private function explore_matches( array $selectors, array $breadcrumbs ): bool { @@ -1133,7 +1237,7 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { /** @var self::COMBINATOR_* $combinator */ $combinator = $selectors[0]; - /** @var WP_CSS_Selector $selector */ + /** @var WP_CSS_Compound_Selector $selector */ $selector = $selectors[1]; switch ( $combinator ) { @@ -1166,78 +1270,18 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { const COMBINATOR_SUBSEQUENT_SIBLING = '~'; /** - * even indexes are WP_CSS_Selector, odd indexes are string combinators. + * even indexes are WP_CSS_Compound_Selector, odd indexes are string combinators. * In reverse order to match the current element and then work up the tree. * Any non-final selector is a type selector. * - * @var array + * @var array */ public $selectors = array(); /** - * @param array $selectors + * @param array $selectors */ - private function __construct( array $selectors ) { + public function __construct( array $selectors ) { $this->selectors = array_reverse( $selectors ); } - - public static function parse( string $input, int &$offset ): ?self { - if ( $offset >= strlen( $input ) ) { - return null; - } - - $updated_offset = $offset; - $selector = WP_CSS_Selector::parse( $input, $updated_offset ); - if ( null === $selector ) { - return null; - } - - $selectors = array( $selector ); - $has_preceding_subclass_selector = null !== $selector->subclass_selectors; - - $found_whitespace = self::parse_whitespace( $input, $updated_offset ); - while ( $updated_offset < strlen( $input ) ) { - if ( - self::COMBINATOR_CHILD === $input[ $updated_offset ] || - self::COMBINATOR_NEXT_SIBLING === $input[ $updated_offset ] || - self::COMBINATOR_SUBSEQUENT_SIBLING === $input[ $updated_offset ] - ) { - $combinator = $input[ $updated_offset ]; - ++$updated_offset; - self::parse_whitespace( $input, $updated_offset ); - - // Failure to find a selector here is a parse error - $selector = WP_CSS_Selector::parse( $input, $updated_offset ); - } elseif ( $found_whitespace ) { - /* - * Whitespace is ambiguous, it could be a descendant combinator or - * insignificant whitespace. - */ - $selector = WP_CSS_Selector::parse( $input, $updated_offset ); - if ( null === $selector ) { - break; - } - $combinator = self::COMBINATOR_DESCENDANT; - } else { - break; - } - - if ( null === $selector ) { - return null; - } - - // `div > .className` is valid, but `.className > div` is not. - if ( $has_preceding_subclass_selector ) { - throw new Exception( 'Unsupported non-final subclass selector.' ); - } - $has_preceding_subclass_selector = null !== $selector->subclass_selectors; - - $selectors[] = $combinator; - $selectors[] = $selector; - - $found_whitespace = self::parse_whitespace( $input, $updated_offset ); - } - $offset = $updated_offset; - return new self( $selectors ); - } } diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php index 438dee4c47f4e..bee0f63824abd 100644 --- a/src/wp-includes/html-api/class-wp-html-processor.php +++ b/src/wp-includes/html-api/class-wp-html-processor.php @@ -642,7 +642,7 @@ public function get_unsupported_exception() { * @return Generator|null */ public function select_all( string $selectors ): ?Generator { - $select = WP_CSS_Selector_List::from_selectors( $selectors ); + $select = WP_CSS_Selector::from_selectors( $selectors ); if ( null === $select ) { return null; } diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelectors.php index 5983f91c5d9ba..19c1595253d84 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelectors.php @@ -11,6 +11,63 @@ * @group html-api */ class Tests_HtmlApi_WpCssSelectors extends WP_UnitTestCase { + private $test_class; + + public function set_up(): void { + parent::set_up(); + $this->test_class = new class() extends WP_CSS_Selector { + public function __construct() { + parent::__construct( array() ); + } + + /* + * Parsing + */ + public static function test_parse_ident( string $input, int &$offset ) { + return self::parse_ident( $input, $offset ); + } + + public static function test_parse_string( string $input, int &$offset ) { + return self::parse_string( $input, $offset ); + } + + public static function test_parse_type_selector( string $input, int &$offset ) { + return self::parse_type_selector( $input, $offset ); + } + + public static function test_parse_id_selector( string $input, int &$offset ) { + return self::parse_id_selector( $input, $offset ); + } + + public static function test_parse_class_selector( string $input, int &$offset ) { + return self::parse_class_selector( $input, $offset ); + } + + public static function test_parse_attribute_selector( string $input, int &$offset ) { + return self::parse_attribute_selector( $input, $offset ); + } + + public static function test_parse_compound_selector( string $input, int &$offset ) { + return self::parse_compound_selector( $input, $offset ); + } + + public static function test_parse_complex_selector( string $input, int &$offset ) { + return self::parse_complex_selector( $input, $offset ); + } + + /* + * Utilities + */ + public static function test_is_ident_codepoint( string $input, int $offset ) { + return self::is_ident_codepoint( $input, $offset ); + } + + public static function test_is_ident_start_codepoint( string $input, int $offset ) { + return self::is_ident_start_codepoint( $input, $offset ); + } + }; + } + /** * Data provider. * @@ -64,22 +121,10 @@ public static function data_idents(): array { * @ticket TBD */ public function test_is_ident_and_is_ident_start() { - $c = new class() extends WP_CSS_Selector_Parser { - public static function parse( string $input, int &$offset ) {} - - public static function test_is_ident( string $input, int $offset ) { - return self::is_ident_codepoint( $input, $offset ); - } - - public static function test_is_ident_start( string $input, int $offset ) { - return self::is_ident_start_codepoint( $input, $offset ); - } - }; - - $this->assertFalse( $c::test_is_ident( '[', 0 ) ); - $this->assertFalse( $c::test_is_ident( ']', 0 ) ); - $this->assertFalse( $c::test_is_ident_start( '[', 0 ) ); - $this->assertFalse( $c::test_is_ident_start( ']', 0 ) ); + $this->assertFalse( $this->test_class::test_is_ident_codepoint( '[', 0 ) ); + $this->assertFalse( $this->test_class::test_is_ident_codepoint( ']', 0 ) ); + $this->assertFalse( $this->test_class::test_is_ident_start_codepoint( '[', 0 ) ); + $this->assertFalse( $this->test_class::test_is_ident_start_codepoint( ']', 0 ) ); } /** @@ -88,15 +133,9 @@ public static function test_is_ident_start( string $input, int $offset ) { * @dataProvider data_idents */ public function test_parse_ident( string $input, ?string $expected = null, ?string $rest = null ) { - $c = new class() extends WP_CSS_Selector_Parser { - public static function parse( string $input, int &$offset ) {} - public static function test( string $input, &$offset ) { - return self::parse_ident( $input, $offset ); - } - }; $offset = 0; - $result = $c::test( $input, $offset ); + $result = $this->test_class::test_parse_ident( $input, $offset ); if ( null === $expected ) { $this->assertNull( $result ); } else { @@ -111,15 +150,8 @@ public static function test( string $input, &$offset ) { * @dataProvider data_strings */ public function test_parse_string( string $input, ?string $expected = null, ?string $rest = null ) { - $c = new class() extends WP_CSS_Selector_Parser { - public static function parse( string $input, int &$offset ) {} - public static function test( string $input, &$offset ) { - return self::parse_string( $input, $offset ); - } - }; - $offset = 0; - $result = $c::test( $input, $offset ); + $result = $this->test_class::test_parse_string( $input, $offset ); if ( null === $expected ) { $this->assertNull( $result ); } else { @@ -170,7 +202,7 @@ public static function data_strings(): array { */ public function test_parse_id( string $input, ?string $expected = null, ?string $rest = null ) { $offset = 0; - $result = WP_CSS_ID_Selector::parse( $input, $offset ); + $result = $this->test_class::test_parse_id_selector( $input, $offset ); if ( null === $expected ) { $this->assertNull( $result ); } else { @@ -204,7 +236,7 @@ public static function data_id_selectors(): array { */ public function test_parse_class( string $input, ?string $expected = null, ?string $rest = null ) { $offset = 0; - $result = WP_CSS_Class_Selector::parse( $input, $offset ); + $result = $this->test_class::test_parse_class_selector( $input, $offset ); if ( null === $expected ) { $this->assertNull( $result ); } else { @@ -238,7 +270,7 @@ public static function data_class_selectors(): array { */ public function test_parse_type( string $input, ?string $expected = null, ?string $rest = null ) { $offset = 0; - $result = WP_CSS_Type_Selector::parse( $input, $offset ); + $result = $this->test_class::test_parse_type_selector( $input, $offset ); if ( null === $expected ) { $this->assertNull( $result ); } else { @@ -281,7 +313,7 @@ public function test_parse_attribute( ?string $rest = null ) { $offset = 0; - $result = WP_CSS_Attribute_Selector::parse( $input, $offset ); + $result = $this->test_class::test_parse_attribute_selector( $input, $offset ); if ( null === $expected_name ) { $this->assertNull( $result ); } else { @@ -347,7 +379,7 @@ public static function data_attribute_selectors(): array { public function test_parse_selector() { $input = 'el.foo#bar[baz=quux] > .child'; $offset = 0; - $sel = WP_CSS_Selector::parse( $input, $offset ); + $sel = $this->test_class::test_parse_compound_selector( $input, $offset ); $this->assertSame( 'el', $sel->type_selector->ident ); $this->assertSame( 3, count( $sel->subclass_selectors ) ); @@ -365,8 +397,9 @@ public function test_parse_selector() { public function test_parse_empty_selector() { $input = ''; $offset = 0; - $result = WP_CSS_Selector::parse( $input, $offset ); + $result = $this->test_class::test_parse_compound_selector( $input, $offset ); $this->assertNull( $result ); + $this->assertSame( 0, $offset ); } /** @@ -375,7 +408,7 @@ public function test_parse_empty_selector() { public function test_parse_complex_selector() { $input = 'el1 > .child#bar[baz=quux] , rest'; $offset = 0; - $sel = WP_CSS_Complex_Selector::parse( $input, $offset ); + $sel = $this->test_class::test_parse_complex_selector( $input, $offset ); $this->assertSame( 3, count( $sel->selectors ) ); @@ -398,14 +431,14 @@ public function test_parse_complex_selector() { public function test_parse_invalid_complex_selector() { $input = 'el.foo#bar[baz=quux] > , rest'; $offset = 0; - $result = WP_CSS_Complex_Selector::parse( $input, $offset ); + $result = $this->test_class::test_parse_complex_selector( $input, $offset ); $this->assertNull( $result ); } public function test_parse_empty_complex_selector() { $input = ''; $offset = 0; - $result = WP_CSS_Complex_Selector::parse( $input, $offset ); + $result = $this->test_class::test_parse_complex_selector( $input, $offset ); $this->assertNull( $result ); } @@ -415,7 +448,7 @@ public function test_parse_empty_complex_selector() { */ public function test_parse_selector_list() { $input = 'el1 el2 el.foo#bar[baz=quux], rest'; - $result = WP_CSS_Selector_List::from_selectors( $input ); + $result = WP_CSS_Selector::from_selectors( $input ); $this->assertNotNull( $result ); } @@ -424,7 +457,7 @@ public function test_parse_selector_list() { */ public function test_parse_invalid_selector_list() { $input = 'el,,'; - $result = WP_CSS_Selector_List::from_selectors( $input ); + $result = WP_CSS_Selector::from_selectors( $input ); $this->assertNull( $result ); } @@ -433,7 +466,7 @@ public function test_parse_invalid_selector_list() { */ public function test_parse_invalid_selector_list2() { $input = 'el!'; - $result = WP_CSS_Selector_List::from_selectors( $input ); + $result = WP_CSS_Selector::from_selectors( $input ); $this->assertNull( $result ); } @@ -442,7 +475,7 @@ public function test_parse_invalid_selector_list2() { */ public function test_parse_empty_selector_list() { $input = " \t \t\n\r\f"; - $result = WP_CSS_Selector_List::from_selectors( $input ); + $result = WP_CSS_Selector::from_selectors( $input ); $this->assertNull( $result ); } } From 6a6969f435d659f9fc26c208faf4495c18c60278 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 3 Dec 2024 18:22:35 +0100 Subject: [PATCH 070/187] Rename files to align with class name --- .../{class-wp-css-selectors.php => class-wp-css-selector.php} | 0 src/wp-settings.php | 2 +- .../html-api/{wpCssSelectors.php => wpCssSelector-parsing.php} | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) rename src/wp-includes/html-api/{class-wp-css-selectors.php => class-wp-css-selector.php} (100%) rename tests/phpunit/tests/html-api/{wpCssSelectors.php => wpCssSelector-parsing.php} (99%) diff --git a/src/wp-includes/html-api/class-wp-css-selectors.php b/src/wp-includes/html-api/class-wp-css-selector.php similarity index 100% rename from src/wp-includes/html-api/class-wp-css-selectors.php rename to src/wp-includes/html-api/class-wp-css-selector.php diff --git a/src/wp-settings.php b/src/wp-settings.php index 6c799d5c95140..cfdd9234b7003 100644 --- a/src/wp-settings.php +++ b/src/wp-settings.php @@ -265,7 +265,7 @@ require ABSPATH . WPINC . '/html-api/class-wp-html-stack-event.php'; require ABSPATH . WPINC . '/html-api/class-wp-html-processor-state.php'; require ABSPATH . WPINC . '/html-api/class-wp-html-processor.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-selectors.php'; +require ABSPATH . WPINC . '/html-api/class-wp-css-selector.php'; require ABSPATH . WPINC . '/class-wp-http.php'; require ABSPATH . WPINC . '/class-wp-http-streams.php'; require ABSPATH . WPINC . '/class-wp-http-curl.php'; diff --git a/tests/phpunit/tests/html-api/wpCssSelectors.php b/tests/phpunit/tests/html-api/wpCssSelector-parsing.php similarity index 99% rename from tests/phpunit/tests/html-api/wpCssSelectors.php rename to tests/phpunit/tests/html-api/wpCssSelector-parsing.php index 19c1595253d84..4caa186158149 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectors.php +++ b/tests/phpunit/tests/html-api/wpCssSelector-parsing.php @@ -10,7 +10,7 @@ * * @group html-api */ -class Tests_HtmlApi_WpCssSelectors extends WP_UnitTestCase { +class Tests_HtmlApi_WpCssSelector_Parsing extends WP_UnitTestCase { private $test_class; public function set_up(): void { From 27ca891846d35f6d18f0b0031147ece99bd11d9e Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 3 Dec 2024 21:00:08 +0100 Subject: [PATCH 071/187] Add html processor select test suite --- .../tests/html-api/wpHtmlProcessor-select.php | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 tests/phpunit/tests/html-api/wpHtmlProcessor-select.php diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php new file mode 100644 index 0000000000000..e70dedcfcd3c4 --- /dev/null +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -0,0 +1,68 @@ +' ); + $this->assertFalse( $processor->select( 'div' ) ); + } + + /** + * @ticket TBD + * + * @dataProvider data_selectors + */ + public function test_select( string $html, string $selector ) { + $processor = WP_HTML_Processor::create_full_parser( $html ); + $this->assertTrue( $processor->select( $selector ) ); + $this->assertTrue( $processor->get_attribute( 'match' ) ); + } + + /** + * Data provider. + * + * @return array + */ + public static function data_selectors(): array { + return array( + 'simple type' => array( '
', 'div' ), + 'any type' => array( '', '*' ), + 'simple class' => array( '
', '.x' ), + 'simple id' => array( '
', '#x' ), + 'simple attribute' => array( '
', '[att]' ), + 'attribute value' => array( '
', '[att=val]' ), + 'attribute quoted value' => array( '
', '[att="::"]' ), + 'complex any descendant' => array( '
', 'section *' ), + 'complex any child' => array( '
', 'section > *' ), + + 'list' => array( '

', 'a, p' ), + 'compound' => array( '

', 'section[att~="bar"]' ), + ); + } + + /** + * @ticket TBD + */ + public function test_select_all() { + $processor = WP_HTML_Processor::create_full_parser( '

' ); + $count = 0; + foreach ( $processor->select_all( 'div, .x, svg>rect, #y' ) as $_ ) { + ++$count; + $this->assertTrue( $processor->get_attribute( 'match' ) ); + } + $this->assertSame( 4, $count ); + } +} From 9ff276965a60f3a7ccd89facc67cc9d4b267d90e Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 3 Dec 2024 21:00:30 +0100 Subject: [PATCH 072/187] Fix select types --- src/wp-includes/html-api/class-wp-html-processor.php | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php index bee0f63824abd..23ca6edc4ff7e 100644 --- a/src/wp-includes/html-api/class-wp-html-processor.php +++ b/src/wp-includes/html-api/class-wp-html-processor.php @@ -638,13 +638,15 @@ public function get_unsupported_exception() { /** * Use a selector to advance. * + * @todo _doing_it_wrong on null selector? + * * @param string $selectors - * @return Generator|null + * @return Generator */ public function select_all( string $selectors ): ?Generator { $select = WP_CSS_Selector::from_selectors( $selectors ); if ( null === $select ) { - return null; + return; } while ( $this->next_tag() ) { @@ -660,13 +662,10 @@ public function select_all( string $selectors ): ?Generator { * If iterating through matching elements, use `select_all` instead. * * @param string $selectors - * @return bool|null + * @return bool */ public function select( string $selectors ) { $selection = $this->select_all( $selectors ); - if ( null === $selection ) { - return null; - } foreach ( $selection as $_ ) { return true; } From d1a276b848ef8b9b5f954641ed762ad3d591b2cb Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 13:55:57 +0100 Subject: [PATCH 073/187] Update class doc --- src/wp-includes/html-api/class-wp-css-selector.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selector.php b/src/wp-includes/html-api/class-wp-css-selector.php index 7588eb72294bd..c27c81593059d 100644 --- a/src/wp-includes/html-api/class-wp-css-selector.php +++ b/src/wp-includes/html-api/class-wp-css-selector.php @@ -23,8 +23,7 @@ * A subset of the CSS selector grammar is supported. The grammar is defined in the CSS Syntax * specification, which is available at {@link https://www.w3.org/TR/selectors/#grammar}. * - * @todo Review this grammar, especially the complex selector for accurate support information. - * The supported grammar is: + * This class is rougly analogous to the in the grammar. The supported grammar is: * * = * = # @@ -43,6 +42,7 @@ * * @link https://www.w3.org/TR/selectors/#grammar Refer to the grammar for more details. * + * Note that this grammar has been adapted and does not support the full CSS selector grammar. * Supported selector syntax: * - Type selectors (tag names, e.g. `div`) * - Class selectors (e.g. `.class-name`) @@ -61,11 +61,11 @@ * - Next sibling (`el + el`) * - Subsequent sibling (`el ~ el`) * - * Future ideas - * - Namespace type selectors could be implemented with select namespaces in order to - * select elements from a namespace, for example: - * - `svg|*` to select all SVG elements - * - `html|title` to select only HTML TITLE elements. + * Future ideas: + * - Namespace type selectors could be implemented with select namespaces in order to + * select elements from a namespace, for example: + * - `svg|*` to select all SVG elements + * - `html|title` to select only HTML TITLE elements. * * @since TBD * From 4909b569c067ab556e81b0cbcce087d3d1867676 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 16:00:36 +0100 Subject: [PATCH 074/187] Improve select_ method arguments, docs, implementation --- .../html-api/class-wp-html-processor.php | 57 ++++++++++++++----- 1 file changed, 42 insertions(+), 15 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php index 23ca6edc4ff7e..398c5c4fd096c 100644 --- a/src/wp-includes/html-api/class-wp-html-processor.php +++ b/src/wp-includes/html-api/class-wp-html-processor.php @@ -636,37 +636,64 @@ public function get_unsupported_exception() { } /** - * Use a selector to advance. + * Progress through a document pausing on tags matching the provided CSS selector string. + * + * @example + * + * $processor = WP_HTML_Processor::create_fragment( + * 'Example' + * ); + * foreach ( $processor->select_all( 'meta[property^="og:" i]' ) as $_ ) { + * // Loop is entered twice. + * var_dump( + * $processor->get_tag(), // string(4) "META" + * $processor->get_attribute( 'property' ), // string(7) "og:type" / string(14) "og:description" + * $processor->get_attribute( 'content' ), // string(7) "website" / string(11) "An example." + * ); + * } * - * @todo _doing_it_wrong on null selector? + * @since TBD * - * @param string $selectors - * @return Generator + * @param string $selector_string Selector string. + * @return Generator A generator pausing on each tag matching the selector. */ - public function select_all( string $selectors ): ?Generator { - $select = WP_CSS_Selector::from_selectors( $selectors ); - if ( null === $select ) { + public function select_all( string $selector_string ): ?Generator { + $selector = WP_CSS_Selector::from_selectors( $selector_string ); + if ( null === $selector ) { return; } while ( $this->next_tag() ) { - if ( $select->matches( $this ) ) { + if ( $selector->matches( $this ) ) { yield; } } } /** - * Select the next matching element. + * Move to the next tag matching the provided CSS selector string. * - * If iterating through matching elements, use `select_all` instead. + * This method will stop at the next match. To progress through all matches, use + * the `select_all` method. * - * @param string $selectors - * @return bool + * @example + * + * $processor = WP_HTML_Processor::create_fragment( + * 'Example' + * ); + * $processor->select( 'meta[charset]' ); + * var_dump( + * $processor->get_tag(), // string(4) "META" + * $processor->get_attribute( 'charset' ), // string(5) "utf-8" + * ); + * + * @since TBD + * + * @param string $selector_string + * @return bool True if a matching tag was found, otherwise false. */ - public function select( string $selectors ) { - $selection = $this->select_all( $selectors ); - foreach ( $selection as $_ ) { + public function select( string $selector_string ) { + foreach ( $this->select_all( $selector_string ) as $_ ) { return true; } return false; From 1d45225e46b85b2e8e9f8091cf9aefac3c46c2eb Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 18:08:58 +0100 Subject: [PATCH 075/187] Split classes into their own files Satisfy the 1-class-per-file requirement --- .../class-wp-css-attribute-selector.php | 190 +++++++++ .../html-api/class-wp-css-class-selector.php | 14 + .../class-wp-css-complex-selector.php | 88 ++++ .../class-wp-css-compound-selector.php | 39 ++ .../html-api/class-wp-css-id-selector.php | 22 + .../html-api/class-wp-css-selector.php | 389 +----------------- .../html-api/class-wp-css-type-selector.php | 25 ++ ...nterface-wp-css-html-processor-matcher.php | 8 + src/wp-settings.php | 7 + 9 files changed, 396 insertions(+), 386 deletions(-) create mode 100644 src/wp-includes/html-api/class-wp-css-attribute-selector.php create mode 100644 src/wp-includes/html-api/class-wp-css-class-selector.php create mode 100644 src/wp-includes/html-api/class-wp-css-complex-selector.php create mode 100644 src/wp-includes/html-api/class-wp-css-compound-selector.php create mode 100644 src/wp-includes/html-api/class-wp-css-id-selector.php create mode 100644 src/wp-includes/html-api/class-wp-css-type-selector.php create mode 100644 src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php new file mode 100644 index 0000000000000..be7332c85b72d --- /dev/null +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -0,0 +1,190 @@ +get_attribute( $this->name ); + if ( null === $att_value ) { + return false; + } + + if ( null === $this->value ) { + return true; + } + + if ( true === $att_value ) { + $att_value = ''; + } + + $case_insensitive = self::MODIFIER_CASE_INSENSITIVE === $this->modifier; + + switch ( $this->matcher ) { + case self::MATCH_EXACT: + return $case_insensitive + ? 0 === strcasecmp( $att_value, $this->value ) + : $att_value === $this->value; + + case self::MATCH_ONE_OF_EXACT: + foreach ( $this->whitespace_delimited_list( $att_value ) as $val ) { + if ( + $case_insensitive + ? 0 === strcasecmp( $val, $this->value ) + : $val === $this->value + ) { + return true; + } + } + return false; + + case self::MATCH_EXACT_OR_EXACT_WITH_HYPHEN: + // Attempt the full match first + if ( + $case_insensitive + ? 0 === strcasecmp( $att_value, $this->value ) + : $att_value === $this->value + ) { + return true; + } + + // Partial match + if ( strlen( $att_value ) < strlen( $this->value ) + 1 ) { + return false; + } + + $starts_with = "{$this->value}-"; + return 0 === substr_compare( $att_value, $starts_with, 0, strlen( $starts_with ), $case_insensitive ); + + case self::MATCH_PREFIXED_BY: + return 0 === substr_compare( $att_value, $this->value, 0, strlen( $this->value ), $case_insensitive ); + + case self::MATCH_SUFFIXED_BY: + return 0 === substr_compare( $att_value, $this->value, -strlen( $this->value ), null, $case_insensitive ); + + case self::MATCH_CONTAINS: + return false !== ( + $case_insensitive + ? stripos( $att_value, $this->value ) + : strpos( $att_value, $this->value ) + ); + } + + throw new Exception( 'Unreachable' ); + } + + /** + * @param string $input + * + * @return Generator + */ + private function whitespace_delimited_list( string $input ): Generator { + $offset = strspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS ); + + while ( $offset < strlen( $input ) ) { + // Find the byte length until the next boundary. + $length = strcspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS, $offset ); + if ( 0 === $length ) { + return; + } + + $value = substr( $input, $offset, $length ); + $offset += $length + strspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS, $offset + $length ); + + yield $value; + } + } + + /** + * [att=val] + * Represents an element with the att attribute whose value is exactly "val". + */ + const MATCH_EXACT = 'MATCH_EXACT'; + + /** + * [attr~=value] + * Represents elements with an attribute name of attr whose value is a + * whitespace-separated list of words, one of which is exactly value. + */ + const MATCH_ONE_OF_EXACT = 'MATCH_ONE_OF_EXACT'; + + /** + * [attr|=value] + * Represents elements with an attribute name of attr whose value can be exactly value or + * can begin with value immediately followed by a hyphen, - (U+002D). It is often used for + * language subcode matches. + */ + const MATCH_EXACT_OR_EXACT_WITH_HYPHEN = 'MATCH_EXACT_OR_EXACT_WITH_HYPHEN'; + + /** + * [attr^=value] + * Represents elements with an attribute name of attr whose value is prefixed (preceded) + * by value. + */ + const MATCH_PREFIXED_BY = 'MATCH_PREFIXED_BY'; + + /** + * [attr$=value] + * Represents elements with an attribute name of attr whose value is suffixed (followed) + * by value. + */ + const MATCH_SUFFIXED_BY = 'MATCH_SUFFIXED_BY'; + + /** + * [attr*=value] + * Represents elements with an attribute name of attr whose value contains at least one + * occurrence of value within the string. + */ + const MATCH_CONTAINS = 'MATCH_CONTAINS'; + + /** + * Modifier for case sensitive matching + * [attr=value s] + */ + const MODIFIER_CASE_SENSITIVE = 'case-sensitive'; + + /** + * Modifier for case insensitive matching + * [attr=value i] + */ + const MODIFIER_CASE_INSENSITIVE = 'case-insensitive'; + + + /** + * The attribute name. + * + * @var string + */ + public $name; + + /** + * The attribute matcher. + * + * @var null|self::MATCH_* + */ + public $matcher; + + /** + * The attribute value. + * + * @var string|null + */ + public $value; + + /** + * The attribute modifier. + * + * @var null|self::MODIFIER_* + */ + public $modifier; + + /** + * @param string $name + * @param null|self::MATCH_* $matcher + * @param null|string $value + * @param null|self::MODIFIER_* $modifier + */ + public function __construct( string $name, ?string $matcher = null, ?string $value = null, ?string $modifier = null ) { + $this->name = $name; + $this->matcher = $matcher; + $this->value = $value; + $this->modifier = $modifier; + } +} diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/class-wp-css-class-selector.php new file mode 100644 index 0000000000000..c4f858d4a05d9 --- /dev/null +++ b/src/wp-includes/html-api/class-wp-css-class-selector.php @@ -0,0 +1,14 @@ +has_class( $this->ident ); + } + + /** @var string */ + public $ident; + + public function __construct( string $ident ) { + $this->ident = $ident; + } +} diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php new file mode 100644 index 0000000000000..520f3bf3d8fde --- /dev/null +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -0,0 +1,88 @@ + in the grammar. + * + * > = [ ? ] * + */ +final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { + public function matches( WP_HTML_Processor $processor ): bool { + // First selector must match this location. + if ( ! $this->selectors[0]->matches( $processor ) ) { + return false; + } + + if ( count( $this->selectors ) === 1 ) { + return true; + } + + /** @var array $breadcrumbs */ + $breadcrumbs = array_slice( array_reverse( $processor->get_breadcrumbs() ), 1 ); + $selectors = array_slice( $this->selectors, 1 ); + return $this->explore_matches( $selectors, $breadcrumbs ); + } + + /** + * This only looks at breadcrumbs and can therefore only support type selectors. + * + * @param array $selectors + * @param array $breadcrumbs + */ + private function explore_matches( array $selectors, array $breadcrumbs ): bool { + if ( array() === $selectors ) { + return true; + } + if ( array() === $breadcrumbs ) { + return false; + } + + /** @var self::COMBINATOR_* $combinator */ + $combinator = $selectors[0]; + /** @var WP_CSS_Compound_Selector $selector */ + $selector = $selectors[1]; + + switch ( $combinator ) { + case self::COMBINATOR_CHILD: + if ( '*' === $selector->type_selector->ident || strcasecmp( $breadcrumbs[0], $selector->type_selector->ident ) === 0 ) { + return $this->explore_matches( array_slice( $selectors, 2 ), array_slice( $breadcrumbs, 1 ) ); + } + return $this->explore_matches( $selectors, array_slice( $breadcrumbs, 1 ) ); + + case self::COMBINATOR_DESCENDANT: + // Find _all_ the breadcrumbs that match and recurse from each of them. + for ( $i = 0; $i < count( $breadcrumbs ); $i++ ) { + if ( '*' === $selector->type_selector->ident || strcasecmp( $breadcrumbs[ $i ], $selector->type_selector->ident ) === 0 ) { + $next_crumbs = array_slice( $breadcrumbs, $i + 1 ); + if ( $this->explore_matches( array_slice( $selectors, 2 ), $next_crumbs ) ) { + return true; + } + } + } + return false; + + default: + throw new Exception( "Combinator '{$combinator}' is not supported yet." ); + } + } + + const COMBINATOR_CHILD = '>'; + const COMBINATOR_DESCENDANT = ' '; + const COMBINATOR_NEXT_SIBLING = '+'; + const COMBINATOR_SUBSEQUENT_SIBLING = '~'; + + /** + * even indexes are WP_CSS_Compound_Selector, odd indexes are string combinators. + * In reverse order to match the current element and then work up the tree. + * Any non-final selector is a type selector. + * + * @var array + */ + public $selectors = array(); + + /** + * @param array $selectors + */ + public function __construct( array $selectors ) { + $this->selectors = array_reverse( $selectors ); + } +} diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php new file mode 100644 index 0000000000000..1162aaef78c1e --- /dev/null +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -0,0 +1,39 @@ + in the grammar. + * + * > = [ ? * ]! + */ +final class WP_CSS_Compound_Selector implements WP_CSS_HTML_Processor_Matcher { + public function matches( WP_HTML_Processor $processor ): bool { + if ( $this->type_selector ) { + if ( ! $this->type_selector->matches( $processor ) ) { + return false; + } + } + if ( null !== $this->subclass_selectors ) { + foreach ( $this->subclass_selectors as $subclass_selector ) { + if ( ! $subclass_selector->matches( $processor ) ) { + return false; + } + } + } + return true; + } + + /** @var WP_CSS_Type_Selector|null */ + public $type_selector; + + /** @var array|null */ + public $subclass_selectors; + + /** + * @param WP_CSS_Type_Selector|null $type_selector + * @param array $subclass_selectors + */ + public function __construct( ?WP_CSS_Type_Selector $type_selector, array $subclass_selectors ) { + $this->type_selector = $type_selector; + $this->subclass_selectors = array() === $subclass_selectors ? null : $subclass_selectors; + } +} diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php new file mode 100644 index 0000000000000..cc0589327c829 --- /dev/null +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -0,0 +1,22 @@ +ident = $ident; + } + + public function matches( WP_HTML_Processor $processor ): bool { + $id = $processor->get_attribute( 'id' ); + if ( ! is_string( $id ) ) { + return false; + } + + $case_insensitive = method_exists( $processor, 'is_quirks_mode' ) && $processor->is_quirks_mode(); + return $case_insensitive + ? 0 === strcasecmp( $id, $this->ident ) + : $processor->get_attribute( 'id' ) === $this->ident; + } +} diff --git a/src/wp-includes/html-api/class-wp-css-selector.php b/src/wp-includes/html-api/class-wp-css-selector.php index c27c81593059d..b776bad66146b 100644 --- a/src/wp-includes/html-api/class-wp-css-selector.php +++ b/src/wp-includes/html-api/class-wp-css-selector.php @@ -1,10 +1,6 @@ -get_token_type() !== '#tag' ) { return false; @@ -906,382 +902,3 @@ private static function check_if_three_code_points_would_start_an_ident_sequence return self::is_ident_start_codepoint( $input, $offset ); } } - -interface IWP_CSS_Selector_Matcher { - /** - * @return bool - */ - public function matches( WP_HTML_Processor $processor ): bool; -} - -final class WP_CSS_ID_Selector implements IWP_CSS_Selector_Matcher { - /** @var string */ - public $ident; - - public function __construct( string $ident ) { - $this->ident = $ident; - } - - public function matches( WP_HTML_Processor $processor ): bool { - $id = $processor->get_attribute( 'id' ); - if ( ! is_string( $id ) ) { - return false; - } - - $case_insensitive = method_exists( $processor, 'is_quirks_mode' ) && $processor->is_quirks_mode(); - return $case_insensitive - ? 0 === strcasecmp( $id, $this->ident ) - : $processor->get_attribute( 'id' ) === $this->ident; - } -} - -final class WP_CSS_Class_Selector implements IWP_CSS_Selector_Matcher { - public function matches( WP_HTML_Processor $processor ): bool { - return (bool) $processor->has_class( $this->ident ); - } - - /** @var string */ - public $ident; - - public function __construct( string $ident ) { - $this->ident = $ident; - } -} - -final class WP_CSS_Type_Selector implements IWP_CSS_Selector_Matcher { - public function matches( WP_HTML_Processor $processor ): bool { - $tag_name = $processor->get_tag(); - if ( null === $tag_name ) { - return false; - } - if ( '*' === $this->ident ) { - return true; - } - return 0 === strcasecmp( $tag_name, $this->ident ); - } - - /** - * @var string - * - * The type identifier string or '*'. - */ - public $ident; - - public function __construct( string $ident ) { - $this->ident = $ident; - } -} - -final class WP_CSS_Attribute_Selector implements IWP_CSS_Selector_Matcher { - public function matches( WP_HTML_Processor $processor ): bool { - $att_value = $processor->get_attribute( $this->name ); - if ( null === $att_value ) { - return false; - } - - if ( null === $this->value ) { - return true; - } - - if ( true === $att_value ) { - $att_value = ''; - } - - $case_insensitive = self::MODIFIER_CASE_INSENSITIVE === $this->modifier; - - switch ( $this->matcher ) { - case self::MATCH_EXACT: - return $case_insensitive - ? 0 === strcasecmp( $att_value, $this->value ) - : $att_value === $this->value; - - case self::MATCH_ONE_OF_EXACT: - foreach ( $this->whitespace_delimited_list( $att_value ) as $val ) { - if ( - $case_insensitive - ? 0 === strcasecmp( $val, $this->value ) - : $val === $this->value - ) { - return true; - } - } - return false; - - case self::MATCH_EXACT_OR_EXACT_WITH_HYPHEN: - // Attempt the full match first - if ( - $case_insensitive - ? 0 === strcasecmp( $att_value, $this->value ) - : $att_value === $this->value - ) { - return true; - } - - // Partial match - if ( strlen( $att_value ) < strlen( $this->value ) + 1 ) { - return false; - } - - $starts_with = "{$this->value}-"; - return 0 === substr_compare( $att_value, $starts_with, 0, strlen( $starts_with ), $case_insensitive ); - - case self::MATCH_PREFIXED_BY: - return 0 === substr_compare( $att_value, $this->value, 0, strlen( $this->value ), $case_insensitive ); - - case self::MATCH_SUFFIXED_BY: - return 0 === substr_compare( $att_value, $this->value, -strlen( $this->value ), null, $case_insensitive ); - - case self::MATCH_CONTAINS: - return false !== ( - $case_insensitive - ? stripos( $att_value, $this->value ) - : strpos( $att_value, $this->value ) - ); - } - - throw new Exception( 'Unreachable' ); - } - - /** - * @param string $input - * - * @return Generator - */ - private function whitespace_delimited_list( string $input ): Generator { - $offset = strspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS ); - - while ( $offset < strlen( $input ) ) { - // Find the byte length until the next boundary. - $length = strcspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS, $offset ); - if ( 0 === $length ) { - return; - } - - $value = substr( $input, $offset, $length ); - $offset += $length + strspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS, $offset + $length ); - - yield $value; - } - } - - /** - * [att=val] - * Represents an element with the att attribute whose value is exactly "val". - */ - const MATCH_EXACT = 'MATCH_EXACT'; - - /** - * [attr~=value] - * Represents elements with an attribute name of attr whose value is a - * whitespace-separated list of words, one of which is exactly value. - */ - const MATCH_ONE_OF_EXACT = 'MATCH_ONE_OF_EXACT'; - - /** - * [attr|=value] - * Represents elements with an attribute name of attr whose value can be exactly value or - * can begin with value immediately followed by a hyphen, - (U+002D). It is often used for - * language subcode matches. - */ - const MATCH_EXACT_OR_EXACT_WITH_HYPHEN = 'MATCH_EXACT_OR_EXACT_WITH_HYPHEN'; - - /** - * [attr^=value] - * Represents elements with an attribute name of attr whose value is prefixed (preceded) - * by value. - */ - const MATCH_PREFIXED_BY = 'MATCH_PREFIXED_BY'; - - /** - * [attr$=value] - * Represents elements with an attribute name of attr whose value is suffixed (followed) - * by value. - */ - const MATCH_SUFFIXED_BY = 'MATCH_SUFFIXED_BY'; - - /** - * [attr*=value] - * Represents elements with an attribute name of attr whose value contains at least one - * occurrence of value within the string. - */ - const MATCH_CONTAINS = 'MATCH_CONTAINS'; - - /** - * Modifier for case sensitive matching - * [attr=value s] - */ - const MODIFIER_CASE_SENSITIVE = 'case-sensitive'; - - /** - * Modifier for case insensitive matching - * [attr=value i] - */ - const MODIFIER_CASE_INSENSITIVE = 'case-insensitive'; - - - /** - * The attribute name. - * - * @var string - */ - public $name; - - /** - * The attribute matcher. - * - * @var null|self::MATCH_* - */ - public $matcher; - - /** - * The attribute value. - * - * @var string|null - */ - public $value; - - /** - * The attribute modifier. - * - * @var null|self::MODIFIER_* - */ - public $modifier; - - /** - * @param string $name - * @param null|self::MATCH_* $matcher - * @param null|string $value - * @param null|self::MODIFIER_* $modifier - */ - public function __construct( string $name, ?string $matcher = null, ?string $value = null, ?string $modifier = null ) { - $this->name = $name; - $this->matcher = $matcher; - $this->value = $value; - $this->modifier = $modifier; - } -} - -/** - * This corresponds to in the grammar. - * - * > = [ ? * ]! - */ -final class WP_CSS_Compound_Selector implements IWP_CSS_Selector_Matcher { - public function matches( WP_HTML_Processor $processor ): bool { - if ( $this->type_selector ) { - if ( ! $this->type_selector->matches( $processor ) ) { - return false; - } - } - if ( null !== $this->subclass_selectors ) { - foreach ( $this->subclass_selectors as $subclass_selector ) { - if ( ! $subclass_selector->matches( $processor ) ) { - return false; - } - } - } - return true; - } - - /** @var WP_CSS_Type_Selector|null */ - public $type_selector; - - /** @var array|null */ - public $subclass_selectors; - - /** - * @param WP_CSS_Type_Selector|null $type_selector - * @param array $subclass_selectors - */ - public function __construct( ?WP_CSS_Type_Selector $type_selector, array $subclass_selectors ) { - $this->type_selector = $type_selector; - $this->subclass_selectors = array() === $subclass_selectors ? null : $subclass_selectors; - } -} - -/** - * This corresponds to in the grammar. - * - * > = [ ? ] * - */ -final class WP_CSS_Complex_Selector implements IWP_CSS_Selector_Matcher { - public function matches( WP_HTML_Processor $processor ): bool { - // First selector must match this location. - if ( ! $this->selectors[0]->matches( $processor ) ) { - return false; - } - - if ( count( $this->selectors ) === 1 ) { - return true; - } - - /** @var array $breadcrumbs */ - $breadcrumbs = array_slice( array_reverse( $processor->get_breadcrumbs() ), 1 ); - $selectors = array_slice( $this->selectors, 1 ); - return $this->explore_matches( $selectors, $breadcrumbs ); - } - - /** - * This only looks at breadcrumbs and can therefore only support type selectors. - * - * @param array $selectors - * @param array $breadcrumbs - */ - private function explore_matches( array $selectors, array $breadcrumbs ): bool { - if ( array() === $selectors ) { - return true; - } - if ( array() === $breadcrumbs ) { - return false; - } - - /** @var self::COMBINATOR_* $combinator */ - $combinator = $selectors[0]; - /** @var WP_CSS_Compound_Selector $selector */ - $selector = $selectors[1]; - - switch ( $combinator ) { - case self::COMBINATOR_CHILD: - if ( '*' === $selector->type_selector->ident || strcasecmp( $breadcrumbs[0], $selector->type_selector->ident ) === 0 ) { - return $this->explore_matches( array_slice( $selectors, 2 ), array_slice( $breadcrumbs, 1 ) ); - } - return $this->explore_matches( $selectors, array_slice( $breadcrumbs, 1 ) ); - - case self::COMBINATOR_DESCENDANT: - // Find _all_ the breadcrumbs that match and recurse from each of them. - for ( $i = 0; $i < count( $breadcrumbs ); $i++ ) { - if ( '*' === $selector->type_selector->ident || strcasecmp( $breadcrumbs[ $i ], $selector->type_selector->ident ) === 0 ) { - $next_crumbs = array_slice( $breadcrumbs, $i + 1 ); - if ( $this->explore_matches( array_slice( $selectors, 2 ), $next_crumbs ) ) { - return true; - } - } - } - return false; - - default: - throw new Exception( "Combinator '{$combinator}' is not supported yet." ); - } - } - - const COMBINATOR_CHILD = '>'; - const COMBINATOR_DESCENDANT = ' '; - const COMBINATOR_NEXT_SIBLING = '+'; - const COMBINATOR_SUBSEQUENT_SIBLING = '~'; - - /** - * even indexes are WP_CSS_Compound_Selector, odd indexes are string combinators. - * In reverse order to match the current element and then work up the tree. - * Any non-final selector is a type selector. - * - * @var array - */ - public $selectors = array(); - - /** - * @param array $selectors - */ - public function __construct( array $selectors ) { - $this->selectors = array_reverse( $selectors ); - } -} diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/class-wp-css-type-selector.php new file mode 100644 index 0000000000000..a2dcd16521cb5 --- /dev/null +++ b/src/wp-includes/html-api/class-wp-css-type-selector.php @@ -0,0 +1,25 @@ +get_tag(); + if ( null === $tag_name ) { + return false; + } + if ( '*' === $this->ident ) { + return true; + } + return 0 === strcasecmp( $tag_name, $this->ident ); + } + + /** + * @var string + * + * The type identifier string or '*'. + */ + public $ident; + + public function __construct( string $ident ) { + $this->ident = $ident; + } +} diff --git a/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php b/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php new file mode 100644 index 0000000000000..2ae29413b35d2 --- /dev/null +++ b/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php @@ -0,0 +1,8 @@ + Date: Wed, 4 Dec 2024 18:09:17 +0100 Subject: [PATCH 076/187] Remove redundant see phpdoc annotations --- src/wp-includes/html-api/class-wp-css-selector.php | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selector.php b/src/wp-includes/html-api/class-wp-css-selector.php index b776bad66146b..487c100ab47e4 100644 --- a/src/wp-includes/html-api/class-wp-css-selector.php +++ b/src/wp-includes/html-api/class-wp-css-selector.php @@ -67,11 +67,10 @@ * * @access private * - * @see {@link https://www.w3.org/TR/css-syntax-3/} - * @see {@link https://www.w3.org/tr/selectors/} - * @see {@link https://www.w3.org/TR/selectors-api2/} - * @see {@link https://www.w3.org/TR/selectors-4/} - * + * @link https://www.w3.org/TR/css-syntax-3/ + * @link https://www.w3.org/tr/selectors/ + * @link https://www.w3.org/TR/selectors-api2/ + * @link https://www.w3.org/TR/selectors-4/ */ class WP_CSS_Selector implements WP_CSS_HTML_Processor_Matcher { public function matches( WP_HTML_Processor $processor ): bool { From 0c53c422de2f40206b9322f8f0ae3beaf85b5e4b Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 18:28:54 +0100 Subject: [PATCH 077/187] Fix docs and return type on select_all --- src/wp-includes/html-api/class-wp-html-processor.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php index 398c5c4fd096c..9f7a43acaebbd 100644 --- a/src/wp-includes/html-api/class-wp-html-processor.php +++ b/src/wp-includes/html-api/class-wp-html-processor.php @@ -657,7 +657,7 @@ public function get_unsupported_exception() { * @param string $selector_string Selector string. * @return Generator A generator pausing on each tag matching the selector. */ - public function select_all( string $selector_string ): ?Generator { + public function select_all( string $selector_string ): Generator { $selector = WP_CSS_Selector::from_selectors( $selector_string ); if ( null === $selector ) { return; @@ -674,7 +674,7 @@ public function select_all( string $selector_string ): ?Generator { * Move to the next tag matching the provided CSS selector string. * * This method will stop at the next match. To progress through all matches, use - * the `select_all` method. + * the {@see WP_HTML_Processor::select_all()} method. * * @example * From d966e9ad7fdc9270fded62abb9e32923ced79d61 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 18:31:05 +0100 Subject: [PATCH 078/187] Improve html select test docs --- tests/phpunit/tests/html-api/wpHtmlProcessor-select.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index e70dedcfcd3c4..c3a1e4121ecab 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -1,6 +1,9 @@ Date: Wed, 4 Dec 2024 19:40:23 +0100 Subject: [PATCH 079/187] Add select support to tag processor Split up main CSS selector class and support more restricted selectors in the tag processor. --- .../class-wp-css-attribute-selector.php | 12 +- .../html-api/class-wp-css-class-selector.php | 4 +- .../class-wp-css-complex-selector-list.php | 165 ++++++++++++++++++ ...> class-wp-css-compound-selector-list.php} | 126 ++++--------- .../class-wp-css-compound-selector.php | 4 +- .../html-api/class-wp-css-id-selector.php | 7 +- .../html-api/class-wp-css-type-selector.php | 4 +- .../html-api/class-wp-html-processor.php | 11 +- .../html-api/class-wp-html-tag-processor.php | 69 ++++++++ ...face-wp-css-html-tag-processor-matcher.php | 8 + src/wp-settings.php | 4 +- .../html-api/wpCssComplexSelectorList.php | 107 ++++++++++++ ...sing.php => wpCssCompoundSelectorList.php} | 59 +------ .../tests/html-api/wpHtmlProcessor-select.php | 10 ++ .../html-api/wpHtmlTagProcessor-select.php | 92 ++++++++++ 15 files changed, 520 insertions(+), 162 deletions(-) create mode 100644 src/wp-includes/html-api/class-wp-css-complex-selector-list.php rename src/wp-includes/html-api/{class-wp-css-selector.php => class-wp-css-compound-selector-list.php} (87%) create mode 100644 src/wp-includes/html-api/interface-wp-css-html-tag-processor-matcher.php create mode 100644 tests/phpunit/tests/html-api/wpCssComplexSelectorList.php rename tests/phpunit/tests/html-api/{wpCssSelector-parsing.php => wpCssCompoundSelectorList.php} (89%) create mode 100644 tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index be7332c85b72d..76ccdf3804b36 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -1,7 +1,9 @@ get_attribute( $this->name ); if ( null === $att_value ) { return false; @@ -76,17 +78,17 @@ public function matches( WP_HTML_Processor $processor ): bool { * @return Generator */ private function whitespace_delimited_list( string $input ): Generator { - $offset = strspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS ); + $offset = strspn( $input, self::WHITESPACE_CHARACTERS ); while ( $offset < strlen( $input ) ) { // Find the byte length until the next boundary. - $length = strcspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS, $offset ); + $length = strcspn( $input, self::WHITESPACE_CHARACTERS, $offset ); if ( 0 === $length ) { return; } $value = substr( $input, $offset, $length ); - $offset += $length + strspn( $input, WP_CSS_Selector::WHITESPACE_CHARACTERS, $offset + $length ); + $offset += $length + strspn( $input, self::WHITESPACE_CHARACTERS, $offset + $length ); yield $value; } diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/class-wp-css-class-selector.php index c4f858d4a05d9..c3e7ced008a6e 100644 --- a/src/wp-includes/html-api/class-wp-css-class-selector.php +++ b/src/wp-includes/html-api/class-wp-css-class-selector.php @@ -1,7 +1,7 @@ has_class( $this->ident ); } diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php new file mode 100644 index 0000000000000..f3769a035f6e5 --- /dev/null +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -0,0 +1,165 @@ + in the grammar. See {@see WP_CSS_Compound_Selector_List} for more details on the grammar. + * + * This class supports the same selector syntax as {@see WP_CSS_Compound_Selector_List} as well as: + * - The following combinators: + * - Next sibling (`el + el`) + * - Subsequent sibling (`el ~ el`) + * + * @since TBD + * + * @access private + */ +class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Processor_Matcher { + /** + * Takes a CSS selector string and returns an instance of itself or `null` if the selector + * string is invalid or unsupported. + * + * @since TBD + * + * @param string $input CSS selectors. + * @return static|null + */ + public static function from_selectors( string $input ) { + // > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace… + $input = trim( $input, " \t\r\n\r" ); + + if ( '' === $input ) { + return null; + } + + /* + * > The input stream consists of the filtered code points pushed into it as the input byte stream is decoded. + * > + * > To filter code points from a stream of (unfiltered) code points input: + * > Replace any U+000D CARRIAGE RETURN (CR) code points, U+000C FORM FEED (FF) code points, or pairs of U+000D CARRIAGE RETURN (CR) followed by U+000A LINE FEED (LF) in input by a single U+000A LINE FEED (LF) code point. + * > Replace any U+0000 NULL or surrogate code points in input with U+FFFD REPLACEMENT CHARACTER (�). + * + * https://www.w3.org/TR/css-syntax-3/#input-preprocessing + */ + $input = str_replace( array( "\r\n" ), "\n", $input ); + $input = str_replace( array( "\r", "\f" ), "\n", $input ); + $input = str_replace( "\0", "\u{FFFD}", $input ); + + $offset = 0; + + $selector = self::parse_complex_selector( $input, $offset ); + if ( null === $selector ) { + return null; + } + self::parse_whitespace( $input, $offset ); + + $selectors = array( $selector ); + while ( $offset < strlen( $input ) ) { + // Each loop should stop on a `,` selector list delimiter. + if ( ',' !== $input[ $offset ] ) { + return null; + } + ++$offset; + self::parse_whitespace( $input, $offset ); + $selector = self::parse_complex_selector( $input, $offset ); + if ( null === $selector ) { + return null; + } + $selectors[] = $selector; + self::parse_whitespace( $input, $offset ); + } + + return new self( $selectors ); + } + + /* + * ------------------------------ + * Selector parsing functionality + * ------------------------------ + */ + + /** + * Parses a complex selector. + * + * > = [ ? ]* + * + * @return WP_CSS_Complex_Selector|null + */ + final protected static function parse_complex_selector( string $input, int &$offset ): ?WP_CSS_Complex_Selector { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $updated_offset = $offset; + $selector = self::parse_compound_selector( $input, $updated_offset ); + if ( null === $selector ) { + return null; + } + + $selectors = array( $selector ); + $has_preceding_subclass_selector = null !== $selector->subclass_selectors; + + $found_whitespace = self::parse_whitespace( $input, $updated_offset ); + while ( $updated_offset < strlen( $input ) ) { + if ( + WP_CSS_Complex_Selector::COMBINATOR_CHILD === $input[ $updated_offset ] || + WP_CSS_Complex_Selector::COMBINATOR_NEXT_SIBLING === $input[ $updated_offset ] || + WP_CSS_Complex_Selector::COMBINATOR_SUBSEQUENT_SIBLING === $input[ $updated_offset ] + ) { + $combinator = $input[ $updated_offset ]; + ++$updated_offset; + self::parse_whitespace( $input, $updated_offset ); + + // Failure to find a selector here is a parse error + $selector = self::parse_compound_selector( $input, $updated_offset ); + } elseif ( $found_whitespace ) { + /* + * Whitespace is ambiguous, it could be a descendant combinator or + * insignificant whitespace. + */ + $selector = self::parse_compound_selector( $input, $updated_offset ); + if ( null === $selector ) { + break; + } + $combinator = WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT; + } else { + break; + } + + if ( null === $selector ) { + return null; + } + + // `div > .className` is valid, but `.className > div` is not. + if ( $has_preceding_subclass_selector ) { + throw new Exception( 'Unsupported non-final subclass selector.' ); + } + $has_preceding_subclass_selector = null !== $selector->subclass_selectors; + + $selectors[] = $combinator; + $selectors[] = $selector; + + $found_whitespace = self::parse_whitespace( $input, $updated_offset ); + } + $offset = $updated_offset; + return new WP_CSS_Complex_Selector( $selectors ); + } +} diff --git a/src/wp-includes/html-api/class-wp-css-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php similarity index 87% rename from src/wp-includes/html-api/class-wp-css-selector.php rename to src/wp-includes/html-api/class-wp-css-compound-selector-list.php index 487c100ab47e4..2aae51d671f6b 100644 --- a/src/wp-includes/html-api/class-wp-css-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -1,6 +1,6 @@ in the grammar. The supported grammar is: + * This class is analogous to in the grammar. The supported grammar is: * * = * = # @@ -38,6 +40,10 @@ * * @link https://www.w3.org/TR/selectors/#grammar Refer to the grammar for more details. * + * This class of selectors does not support "complex" selectors. That is any selector with a + * combinator such as descendent (`.ancestor .descendant`) or child (`.parent > .child`). + * See {@see WP_CSS_Complex_Selector_List} for support of some combinators. + * * Note that this grammar has been adapted and does not support the full CSS selector grammar. * Supported selector syntax: * - Type selectors (tag names, e.g. `div`) @@ -50,12 +56,10 @@ * - child (`el > .child`) * * Unsupported selector syntax: - * - Pseudo-element selectors (e.g. `::before`) - * - Pseudo-class selectors (e.g. `:hover` or `:nth-child(2)`) - * - Namespace prefixes (e.g. `svg|title` or `[xlink|href]`) - * - The following combinators: - * - Next sibling (`el + el`) - * - Subsequent sibling (`el ~ el`) + * - Pseudo-element selectors (`::before`) + * - Pseudo-class selectors (`:hover` or `:nth-child(2)`) + * - Namespace prefixes (`svg|title` or `[xlink|href]`) + * - No combinators are supported (descendant, child, next sibling, subsequent sibling) * * Future ideas: * - Namespace type selectors could be implemented with select namespaces in order to @@ -72,8 +76,12 @@ * @link https://www.w3.org/TR/selectors-api2/ * @link https://www.w3.org/TR/selectors-4/ */ -class WP_CSS_Selector implements WP_CSS_HTML_Processor_Matcher { - public function matches( WP_HTML_Processor $processor ): bool { +class WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Tag_Processor_Matcher { + /** + * @param WP_HTML_Tag_Processor $processor + * @return bool + */ + public function matches( $processor ): bool { if ( $processor->get_token_type() !== '#tag' ) { return false; } @@ -87,14 +95,16 @@ public function matches( WP_HTML_Processor $processor ): bool { } /** - * @var array + * Array of selectors. + * + * @var array */ private $selectors; /** * Constructor. * - * @param array $selectors + * @param array $selectors Array of selectors. */ protected function __construct( array $selectors ) { $this->selectors = $selectors; @@ -107,10 +117,9 @@ protected function __construct( array $selectors ) { * @since TBD * * @param string $input CSS selectors. - * @return self|null + * @return static|null */ - public static function from_selectors( string $input ): ?self { - // > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace… + public static function from_selectors( string $input ) { $input = trim( $input, " \t\r\n\r" ); if ( '' === $input ) { @@ -132,7 +141,7 @@ public static function from_selectors( string $input ): ?self { $offset = 0; - $selector = self::parse_complex_selector( $input, $offset ); + $selector = self::parse_compound_selector( $input, $offset ); if ( null === $selector ) { return null; } @@ -146,7 +155,7 @@ public static function from_selectors( string $input ): ?self { } ++$offset; self::parse_whitespace( $input, $offset ); - $selector = self::parse_complex_selector( $input, $offset ); + $selector = self::parse_compound_selector( $input, $offset ); if ( null === $selector ) { return null; } @@ -391,73 +400,6 @@ final protected static function parse_compound_selector( string $input, int &$of return null; } - /** - * Parses a complex selector. - * - * > = [ ? ]* - * - * @return WP_CSS_Complex_Selector|null - */ - final protected static function parse_complex_selector( string $input, int &$offset ): ?WP_CSS_Complex_Selector { - if ( $offset >= strlen( $input ) ) { - return null; - } - - $updated_offset = $offset; - $selector = self::parse_compound_selector( $input, $updated_offset ); - if ( null === $selector ) { - return null; - } - - $selectors = array( $selector ); - $has_preceding_subclass_selector = null !== $selector->subclass_selectors; - - $found_whitespace = self::parse_whitespace( $input, $updated_offset ); - while ( $updated_offset < strlen( $input ) ) { - if ( - WP_CSS_Complex_Selector::COMBINATOR_CHILD === $input[ $updated_offset ] || - WP_CSS_Complex_Selector::COMBINATOR_NEXT_SIBLING === $input[ $updated_offset ] || - WP_CSS_Complex_Selector::COMBINATOR_SUBSEQUENT_SIBLING === $input[ $updated_offset ] - ) { - $combinator = $input[ $updated_offset ]; - ++$updated_offset; - self::parse_whitespace( $input, $updated_offset ); - - // Failure to find a selector here is a parse error - $selector = self::parse_compound_selector( $input, $updated_offset ); - } elseif ( $found_whitespace ) { - /* - * Whitespace is ambiguous, it could be a descendant combinator or - * insignificant whitespace. - */ - $selector = self::parse_compound_selector( $input, $updated_offset ); - if ( null === $selector ) { - break; - } - $combinator = WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT; - } else { - break; - } - - if ( null === $selector ) { - return null; - } - - // `div > .className` is valid, but `.className > div` is not. - if ( $has_preceding_subclass_selector ) { - throw new Exception( 'Unsupported non-final subclass selector.' ); - } - $has_preceding_subclass_selector = null !== $selector->subclass_selectors; - - $selectors[] = $combinator; - $selectors[] = $selector; - - $found_whitespace = self::parse_whitespace( $input, $updated_offset ); - } - $offset = $updated_offset; - return new WP_CSS_Complex_Selector( $selectors ); - } - /** * Parses a subclass selector. * @@ -496,7 +438,7 @@ private static function parse_subclass_selector( string $input, int &$offset ) { const UTF8_MAX_CODEPOINT_VALUE = 0x10FFFF; const WHITESPACE_CHARACTERS = " \t\r\n\f"; - public static function parse_whitespace( string $input, int &$offset ): bool { + final public static function parse_whitespace( string $input, int &$offset ): bool { $length = strspn( $input, self::WHITESPACE_CHARACTERS, $offset ); $advanced = $length > 0; $offset += $length; @@ -692,9 +634,9 @@ final protected static function parse_string( string $input, int &$offset ): ?st * * @param string $input * @param int $offset - * @return string|null + * @return string */ - final protected static function consume_escaped_codepoint( $input, &$offset ): ?string { + final protected static function consume_escaped_codepoint( $input, &$offset ): string { $hex_length = strspn( $input, '0123456789abcdefABCDEF', $offset, 6 ); if ( $hex_length > 0 ) { /** @@ -771,7 +713,7 @@ final protected static function consume_escaped_codepoint( $input, &$offset ): ? * @param int $offset The byte offset in the string. * @return bool True if the next two codepoints are a valid escape, otherwise false. */ - private static function next_two_are_valid_escape( string $input, int $offset ): bool { + final protected static function next_two_are_valid_escape( string $input, int $offset ): bool { if ( $offset + 1 >= strlen( $input ) ) { return false; } @@ -858,7 +800,7 @@ final protected static function is_ident_codepoint( string $input, int $offset ) * @param int $offset The byte offset in the string. * @return bool True if the next three codepoints would start an ident sequence, otherwise false. */ - private static function check_if_three_code_points_would_start_an_ident_sequence( string $input, int $offset ): bool { + final protected static function check_if_three_code_points_would_start_an_ident_sequence( string $input, int $offset ): bool { if ( $offset >= strlen( $input ) ) { return false; } diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 1162aaef78c1e..e64695abe9ab3 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -5,8 +5,8 @@ * * > = [ ? * ]! */ -final class WP_CSS_Compound_Selector implements WP_CSS_HTML_Processor_Matcher { - public function matches( WP_HTML_Processor $processor ): bool { +final class WP_CSS_Compound_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { + public function matches( WP_HTML_Tag_Processor $processor ): bool { if ( $this->type_selector ) { if ( ! $this->type_selector->matches( $processor ) ) { return false; diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index cc0589327c829..83339ff839317 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -1,6 +1,6 @@ ident = $ident; } - public function matches( WP_HTML_Processor $processor ): bool { + public function matches( WP_HTML_Tag_Processor $processor ): bool { $id = $processor->get_attribute( 'id' ); if ( ! is_string( $id ) ) { return false; } - $case_insensitive = method_exists( $processor, 'is_quirks_mode' ) && $processor->is_quirks_mode(); + $case_insensitive = $processor->is_quirks_mode(); + return $case_insensitive ? 0 === strcasecmp( $id, $this->ident ) : $processor->get_attribute( 'id' ) === $this->ident; diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/class-wp-css-type-selector.php index a2dcd16521cb5..c65adce14047d 100644 --- a/src/wp-includes/html-api/class-wp-css-type-selector.php +++ b/src/wp-includes/html-api/class-wp-css-type-selector.php @@ -1,7 +1,7 @@ get_tag(); if ( null === $tag_name ) { return false; diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php index 9f7a43acaebbd..bbca730279876 100644 --- a/src/wp-includes/html-api/class-wp-html-processor.php +++ b/src/wp-includes/html-api/class-wp-html-processor.php @@ -657,9 +657,14 @@ public function get_unsupported_exception() { * @param string $selector_string Selector string. * @return Generator A generator pausing on each tag matching the selector. */ - public function select_all( string $selector_string ): Generator { - $selector = WP_CSS_Selector::from_selectors( $selector_string ); + public function select_all( $selector_string ): Generator { + $selector = WP_CSS_Complex_Selector_List::from_selectors( $selector_string ); if ( null === $selector ) { + _doing_it_wrong( + __METHOD__, + sprintf( 'Received unsupported or invalid selector "%s".', $selector_string ), + '6.8' + ); return; } @@ -692,7 +697,7 @@ public function select_all( string $selector_string ): Generator { * @param string $selector_string * @return bool True if a matching tag was found, otherwise false. */ - public function select( string $selector_string ) { + public function select( string $selector_string ): bool { foreach ( $this->select_all( $selector_string ) as $_ ) { return true; } diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php index 7dadbc1bebdb2..a7633291b6bb2 100644 --- a/src/wp-includes/html-api/class-wp-html-tag-processor.php +++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php @@ -860,6 +860,75 @@ public function change_parsing_namespace( string $new_namespace ): bool { return true; } + /** + * Progress through a document pausing on tags matching the provided CSS selector string. + * + * @example + * + * $processor = new WP_HTML_Tag_Processor( + * 'Example' + * ); + * foreach ( $processor->select_all( 'meta[property^="og:" i]' ) as $_ ) { + * // Loop is entered twice. + * var_dump( + * $processor->get_tag(), // string(4) "META" + * $processor->get_attribute( 'property' ), // string(7) "og:type" / string(14) "og:description" + * $processor->get_attribute( 'content' ), // string(7) "website" / string(11) "An example." + * ); + * } + * + * @since TBD + * + * @param string $selector_string Selector string. + * @return Generator A generator pausing on each tag matching the selector. + */ + public function select_all( $selector_string ): Generator { + $selector = WP_CSS_Compound_Selector_List::from_selectors( $selector_string ); + if ( null === $selector ) { + _doing_it_wrong( + __METHOD__, + sprintf( 'Received unsupported or invalid selector "%s".', $selector_string ), + '6.8' + ); + return; + } + + while ( $this->next_tag() ) { + if ( $selector->matches( $this ) ) { + yield; + } + } + } + + /** + * Move to the next tag matching the provided CSS selector string. + * + * This method will stop at the next match. To progress through all matches, use + * the {@see WP_HTML_Tag_Processor::select_all()} method. + * + * @example + * + * $processor = new WP_HTML_Tag_Processor( + * 'Example' + * ); + * $processor->select( 'meta[charset]' ); + * var_dump( + * $processor->get_tag(), // string(4) "META" + * $processor->get_attribute( 'charset' ), // string(5) "utf-8" + * ); + * + * @since TBD + * + * @param string $selector_string + * @return bool True if a matching tag was found, otherwise false. + */ + public function select( string $selector_string ): bool { + foreach ( $this->select_all( $selector_string ) as $_ ) { + return true; + } + return false; + } + /** * Finds the next tag matching the $query. * diff --git a/src/wp-includes/html-api/interface-wp-css-html-tag-processor-matcher.php b/src/wp-includes/html-api/interface-wp-css-html-tag-processor-matcher.php new file mode 100644 index 0000000000000..73d108150bb95 --- /dev/null +++ b/src/wp-includes/html-api/interface-wp-css-html-tag-processor-matcher.php @@ -0,0 +1,8 @@ +test_class = new class() extends WP_CSS_Complex_Selector_List { + public function __construct() { + parent::__construct( array() ); + } + + public static function test_parse_complex_selector( string $input, int &$offset ) { + return self::parse_complex_selector( $input, $offset ); + } + }; + } + + /** + * @ticket TBD + */ + public function test_parse_complex_selector() { + $input = 'el1 > .child#bar[baz=quux] , rest'; + $offset = 0; + $sel = $this->test_class::test_parse_complex_selector( $input, $offset ); + + $this->assertSame( 3, count( $sel->selectors ) ); + + $this->assertSame( 'el1', $sel->selectors[2]->type_selector->ident ); + $this->assertNull( $sel->selectors[2]->subclass_selectors ); + + $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->selectors[1] ); + + $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); + $this->assertNull( $sel->selectors[0]->type_selector ); + $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); + $this->assertSame( 'child', $sel->selectors[0]->subclass_selectors[0]->ident ); + + $this->assertSame( ', rest', substr( $input, $offset ) ); + } + + /** + * @ticket TBD + */ + public function test_parse_invalid_complex_selector() { + $input = 'el.foo#bar[baz=quux] > , rest'; + $offset = 0; + $result = $this->test_class::test_parse_complex_selector( $input, $offset ); + $this->assertNull( $result ); + } + + /** + * @ticket TBD + */ + public function test_parse_empty_complex_selector() { + $input = ''; + $offset = 0; + $result = $this->test_class::test_parse_complex_selector( $input, $offset ); + $this->assertNull( $result ); + } + + /** + * @ticket TBD + */ + public function test_parse_complex_selector_list() { + $input = 'el1 el2 el.foo#bar[baz=quux], second > selector'; + $result = WP_CSS_Complex_Selector_List::from_selectors( $input ); + $this->assertNotNull( $result ); + } + + /** + * @ticket TBD + */ + public function test_parse_invalid_selector_list() { + $input = 'el,,'; + $result = WP_CSS_Complex_Selector_List::from_selectors( $input ); + $this->assertNull( $result ); + } + + /** + * @ticket TBD + */ + public function test_parse_invalid_selector_list2() { + $input = 'el!'; + $result = WP_CSS_Complex_Selector_List::from_selectors( $input ); + $this->assertNull( $result ); + } + + /** + * @ticket TBD + */ + public function test_parse_empty_selector_list() { + $input = " \t \t\n\r\f"; + $result = WP_CSS_Complex_Selector_List::from_selectors( $input ); + $this->assertNull( $result ); + } +} diff --git a/tests/phpunit/tests/html-api/wpCssSelector-parsing.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php similarity index 89% rename from tests/phpunit/tests/html-api/wpCssSelector-parsing.php rename to tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index 4caa186158149..d94b61d49c14e 100644 --- a/tests/phpunit/tests/html-api/wpCssSelector-parsing.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -10,12 +10,12 @@ * * @group html-api */ -class Tests_HtmlApi_WpCssSelector_Parsing extends WP_UnitTestCase { +class Tests_HtmlApi_WpCssCompoundSelectorList extends WP_UnitTestCase { private $test_class; public function set_up(): void { parent::set_up(); - $this->test_class = new class() extends WP_CSS_Selector { + $this->test_class = new class() extends WP_CSS_Compound_Selector_List { public function __construct() { parent::__construct( array() ); } @@ -51,10 +51,6 @@ public static function test_parse_compound_selector( string $input, int &$offset return self::parse_compound_selector( $input, $offset ); } - public static function test_parse_complex_selector( string $input, int &$offset ) { - return self::parse_complex_selector( $input, $offset ); - } - /* * Utilities */ @@ -402,53 +398,12 @@ public function test_parse_empty_selector() { $this->assertSame( 0, $offset ); } - /** - * @ticket TBD - */ - public function test_parse_complex_selector() { - $input = 'el1 > .child#bar[baz=quux] , rest'; - $offset = 0; - $sel = $this->test_class::test_parse_complex_selector( $input, $offset ); - - $this->assertSame( 3, count( $sel->selectors ) ); - - $this->assertSame( 'el1', $sel->selectors[2]->type_selector->ident ); - $this->assertNull( $sel->selectors[2]->subclass_selectors ); - - $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->selectors[1] ); - - $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); - $this->assertNull( $sel->selectors[0]->type_selector ); - $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); - $this->assertSame( 'child', $sel->selectors[0]->subclass_selectors[0]->ident ); - - $this->assertSame( ', rest', substr( $input, $offset ) ); - } - - /** - * @ticket TBD - */ - public function test_parse_invalid_complex_selector() { - $input = 'el.foo#bar[baz=quux] > , rest'; - $offset = 0; - $result = $this->test_class::test_parse_complex_selector( $input, $offset ); - $this->assertNull( $result ); - } - - public function test_parse_empty_complex_selector() { - $input = ''; - $offset = 0; - $result = $this->test_class::test_parse_complex_selector( $input, $offset ); - $this->assertNull( $result ); - } - - /** * @ticket TBD */ public function test_parse_selector_list() { - $input = 'el1 el2 el.foo#bar[baz=quux], rest'; - $result = WP_CSS_Selector::from_selectors( $input ); + $input = 'el1, el2, el.foo#bar[baz=quux]'; + $result = WP_CSS_Compound_Selector_List::from_selectors( $input ); $this->assertNotNull( $result ); } @@ -457,7 +412,7 @@ public function test_parse_selector_list() { */ public function test_parse_invalid_selector_list() { $input = 'el,,'; - $result = WP_CSS_Selector::from_selectors( $input ); + $result = WP_CSS_Compound_Selector_List::from_selectors( $input ); $this->assertNull( $result ); } @@ -466,7 +421,7 @@ public function test_parse_invalid_selector_list() { */ public function test_parse_invalid_selector_list2() { $input = 'el!'; - $result = WP_CSS_Selector::from_selectors( $input ); + $result = WP_CSS_Compound_Selector_List::from_selectors( $input ); $this->assertNull( $result ); } @@ -475,7 +430,7 @@ public function test_parse_invalid_selector_list2() { */ public function test_parse_empty_selector_list() { $input = " \t \t\n\r\f"; - $result = WP_CSS_Selector::from_selectors( $input ); + $result = WP_CSS_Compound_Selector_List::from_selectors( $input ); $this->assertNull( $result ); } } diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index c3a1e4121ecab..733a7135f1b17 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -66,4 +66,14 @@ public function test_select_all() { } $this->assertSame( 4, $count ); } + + /** + * @ticket TBD + * + * @expectedIncorrectUsage WP_HTML_Processor::select_all + */ + public function test_invalid_selector() { + $processor = WP_HTML_Processor::create_fragment( 'irrelevant' ); + $this->assertFalse( $processor->select( '[invalid!selector]' ) ); + } } diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php new file mode 100644 index 0000000000000..c42c69ff0a095 --- /dev/null +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -0,0 +1,92 @@ +' ); + $this->assertFalse( $processor->select( 'div' ) ); + } + + /** + * @ticket TBD + * + * @dataProvider data_selectors + */ + public function test_select( string $html, string $selector ) { + $processor = new WP_HTML_Tag_Processor( $html ); + $this->assertTrue( $processor->select( $selector ) ); + $this->assertTrue( $processor->get_attribute( 'match' ) ); + } + + /** + * Data provider. + * + * @return array + */ + public static function data_selectors(): array { + return array( + 'simple type' => array( '

', 'div' ), + 'any type' => array( '', '*' ), + 'simple class' => array( '
', '.x' ), + 'simple id' => array( '
', '#x' ), + 'simple attribute' => array( '
', '[att]' ), + 'attribute value' => array( '
', '[att=val]' ), + 'attribute quoted value' => array( '
', '[att="::"]' ), + + 'list' => array( '

', 'a, p' ), + 'compound' => array( '

', 'section[att~="bar"]' ), + ); + } + + /** + * @ticket TBD + */ + public function test_select_all() { + $processor = new WP_HTML_Tag_Processor( '

' ); + $count = 0; + foreach ( $processor->select_all( 'div, .x, rect, #y' ) as $_ ) { + ++$count; + $this->assertTrue( $processor->get_attribute( 'match' ) ); + } + $this->assertSame( 4, $count ); + } + + /** + * @ticket TBD + * + * @expectedIncorrectUsage WP_HTML_Tag_Processor::select_all + * + * @dataProvider data_invalid_selectors + */ + public function test_invalid_selector( string $selector ) { + $processor = new WP_HTML_Tag_Processor( 'irrelevant' ); + $this->assertFalse( $processor->select( $selector ) ); + } + + /** + * Data provider. + * + * @return array + */ + public static function data_invalid_selectors(): array { + return array( + 'complex descendant' => array( 'div *' ), + 'complex child' => array( 'div > *' ), + 'invalid selector' => array( '[invalid!selector]' ), + ); + } +} From 2036a83f77a419fd1f3df89c7c7a316d4a42d5bb Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 21:36:19 +0100 Subject: [PATCH 080/187] Simplify whitspace splitting function --- .../html-api/class-wp-css-attribute-selector.php | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index 76ccdf3804b36..1a7a9ffb37716 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -78,16 +78,15 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { * @return Generator */ private function whitespace_delimited_list( string $input ): Generator { + // Start by skipping whitespace. $offset = strspn( $input, self::WHITESPACE_CHARACTERS ); while ( $offset < strlen( $input ) ) { // Find the byte length until the next boundary. $length = strcspn( $input, self::WHITESPACE_CHARACTERS, $offset ); - if ( 0 === $length ) { - return; - } + $value = substr( $input, $offset, $length ); - $value = substr( $input, $offset, $length ); + // Move past trailing whitespace. $offset += $length + strspn( $input, self::WHITESPACE_CHARACTERS, $offset + $length ); yield $value; From 3421a4e0d634686fd820db906eb6077503985fe8 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 21:41:15 +0100 Subject: [PATCH 081/187] Remove unreachable code --- src/wp-includes/html-api/class-wp-css-attribute-selector.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index 1a7a9ffb37716..17787dd70815b 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -68,8 +68,6 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { : strpos( $att_value, $this->value ) ); } - - throw new Exception( 'Unreachable' ); } /** From 784b2d913cbf469a3847b93a46c9c202f19091b7 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 21:41:25 +0100 Subject: [PATCH 082/187] Add a lot of selector integration tests --- .../html-api/wpHtmlTagProcessor-select.php | 44 +++++++++++++++---- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index c42c69ff0a095..66f32f905c04f 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -39,16 +39,42 @@ public function test_select( string $html, string $selector ) { */ public static function data_selectors(): array { return array( - 'simple type' => array( '

', 'div' ), - 'any type' => array( '', '*' ), - 'simple class' => array( '
', '.x' ), - 'simple id' => array( '
', '#x' ), - 'simple attribute' => array( '
', '[att]' ), - 'attribute value' => array( '
', '[att=val]' ), - 'attribute quoted value' => array( '
', '[att="::"]' ), + 'simple type' => array( '

', 'div' ), + 'any type' => array( '
', '*' ), + 'simple class' => array( '
', '.x' ), + 'simple id' => array( '
', '#x' ), + 'boolean attribute' => array( '
', '[att]' ), + 'boolean attribute with string match' => array( '
', '[att=""]' ), - 'list' => array( '

', 'a, p' ), - 'compound' => array( '

', 'section[att~="bar"]' ), + 'attribute value' => array( '
', '[att=val]' ), + 'attribute quoted value' => array( '
', '[att="::"]' ), + 'attribute case insensitive' => array( '
', '[att="VAL"i]' ), + 'attribute case sensitive mod' => array( '
', '[att="val"s]' ), + + 'attribute one of' => array( '
', '[att~="b"]' ), + 'attribute one of insensitive' => array( '
', '[att~="b"i]' ), + 'attribute one of mod sensitive' => array( '
', '[att~="b"s]' ), + 'attribute one of whitespace cases' => array( "
", '[att~="b"]' ), + + 'attribute with-hyphen (no hyphen)' => array( '

', '[att|="special"]' ), + 'attribute with-hyphen (hyphen prefix)' => array( '

', '[att|="special"]' ), + 'attribute with-hyphen insensitive' => array( '

', '[att|="special"i]' ), + 'attribute with-hyphen sensitive mod' => array( '

', '[att|="special"s]' ), + + 'attribute prefixed' => array( '

', '[att^="p"]' ), + 'attribute prefixed insensitive' => array( '

', '[att^="p"i]' ), + 'attribute prefixed sensitive mod' => array( '

', '[att^="p"s]' ), + + 'attribute suffixed' => array( '

', '[att$="x"]' ), + 'attribute suffixed insensitive' => array( '

', '[att$="x"i]' ), + 'attribute suffixed sensitive mod' => array( '

', '[att$="x"s]' ), + + 'attribute contains' => array( '

', '[att*="x"]' ), + 'attribute contains insensitive' => array( '

', '[att*="x"i]' ), + 'attribute contains sensitive mod' => array( '

', '[att*="x"s]' ), + + 'list' => array( '

', 'a, p' ), + 'compound' => array( '

', 'section[att="bar"]' ), ); } From 4d4c5fe2db713a4a85a8c4073e3e39f44731d140 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 21:48:39 +0100 Subject: [PATCH 083/187] Extract normalize input method --- .../class-wp-css-complex-selector-list.php | 16 +------ .../class-wp-css-compound-selector-list.php | 43 +++++++++++++------ 2 files changed, 30 insertions(+), 29 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index f3769a035f6e5..59b08532868a8 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -43,26 +43,12 @@ class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List impleme * @return static|null */ public static function from_selectors( string $input ) { - // > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace… - $input = trim( $input, " \t\r\n\r" ); + $input = self::normalize_selector_input( $input ); if ( '' === $input ) { return null; } - /* - * > The input stream consists of the filtered code points pushed into it as the input byte stream is decoded. - * > - * > To filter code points from a stream of (unfiltered) code points input: - * > Replace any U+000D CARRIAGE RETURN (CR) code points, U+000C FORM FEED (FF) code points, or pairs of U+000D CARRIAGE RETURN (CR) followed by U+000A LINE FEED (LF) in input by a single U+000A LINE FEED (LF) code point. - * > Replace any U+0000 NULL or surrogate code points in input with U+FFFD REPLACEMENT CHARACTER (�). - * - * https://www.w3.org/TR/css-syntax-3/#input-preprocessing - */ - $input = str_replace( array( "\r\n" ), "\n", $input ); - $input = str_replace( array( "\r", "\f" ), "\n", $input ); - $input = str_replace( "\0", "\u{FFFD}", $input ); - $offset = 0; $selector = self::parse_complex_selector( $input, $offset ); diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index 2aae51d671f6b..a41b0ac9cd530 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -120,25 +120,12 @@ protected function __construct( array $selectors ) { * @return static|null */ public static function from_selectors( string $input ) { - $input = trim( $input, " \t\r\n\r" ); + $input = self::normalize_selector_input( $input ); if ( '' === $input ) { return null; } - /* - * > The input stream consists of the filtered code points pushed into it as the input byte stream is decoded. - * > - * > To filter code points from a stream of (unfiltered) code points input: - * > Replace any U+000D CARRIAGE RETURN (CR) code points, U+000C FORM FEED (FF) code points, or pairs of U+000D CARRIAGE RETURN (CR) followed by U+000A LINE FEED (LF) in input by a single U+000A LINE FEED (LF) code point. - * > Replace any U+0000 NULL or surrogate code points in input with U+FFFD REPLACEMENT CHARACTER (�). - * - * https://www.w3.org/TR/css-syntax-3/#input-preprocessing - */ - $input = str_replace( array( "\r\n" ), "\n", $input ); - $input = str_replace( array( "\r", "\f" ), "\n", $input ); - $input = str_replace( "\0", "\u{FFFD}", $input ); - $offset = 0; $selector = self::parse_compound_selector( $input, $offset ); @@ -842,4 +829,32 @@ final protected static function check_if_three_code_points_would_start_an_ident_ // > Return false. return self::is_ident_start_codepoint( $input, $offset ); } + + /** + * @todo doc… + */ + final protected static function normalize_selector_input( string $input ): string { + /* + * > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace… + * + * This list includes \f. + * A later step would normalize it to a known whitespace character, but it can be trimmed here as well. + */ + $input = trim( $input, " \t\r\n\r\f" ); + + /* + * > The input stream consists of the filtered code points pushed into it as the input byte stream is decoded. + * > + * > To filter code points from a stream of (unfiltered) code points input: + * > Replace any U+000D CARRIAGE RETURN (CR) code points, U+000C FORM FEED (FF) code points, or pairs of U+000D CARRIAGE RETURN (CR) followed by U+000A LINE FEED (LF) in input by a single U+000A LINE FEED (LF) code point. + * > Replace any U+0000 NULL or surrogate code points in input with U+FFFD REPLACEMENT CHARACTER (�). + * + * https://www.w3.org/TR/css-syntax-3/#input-preprocessing + */ + $input = str_replace( array( "\r\n" ), "\n", $input ); + $input = str_replace( array( "\r", "\f" ), "\n", $input ); + $input = str_replace( "\0", "\u{FFFD}", $input ); + + return $input; + } } From dbc37fc2d819057c9678364021d1d14ee8f91292 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 21:52:54 +0100 Subject: [PATCH 084/187] tests --- tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index d94b61d49c14e..2a20e317338bd 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -366,6 +366,7 @@ public static function data_attribute_selectors(): array { 'Invalid: [att s]' => array( '[att s]' ), "Invalid: [att='val\\n']" => array( "[att='val\n']" ), 'Invalid: [att=val i ' => array( '[att=val i ' ), + 'Invalid: [att="val"ix' => array( '[att="val"ix' ), ); } From d241f31643a14f70ed3469121d6f45ce0db143d0 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 4 Dec 2024 21:57:08 +0100 Subject: [PATCH 085/187] Add nonfinal subclass selector test --- .../html-api/class-wp-css-complex-selector-list.php | 8 ++++++-- .../tests/html-api/wpCssComplexSelectorList.php | 10 ++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index 59b08532868a8..0413b8dea426a 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -134,9 +134,13 @@ final protected static function parse_complex_selector( string $input, int &$off return null; } - // `div > .className` is valid, but `.className > div` is not. + /* + * Subclass selectors in non-final position is not supported: + * - `div > .className` is valid + * - `.className > div` is not + */ if ( $has_preceding_subclass_selector ) { - throw new Exception( 'Unsupported non-final subclass selector.' ); + return null; } $has_preceding_subclass_selector = null !== $selector->subclass_selectors; diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php index 5b485a5029db5..5cceddbdddd30 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php @@ -59,6 +59,16 @@ public function test_parse_invalid_complex_selector() { $this->assertNull( $result ); } + /** + * @ticket TBD + */ + public function test_parse_invalid_complex_selector_nonfinal_subclass() { + $input = 'el.foo#bar[baz=quux] > final, rest'; + $offset = 0; + $result = $this->test_class::test_parse_complex_selector( $input, $offset ); + $this->assertNull( $result ); + } + /** * @ticket TBD */ From 663070b34b7b9b04413a6d8b7cf0f20645d7eadb Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 5 Dec 2024 12:38:54 +0100 Subject: [PATCH 086/187] Fix logic bug in child selector exploration --- src/wp-includes/html-api/class-wp-css-complex-selector.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 520f3bf3d8fde..ed4d2e7a6e662 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -46,7 +46,7 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { if ( '*' === $selector->type_selector->ident || strcasecmp( $breadcrumbs[0], $selector->type_selector->ident ) === 0 ) { return $this->explore_matches( array_slice( $selectors, 2 ), array_slice( $breadcrumbs, 1 ) ); } - return $this->explore_matches( $selectors, array_slice( $breadcrumbs, 1 ) ); + return false; case self::COMBINATOR_DESCENDANT: // Find _all_ the breadcrumbs that match and recurse from each of them. From 5478af99a8ecbbff54503f3230f247bc06f56fdf Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 5 Dec 2024 12:54:58 +0100 Subject: [PATCH 087/187] Improve selector integration tests --- .../tests/html-api/wpHtmlProcessor-select.php | 62 +++++++------- .../html-api/wpHtmlTagProcessor-select.php | 83 +++++++++---------- 2 files changed, 72 insertions(+), 73 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index 733a7135f1b17..8515be63d83f8 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -26,54 +26,60 @@ public function test_select_miss() { * * @dataProvider data_selectors */ - public function test_select( string $html, string $selector ) { + public function test_select_all( string $html, string $selector, int $match_count ) { $processor = WP_HTML_Processor::create_full_parser( $html ); - $this->assertTrue( $processor->select( $selector ) ); - $this->assertTrue( $processor->get_attribute( 'match' ) ); + $count = 0; + foreach ( $processor->select_all( $selector ) as $_ ) { + $breadcrumb_string = implode( ', ', $processor->get_breadcrumbs() ); + $this->assertTrue( + $processor->get_attribute( 'match' ), + "Matched unexpected tag {$processor->get_tag()} @ {$breadcrumb_string}" + ); + ++$count; + } + $this->assertSame( $match_count, $count, 'Did not match expected number of tags.' ); } /** * Data provider. * + * Most selectors are covered by the tag processor selector tests. + * This suite should focus on complex selectors. + * * @return array */ public static function data_selectors(): array { return array( - 'simple type' => array( '
', 'div' ), - 'any type' => array( '', '*' ), - 'simple class' => array( '
', '.x' ), - 'simple id' => array( '
', '#x' ), - 'simple attribute' => array( '
', '[att]' ), - 'attribute value' => array( '
', '[att=val]' ), - 'attribute quoted value' => array( '
', '[att="::"]' ), - 'complex any descendant' => array( '
', 'section *' ), - 'complex any child' => array( '
', 'section > *' ), - - 'list' => array( '

', 'a, p' ), - 'compound' => array( '

', 'section[att~="bar"]' ), + 'any descendant' => array( '

', 'section *', 4 ), + 'any child 1' => array( '

', 'section > *', 2 ), + 'any child 2' => array( '

', 'div > *', 1 ), ); } /** * @ticket TBD + * + * @expectedIncorrectUsage WP_HTML_Processor::select_all + * + * @dataProvider data_invalid_selectors */ - public function test_select_all() { - $processor = WP_HTML_Processor::create_full_parser( '

' ); - $count = 0; - foreach ( $processor->select_all( 'div, .x, svg>rect, #y' ) as $_ ) { - ++$count; - $this->assertTrue( $processor->get_attribute( 'match' ) ); - } - $this->assertSame( 4, $count ); + public function test_invalid_selector( string $selector ) { + $processor = WP_HTML_Processor::create_fragment( 'irrelevant' ); + $this->assertFalse( $processor->select( $selector ) ); } /** - * @ticket TBD + * Data provider. * - * @expectedIncorrectUsage WP_HTML_Processor::select_all + * @return array */ - public function test_invalid_selector() { - $processor = WP_HTML_Processor::create_fragment( 'irrelevant' ); - $this->assertFalse( $processor->select( '[invalid!selector]' ) ); + public static function data_invalid_selectors(): array { + return array( + 'invalid selector' => array( '[invalid!selector]' ), + + // The class selectors below are not allowed in non-final position. + 'unsupported child selector' => array( '.parent > .child' ), + 'unsupported descendant selector' => array( '.ancestor .descendant' ), + ); } } diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index 66f32f905c04f..6bc6ba1e6edbc 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -26,10 +26,17 @@ public function test_select_miss() { * * @dataProvider data_selectors */ - public function test_select( string $html, string $selector ) { + public function test_select( string $html, string $selector, int $match_count ) { $processor = new WP_HTML_Tag_Processor( $html ); - $this->assertTrue( $processor->select( $selector ) ); - $this->assertTrue( $processor->get_attribute( 'match' ) ); + $count = 0; + foreach ( $processor->select_all( $selector ) as $_ ) { + $this->assertTrue( + $processor->get_attribute( 'match' ), + "Matched unexpected tag {$processor->get_tag()}" + ); + ++$count; + } + $this->assertSame( $match_count, $count, 'Did not match expected number of tags.' ); } /** @@ -39,58 +46,44 @@ public function test_select( string $html, string $selector ) { */ public static function data_selectors(): array { return array( - 'simple type' => array( '

', 'div' ), - 'any type' => array( '
', '*' ), - 'simple class' => array( '
', '.x' ), - 'simple id' => array( '
', '#x' ), - 'boolean attribute' => array( '
', '[att]' ), - 'boolean attribute with string match' => array( '
', '[att=""]' ), + 'simple type' => array( '
', 'div', 2 ), + 'any type' => array( '
', '*', 2 ), + 'simple class' => array( '
', '.x', 2 ), + 'simple id' => array( '
', '#x', 2 ), - 'attribute value' => array( '
', '[att=val]' ), - 'attribute quoted value' => array( '
', '[att="::"]' ), - 'attribute case insensitive' => array( '
', '[att="VAL"i]' ), - 'attribute case sensitive mod' => array( '
', '[att="val"s]' ), + 'attribute presence' => array( '
', '[att]', 2 ), + 'attribute empty string match' => array( '
', '[att=""]', 2 ), + 'attribute value' => array( '

', '[att=val]', 2 ), + 'attribute quoted value' => array( '

', '[att="::"]', 2 ), + 'attribute case insensitive' => array( '

', '[att="VAL"i]', 2 ), + 'attribute case sensitive mod' => array( '

', '[att="val"s]', 2 ), - 'attribute one of' => array( '

', '[att~="b"]' ), - 'attribute one of insensitive' => array( '
', '[att~="b"i]' ), - 'attribute one of mod sensitive' => array( '
', '[att~="b"s]' ), - 'attribute one of whitespace cases' => array( "
", '[att~="b"]' ), + 'attribute one of' => array( '

', '[att~="b"]', 3 ), + 'attribute one of insensitive' => array( '

', '[att~="b"i]', 1 ), + 'attribute one of mod sensitive' => array( '
', '[att~="b"s]', 1 ), + 'attribute one of whitespace cases' => array( "
", '[att~="b"]', 1 ), - 'attribute with-hyphen (no hyphen)' => array( '

', '[att|="special"]' ), - 'attribute with-hyphen (hyphen prefix)' => array( '

', '[att|="special"]' ), - 'attribute with-hyphen insensitive' => array( '

', '[att|="special"i]' ), - 'attribute with-hyphen sensitive mod' => array( '

', '[att|="special"s]' ), + 'attribute with-hyphen' => array( '

', '[att|="special"]', 2 ), + 'attribute with-hyphen insensitive' => array( '

', '[att|="special" i]', 2 ), + 'attribute with-hyphen sensitive mod' => array( '

', '[att|="special"s]', 1 ), - 'attribute prefixed' => array( '

', '[att^="p"]' ), - 'attribute prefixed insensitive' => array( '

', '[att^="p"i]' ), - 'attribute prefixed sensitive mod' => array( '

', '[att^="p"s]' ), + 'attribute prefixed' => array( '

', '[att^="p"]', 2 ), + 'attribute prefixed insensitive' => array( '

', '[att^="p"i]', 1 ), + 'attribute prefixed sensitive mod' => array( '

', '[att^="p"s]', 1 ), - 'attribute suffixed' => array( '

', '[att$="x"]' ), - 'attribute suffixed insensitive' => array( '

', '[att$="x"i]' ), - 'attribute suffixed sensitive mod' => array( '

', '[att$="x"s]' ), + 'attribute suffixed' => array( '

', '[att$="x"]', 2 ), + 'attribute suffixed insensitive' => array( '

', '[att$="x"i]', 1 ), + 'attribute suffixed sensitive mod' => array( '

', '[att$="x"s]', 1 ), - 'attribute contains' => array( '

', '[att*="x"]' ), - 'attribute contains insensitive' => array( '

', '[att*="x"i]' ), - 'attribute contains sensitive mod' => array( '

', '[att*="x"s]' ), + 'attribute contains' => array( '

', '[att*="x"]', 2 ), + 'attribute contains insensitive' => array( '

', '[att*="x"i]', 1 ), + 'attribute contains sensitive mod' => array( '

', '[att*="x"s]', 1 ), - 'list' => array( '

', 'a, p' ), - 'compound' => array( '

', 'section[att="bar"]' ), + 'list' => array( '

', 'a, p, .class, #id, [att]', 2 ), + 'compound' => array( '

', 'custom-el[att="bar"][ fruit ~= "banana" i]', 1 ), ); } - /** - * @ticket TBD - */ - public function test_select_all() { - $processor = new WP_HTML_Tag_Processor( '

' ); - $count = 0; - foreach ( $processor->select_all( 'div, .x, rect, #y' ) as $_ ) { - ++$count; - $this->assertTrue( $processor->get_attribute( 'match' ) ); - } - $this->assertSame( 4, $count ); - } - /** * @ticket TBD * From 4f6bf948404cae07425b676048109be3a52d8853 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 5 Dec 2024 13:13:03 +0100 Subject: [PATCH 088/187] Try abstract class instead of interface --- src/wp-includes/html-api/class-wp-css-attribute-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-class-selector.php | 2 +- .../html-api/class-wp-css-complex-selector-list.php | 2 +- src/wp-includes/html-api/class-wp-css-complex-selector.php | 2 +- .../html-api/class-wp-css-compound-selector-list.php | 2 +- src/wp-includes/html-api/class-wp-css-compound-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-id-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-type-selector.php | 2 +- .../html-api/interface-wp-css-html-processor-matcher.php | 4 ++-- .../html-api/interface-wp-css-html-tag-processor-matcher.php | 4 ++-- 10 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index 17787dd70815b..4cf554c10eca9 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -1,6 +1,6 @@ has_class( $this->ident ); } diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index 0413b8dea426a..669139097fa75 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -32,7 +32,7 @@ * * @access private */ -class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Processor_Matcher { +class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List { /** * Takes a CSS selector string and returns an instance of itself or `null` if the selector * string is invalid or unsupported. diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index ed4d2e7a6e662..4f83476898ec0 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -5,7 +5,7 @@ * * > = [ ? ] * */ -final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { +final class WP_CSS_Complex_Selector extends WP_CSS_HTML_Processor_Matcher { public function matches( WP_HTML_Processor $processor ): bool { // First selector must match this location. if ( ! $this->selectors[0]->matches( $processor ) ) { diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index a41b0ac9cd530..0095b22977b0a 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -76,7 +76,7 @@ * @link https://www.w3.org/TR/selectors-api2/ * @link https://www.w3.org/TR/selectors-4/ */ -class WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Tag_Processor_Matcher { +class WP_CSS_Compound_Selector_List extends WP_CSS_HTML_Tag_Processor_Matcher { /** * @param WP_HTML_Tag_Processor $processor * @return bool diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index e64695abe9ab3..3340515569bdd 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -5,7 +5,7 @@ * * > = [ ? * ]! */ -final class WP_CSS_Compound_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { +final class WP_CSS_Compound_Selector extends WP_CSS_HTML_Tag_Processor_Matcher { public function matches( WP_HTML_Tag_Processor $processor ): bool { if ( $this->type_selector ) { if ( ! $this->type_selector->matches( $processor ) ) { diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index 83339ff839317..15cb2745ede9e 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -1,6 +1,6 @@ get_tag(); if ( null === $tag_name ) { diff --git a/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php b/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php index 2ae29413b35d2..aa280ddefa696 100644 --- a/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php +++ b/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php @@ -1,8 +1,8 @@ Date: Thu, 5 Dec 2024 13:13:06 +0100 Subject: [PATCH 089/187] Revert "Try abstract class instead of interface" This reverts commit 74881651faf991eabceb090707ce8b43c2a25316. --- src/wp-includes/html-api/class-wp-css-attribute-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-class-selector.php | 2 +- .../html-api/class-wp-css-complex-selector-list.php | 2 +- src/wp-includes/html-api/class-wp-css-complex-selector.php | 2 +- .../html-api/class-wp-css-compound-selector-list.php | 2 +- src/wp-includes/html-api/class-wp-css-compound-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-id-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-type-selector.php | 2 +- .../html-api/interface-wp-css-html-processor-matcher.php | 4 ++-- .../html-api/interface-wp-css-html-tag-processor-matcher.php | 4 ++-- 10 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index 4cf554c10eca9..17787dd70815b 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -1,6 +1,6 @@ has_class( $this->ident ); } diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index 669139097fa75..0413b8dea426a 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -32,7 +32,7 @@ * * @access private */ -class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List { +class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Processor_Matcher { /** * Takes a CSS selector string and returns an instance of itself or `null` if the selector * string is invalid or unsupported. diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 4f83476898ec0..ed4d2e7a6e662 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -5,7 +5,7 @@ * * > = [ ? ] * */ -final class WP_CSS_Complex_Selector extends WP_CSS_HTML_Processor_Matcher { +final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { public function matches( WP_HTML_Processor $processor ): bool { // First selector must match this location. if ( ! $this->selectors[0]->matches( $processor ) ) { diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index 0095b22977b0a..a41b0ac9cd530 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -76,7 +76,7 @@ * @link https://www.w3.org/TR/selectors-api2/ * @link https://www.w3.org/TR/selectors-4/ */ -class WP_CSS_Compound_Selector_List extends WP_CSS_HTML_Tag_Processor_Matcher { +class WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Tag_Processor_Matcher { /** * @param WP_HTML_Tag_Processor $processor * @return bool diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 3340515569bdd..e64695abe9ab3 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -5,7 +5,7 @@ * * > = [ ? * ]! */ -final class WP_CSS_Compound_Selector extends WP_CSS_HTML_Tag_Processor_Matcher { +final class WP_CSS_Compound_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { public function matches( WP_HTML_Tag_Processor $processor ): bool { if ( $this->type_selector ) { if ( ! $this->type_selector->matches( $processor ) ) { diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index 15cb2745ede9e..83339ff839317 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -1,6 +1,6 @@ get_tag(); if ( null === $tag_name ) { diff --git a/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php b/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php index aa280ddefa696..2ae29413b35d2 100644 --- a/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php +++ b/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php @@ -1,8 +1,8 @@ Date: Thu, 5 Dec 2024 14:51:39 +0100 Subject: [PATCH 090/187] Clean up and document attribute selector --- .../class-wp-css-attribute-selector.php | 214 ++++++++++-------- 1 file changed, 122 insertions(+), 92 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index 17787dd70815b..7036dd3775cc1 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -1,96 +1,23 @@ get_attribute( $this->name ); - if ( null === $att_value ) { - return false; - } - - if ( null === $this->value ) { - return true; - } - - if ( true === $att_value ) { - $att_value = ''; - } - - $case_insensitive = self::MODIFIER_CASE_INSENSITIVE === $this->modifier; - - switch ( $this->matcher ) { - case self::MATCH_EXACT: - return $case_insensitive - ? 0 === strcasecmp( $att_value, $this->value ) - : $att_value === $this->value; - - case self::MATCH_ONE_OF_EXACT: - foreach ( $this->whitespace_delimited_list( $att_value ) as $val ) { - if ( - $case_insensitive - ? 0 === strcasecmp( $val, $this->value ) - : $val === $this->value - ) { - return true; - } - } - return false; - - case self::MATCH_EXACT_OR_EXACT_WITH_HYPHEN: - // Attempt the full match first - if ( - $case_insensitive - ? 0 === strcasecmp( $att_value, $this->value ) - : $att_value === $this->value - ) { - return true; - } - - // Partial match - if ( strlen( $att_value ) < strlen( $this->value ) + 1 ) { - return false; - } - - $starts_with = "{$this->value}-"; - return 0 === substr_compare( $att_value, $starts_with, 0, strlen( $starts_with ), $case_insensitive ); - - case self::MATCH_PREFIXED_BY: - return 0 === substr_compare( $att_value, $this->value, 0, strlen( $this->value ), $case_insensitive ); - - case self::MATCH_SUFFIXED_BY: - return 0 === substr_compare( $att_value, $this->value, -strlen( $this->value ), null, $case_insensitive ); - - case self::MATCH_CONTAINS: - return false !== ( - $case_insensitive - ? stripos( $att_value, $this->value ) - : strpos( $att_value, $this->value ) - ); - } - } - - /** - * @param string $input - * - * @return Generator - */ - private function whitespace_delimited_list( string $input ): Generator { - // Start by skipping whitespace. - $offset = strspn( $input, self::WHITESPACE_CHARACTERS ); - - while ( $offset < strlen( $input ) ) { - // Find the byte length until the next boundary. - $length = strcspn( $input, self::WHITESPACE_CHARACTERS, $offset ); - $value = substr( $input, $offset, $length ); - - // Move past trailing whitespace. - $offset += $length + strspn( $input, self::WHITESPACE_CHARACTERS, $offset + $length ); - - yield $value; - } - } - /** * [att=val] * Represents an element with the att attribute whose value is exactly "val". @@ -145,11 +72,11 @@ private function whitespace_delimited_list( string $input ): Generator { */ const MODIFIER_CASE_INSENSITIVE = 'case-insensitive'; - /** * The attribute name. * * @var string + * @readonly */ public $name; @@ -157,6 +84,7 @@ private function whitespace_delimited_list( string $input ): Generator { * The attribute matcher. * * @var null|self::MATCH_* + * @readonly */ public $matcher; @@ -164,6 +92,7 @@ private function whitespace_delimited_list( string $input ): Generator { * The attribute value. * * @var string|null + * @readonly */ public $value; @@ -171,10 +100,13 @@ private function whitespace_delimited_list( string $input ): Generator { * The attribute modifier. * * @var null|self::MODIFIER_* + * @readonly */ public $modifier; /** + * Constructor. + * * @param string $name * @param null|self::MATCH_* $matcher * @param null|string $value @@ -186,4 +118,102 @@ public function __construct( string $name, ?string $matcher = null, ?string $val $this->value = $value; $this->modifier = $modifier; } + + /** + * Determines if the processor's current position matches the selector. + * + * @param WP_HTML_Tag_Processor $processor + * @return bool True if the processor's current position matches the selector. + */ + public function matches( WP_HTML_Tag_Processor $processor ): bool { + $att_value = $processor->get_attribute( $this->name ); + if ( null === $att_value ) { + return false; + } + + if ( null === $this->value ) { + return true; + } + + if ( true === $att_value ) { + $att_value = ''; + } + + $case_insensitive = self::MODIFIER_CASE_INSENSITIVE === $this->modifier; + + switch ( $this->matcher ) { + case self::MATCH_EXACT: + return $case_insensitive + ? 0 === strcasecmp( $att_value, $this->value ) + : $att_value === $this->value; + + case self::MATCH_ONE_OF_EXACT: + foreach ( $this->whitespace_delimited_list( $att_value ) as $val ) { + if ( + $case_insensitive + ? 0 === strcasecmp( $val, $this->value ) + : $val === $this->value + ) { + return true; + } + } + return false; + + case self::MATCH_EXACT_OR_EXACT_WITH_HYPHEN: + // Attempt the full match first + if ( + $case_insensitive + ? 0 === strcasecmp( $att_value, $this->value ) + : $att_value === $this->value + ) { + return true; + } + + // Partial match + if ( strlen( $att_value ) < strlen( $this->value ) + 1 ) { + return false; + } + + $starts_with = "{$this->value}-"; + return 0 === substr_compare( $att_value, $starts_with, 0, strlen( $starts_with ), $case_insensitive ); + + case self::MATCH_PREFIXED_BY: + return 0 === substr_compare( $att_value, $this->value, 0, strlen( $this->value ), $case_insensitive ); + + case self::MATCH_SUFFIXED_BY: + return 0 === substr_compare( $att_value, $this->value, -strlen( $this->value ), null, $case_insensitive ); + + case self::MATCH_CONTAINS: + return false !== ( + $case_insensitive + ? stripos( $att_value, $this->value ) + : strpos( $att_value, $this->value ) + ); + } + } + + /** + * Splits a string into a list of whitespace delimited values. + * + * This is useful for the {@see WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT} matcher. + * + * @param string $input + * + * @return Generator + */ + private function whitespace_delimited_list( string $input ): Generator { + // Start by skipping whitespace. + $offset = strspn( $input, " \t\r\n\f" ); + + while ( $offset < strlen( $input ) ) { + // Find the byte length until the next boundary. + $length = strcspn( $input, " \t\r\n\f", $offset ); + $value = substr( $input, $offset, $length ); + + // Move past trailing whitespace. + $offset += $length + strspn( $input, " \t\r\n\f", $offset + $length ); + + yield $value; + } + } } From 32ee2a71197572ea713b6a9a3ee1a9e6b53c0d09 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 5 Dec 2024 19:43:08 +0100 Subject: [PATCH 091/187] Update ticket number in tests --- .../html-api/wpCssComplexSelectorList.php | 16 ++++++------ .../html-api/wpCssCompoundSelectorList.php | 26 +++++++++---------- .../tests/html-api/wpHtmlProcessor-select.php | 6 ++--- .../html-api/wpHtmlTagProcessor-select.php | 6 ++--- 4 files changed, 27 insertions(+), 27 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php index 5cceddbdddd30..0b17e57847662 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php @@ -27,7 +27,7 @@ public static function test_parse_complex_selector( string $input, int &$offset } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_complex_selector() { $input = 'el1 > .child#bar[baz=quux] , rest'; @@ -50,7 +50,7 @@ public function test_parse_complex_selector() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_invalid_complex_selector() { $input = 'el.foo#bar[baz=quux] > , rest'; @@ -60,7 +60,7 @@ public function test_parse_invalid_complex_selector() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_invalid_complex_selector_nonfinal_subclass() { $input = 'el.foo#bar[baz=quux] > final, rest'; @@ -70,7 +70,7 @@ public function test_parse_invalid_complex_selector_nonfinal_subclass() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_empty_complex_selector() { $input = ''; @@ -80,7 +80,7 @@ public function test_parse_empty_complex_selector() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_complex_selector_list() { $input = 'el1 el2 el.foo#bar[baz=quux], second > selector'; @@ -89,7 +89,7 @@ public function test_parse_complex_selector_list() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_invalid_selector_list() { $input = 'el,,'; @@ -98,7 +98,7 @@ public function test_parse_invalid_selector_list() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_invalid_selector_list2() { $input = 'el!'; @@ -107,7 +107,7 @@ public function test_parse_invalid_selector_list2() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_empty_selector_list() { $input = " \t \t\n\r\f"; diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index 2a20e317338bd..b5a2d9956679d 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -114,7 +114,7 @@ public static function data_idents(): array { } /** - * @ticket TBD + * @ticket 62653 */ public function test_is_ident_and_is_ident_start() { $this->assertFalse( $this->test_class::test_is_ident_codepoint( '[', 0 ) ); @@ -124,7 +124,7 @@ public function test_is_ident_and_is_ident_start() { } /** - * @ticket TBD + * @ticket 62653 * * @dataProvider data_idents */ @@ -141,7 +141,7 @@ public function test_parse_ident( string $input, ?string $expected = null, ?stri } /** - * @ticket TBD + * @ticket 62653 * * @dataProvider data_strings */ @@ -192,7 +192,7 @@ public static function data_strings(): array { } /** - * @ticket TBD + * @ticket 62653 * * @dataProvider data_id_selectors */ @@ -226,7 +226,7 @@ public static function data_id_selectors(): array { } /** - * @ticket TBD + * @ticket 62653 * * @dataProvider data_class_selectors */ @@ -260,7 +260,7 @@ public static function data_class_selectors(): array { } /** - * @ticket TBD + * @ticket 62653 * * @dataProvider data_type_selectors */ @@ -296,7 +296,7 @@ public static function data_type_selectors(): array { } /** - * @ticket TBD + * @ticket 62653 * * @dataProvider data_attribute_selectors */ @@ -371,7 +371,7 @@ public static function data_attribute_selectors(): array { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_selector() { $input = 'el.foo#bar[baz=quux] > .child'; @@ -389,7 +389,7 @@ public function test_parse_selector() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_empty_selector() { $input = ''; @@ -400,7 +400,7 @@ public function test_parse_empty_selector() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_selector_list() { $input = 'el1, el2, el.foo#bar[baz=quux]'; @@ -409,7 +409,7 @@ public function test_parse_selector_list() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_invalid_selector_list() { $input = 'el,,'; @@ -418,7 +418,7 @@ public function test_parse_invalid_selector_list() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_invalid_selector_list2() { $input = 'el!'; @@ -427,7 +427,7 @@ public function test_parse_invalid_selector_list2() { } /** - * @ticket TBD + * @ticket 62653 */ public function test_parse_empty_selector_list() { $input = " \t \t\n\r\f"; diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index 8515be63d83f8..40e1d96978afe 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -14,7 +14,7 @@ */ class Tests_HtmlApi_WpHtmlProcessor_Select extends WP_UnitTestCase { /** - * @ticket TBD + * @ticket 62653 */ public function test_select_miss() { $processor = WP_HTML_Processor::create_full_parser( '' ); @@ -22,7 +22,7 @@ public function test_select_miss() { } /** - * @ticket TBD + * @ticket 62653 * * @dataProvider data_selectors */ @@ -57,7 +57,7 @@ public static function data_selectors(): array { } /** - * @ticket TBD + * @ticket 62653 * * @expectedIncorrectUsage WP_HTML_Processor::select_all * diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index 6bc6ba1e6edbc..586e38b4bafb2 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -14,7 +14,7 @@ */ class Tests_HtmlApi_WpHtmlTagProcessor_Select extends WP_UnitTestCase { /** - * @ticket TBD + * @ticket 62653 */ public function test_select_miss() { $processor = new WP_HTML_Tag_Processor( '' ); @@ -22,7 +22,7 @@ public function test_select_miss() { } /** - * @ticket TBD + * @ticket 62653 * * @dataProvider data_selectors */ @@ -85,7 +85,7 @@ public static function data_selectors(): array { } /** - * @ticket TBD + * @ticket 62653 * * @expectedIncorrectUsage WP_HTML_Tag_Processor::select_all * From 5922494030b000bf4d229975a5fd1968c14b20fc Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 5 Dec 2024 21:28:24 +0100 Subject: [PATCH 092/187] Improve some types --- .../html-api/class-wp-css-complex-selector.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index ed4d2e7a6e662..a4cfd46622560 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -16,7 +16,7 @@ public function matches( WP_HTML_Processor $processor ): bool { return true; } - /** @var array $breadcrumbs */ + /** @var string[] */ $breadcrumbs = array_slice( array_reverse( $processor->get_breadcrumbs() ), 1 ); $selectors = array_slice( $this->selectors, 1 ); return $this->explore_matches( $selectors, $breadcrumbs ); @@ -26,7 +26,7 @@ public function matches( WP_HTML_Processor $processor ): bool { * This only looks at breadcrumbs and can therefore only support type selectors. * * @param array $selectors - * @param array $breadcrumbs + * @param string[] $breadcrumbs */ private function explore_matches( array $selectors, array $breadcrumbs ): bool { if ( array() === $selectors ) { @@ -36,9 +36,9 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { return false; } - /** @var self::COMBINATOR_* $combinator */ + /** @var self::COMBINATOR_* */ $combinator = $selectors[0]; - /** @var WP_CSS_Compound_Selector $selector */ + /** @var WP_CSS_Compound_Selector */ $selector = $selectors[1]; switch ( $combinator ) { From e492aa60e2db167ec87a048f64fab13378ec4694 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 5 Dec 2024 22:16:57 +0100 Subject: [PATCH 093/187] Fix and improve string token parsing --- .../class-wp-css-compound-selector-list.php | 19 +++++++++++++------ .../html-api/wpCssCompoundSelectorList.php | 9 ++++++--- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index a41b0ac9cd530..8cca2e27c9ec3 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -548,7 +548,7 @@ final protected static function parse_ident( string $input, int &$offset ): ?str * @return string|null */ final protected static function parse_string( string $input, int &$offset ): ?string { - if ( $offset + 1 >= strlen( $input ) ) { + if ( $offset >= strlen( $input ) ) { return null; } @@ -559,8 +559,19 @@ final protected static function parse_string( string $input, int &$offset ): ?st $string_token = ''; - $updated_offset = $offset + 1; + $updated_offset = $offset + 1; + $anything_else_mask = "\\\n{$ending_code_point}"; while ( $updated_offset < strlen( $input ) ) { + $anything_else_length = strcspn( $input, $anything_else_mask, $updated_offset ); + if ( $anything_else_length > 0 ) { + $string_token .= substr( $input, $updated_offset, $anything_else_length ); + $updated_offset += $anything_else_length; + + if ( $updated_offset >= strlen( $input ) ) { + break; + } + } + switch ( $input[ $updated_offset ] ) { case '\\': ++$updated_offset; @@ -587,10 +598,6 @@ final protected static function parse_string( string $input, int &$offset ): ?st case $ending_code_point: ++$updated_offset; break 2; - - default: - $string_token .= $input[ $updated_offset ]; - ++$updated_offset; } } diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index b5a2d9956679d..715e0e26bc9cd 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -181,13 +181,16 @@ public static function data_strings(): array { "'foo\\" => array( "'foo\\", 'foo', '' ), + '"' => array( '"', '', '' ), + '"\\"' => array( '"\\"', '"', '' ), + '"missing close' => array( '"missing close', 'missing close', '' ), + // Invalid 'Invalid: (empty string)' => array( '' ), - "Invalid: 'newline\\n'" => array( "'newline\n'" ), - 'Invalid: foo' => array( 'foo' ), - 'Invalid: \\"' => array( '\\"' ), 'Invalid: .foo' => array( '.foo' ), 'Invalid: #foo' => array( '#foo' ), + "Invalid: 'newline\\n'" => array( "'newline\n'" ), + 'Invalid: foo' => array( 'foo' ), ); } From 81c67582deef44766e188482586538cdbe84272d Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 5 Dec 2024 22:17:11 +0100 Subject: [PATCH 094/187] Update attribute selector tests --- .../html-api/wpCssCompoundSelectorList.php | 82 ++++++++++--------- 1 file changed, 45 insertions(+), 37 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index 715e0e26bc9cd..6d1b142c17ea9 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -331,45 +331,53 @@ public function test_parse_attribute( */ public static function data_attribute_selectors(): array { return array( - '[href]' => array( '[href]', 'href', null, null, null, '' ), - '[href] type' => array( '[href] type', 'href', null, null, null, ' type' ), - '[href]#id' => array( '[href]#id', 'href', null, null, null, '#id' ), - '[href].class' => array( '[href].class', 'href', null, null, null, '.class' ), - '[href][href2]' => array( '[href][href2]', 'href', null, null, null, '[href2]' ), - '[\n href\t\r]' => array( "[\n href\t\r]", 'href', null, null, null, '' ), - '[href=foo]' => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), - '[href \n = bar ]' => array( "[href \n = bar ]", 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), - '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), - - '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - '[att=val I]' => array( '[att=val I]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - '[att=val S]' => array( '[att=val S]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - - '[match~="quoted[][]"]' => array( '[match~="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT, 'quoted[][]', null, '' ), - "[match$='quoted!{}']" => array( "[match$='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'quoted!{}', null, '' ), - "[match*='quoted's]" => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_CONTAINS, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - - '[escape-nl="foo\\nbar"]' => array( "[escape-nl='foo\\\nbar']", 'escape-nl', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foobar', null, '' ), - '[escape-seq="\\31 23"]' => array( "[escape-seq='\\31 23']", 'escape-seq', WP_CSS_Attribute_Selector::MATCH_EXACT, '123', null, '' ), + '[href]' => array( '[href]', 'href', null, null, null, '' ), + '[href] type' => array( '[href] type', 'href', null, null, null, ' type' ), + '[href]#id' => array( '[href]#id', 'href', null, null, null, '#id' ), + '[href].class' => array( '[href].class', 'href', null, null, null, '.class' ), + '[href][href2]' => array( '[href][href2]', 'href', null, null, null, '[href2]' ), + '[\n href\t\r]' => array( "[\n href\t\r]", 'href', null, null, null, '' ), + '[href=foo]' => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), + '[href \n = bar ]' => array( "[href \n = bar ]", 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), + '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), + + '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[att=val I]' => array( '[att=val I]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + '[att=val S]' => array( '[att=val S]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + + '[match~="quoted[][]"]' => array( '[match~="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT, 'quoted[][]', null, '' ), + "[match$='quoted!{}']" => array( "[match$='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'quoted!{}', null, '' ), + "[match*='quoted's]" => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_CONTAINS, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + + '[escape-nl="foo\\nbar"]' => array( "[escape-nl='foo\\\nbar']", 'escape-nl', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foobar', null, '' ), + '[escape-seq="\\31 23"]' => array( "[escape-seq='\\31 23']", 'escape-seq', WP_CSS_Attribute_Selector::MATCH_EXACT, '123', null, '' ), + + 'Unterminated: [att' => array( '[att', 'att', null, null, null, '' ), + 'Unterminated: [att="' => array( '[att="', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, '', null, '' ), + 'Unterminated: [att="\\"' => array( '[att="\\"', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, '"', null, '' ), + 'Unterminated: [att="x"' => array( '[att="x"', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'x', null, '' ), + 'Unterminated: [att="x\\"i]' => array( '[att="x\\"i]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'x"i]', null, '' ), + 'Unterminated: [att="x" i' => array( '[att="x" i', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'x', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + 'Unterminated: [att = x i' => array( '[att = x i', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'x', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), // Invalid - 'Invalid: (empty string)' => array( '' ), - 'Invalid: foo' => array( 'foo' ), - 'Invalid: [foo' => array( '[foo' ), - 'Invalid: [#foo]' => array( '[#foo]' ), - 'Invalid: [*|*]' => array( '[*|*]' ), - 'Invalid: [ns|*]' => array( '[ns|*]' ), - 'Invalid: [* |att]' => array( '[* |att]' ), - 'Invalid: [*| att]' => array( '[*| att]' ), - 'Invalid: [att * =]' => array( '[att * =]' ), - 'Invalid: [att+=val]' => array( '[att+=val]' ), - 'Invalid: [att=val ' => array( '[att=val ' ), - 'Invalid: [att i]' => array( '[att i]' ), - 'Invalid: [att s]' => array( '[att s]' ), - "Invalid: [att='val\\n']" => array( "[att='val\n']" ), - 'Invalid: [att=val i ' => array( '[att=val i ' ), - 'Invalid: [att="val"ix' => array( '[att="val"ix' ), + 'Invalid: (empty string)' => array( '' ), + 'Invalid: foo' => array( 'foo' ), + 'Invalid: [foo' => array( '[foo' ), + 'Invalid: [#foo]' => array( '[#foo]' ), + 'Invalid: [*|*]' => array( '[*|*]' ), + 'Invalid: [ns|*]' => array( '[ns|*]' ), + 'Invalid: [* |att]' => array( '[* |att]' ), + 'Invalid: [*| att]' => array( '[*| att]' ), + 'Invalid: [att * =]' => array( '[att * =]' ), + 'Invalid: [att+=val]' => array( '[att+=val]' ), + 'Invalid: [att=val ' => array( '[att=val ' ), + 'Invalid: [att i]' => array( '[att i]' ), + 'Invalid: [att s]' => array( '[att s]' ), + "Invalid: [att='val\\n']" => array( "[att='val\n']" ), + 'Invalid: [att=val i ' => array( '[att=val i ' ), + 'Invalid: [att="val"ix' => array( '[att="val"ix' ), ); } From 7bccf3eada582c8b66ec24781dc151a1afbfe9b6 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 5 Dec 2024 22:36:26 +0100 Subject: [PATCH 095/187] Revert "Update attribute selector tests" This reverts commit 7df9ed91a1360d80c1dcb87980af941010b926ba. --- .../html-api/wpCssCompoundSelectorList.php | 82 +++++++++---------- 1 file changed, 37 insertions(+), 45 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index 6d1b142c17ea9..715e0e26bc9cd 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -331,53 +331,45 @@ public function test_parse_attribute( */ public static function data_attribute_selectors(): array { return array( - '[href]' => array( '[href]', 'href', null, null, null, '' ), - '[href] type' => array( '[href] type', 'href', null, null, null, ' type' ), - '[href]#id' => array( '[href]#id', 'href', null, null, null, '#id' ), - '[href].class' => array( '[href].class', 'href', null, null, null, '.class' ), - '[href][href2]' => array( '[href][href2]', 'href', null, null, null, '[href2]' ), - '[\n href\t\r]' => array( "[\n href\t\r]", 'href', null, null, null, '' ), - '[href=foo]' => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), - '[href \n = bar ]' => array( "[href \n = bar ]", 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), - '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), - - '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - '[att=val I]' => array( '[att=val I]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - '[att=val S]' => array( '[att=val S]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - - '[match~="quoted[][]"]' => array( '[match~="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT, 'quoted[][]', null, '' ), - "[match$='quoted!{}']" => array( "[match$='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'quoted!{}', null, '' ), - "[match*='quoted's]" => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_CONTAINS, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - - '[escape-nl="foo\\nbar"]' => array( "[escape-nl='foo\\\nbar']", 'escape-nl', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foobar', null, '' ), - '[escape-seq="\\31 23"]' => array( "[escape-seq='\\31 23']", 'escape-seq', WP_CSS_Attribute_Selector::MATCH_EXACT, '123', null, '' ), - - 'Unterminated: [att' => array( '[att', 'att', null, null, null, '' ), - 'Unterminated: [att="' => array( '[att="', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, '', null, '' ), - 'Unterminated: [att="\\"' => array( '[att="\\"', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, '"', null, '' ), - 'Unterminated: [att="x"' => array( '[att="x"', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'x', null, '' ), - 'Unterminated: [att="x\\"i]' => array( '[att="x\\"i]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'x"i]', null, '' ), - 'Unterminated: [att="x" i' => array( '[att="x" i', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'x', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - 'Unterminated: [att = x i' => array( '[att = x i', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'x', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + '[href]' => array( '[href]', 'href', null, null, null, '' ), + '[href] type' => array( '[href] type', 'href', null, null, null, ' type' ), + '[href]#id' => array( '[href]#id', 'href', null, null, null, '#id' ), + '[href].class' => array( '[href].class', 'href', null, null, null, '.class' ), + '[href][href2]' => array( '[href][href2]', 'href', null, null, null, '[href2]' ), + '[\n href\t\r]' => array( "[\n href\t\r]", 'href', null, null, null, '' ), + '[href=foo]' => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), + '[href \n = bar ]' => array( "[href \n = bar ]", 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), + '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), + + '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[att=val I]' => array( '[att=val I]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + '[att=val S]' => array( '[att=val S]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + + '[match~="quoted[][]"]' => array( '[match~="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT, 'quoted[][]', null, '' ), + "[match$='quoted!{}']" => array( "[match$='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'quoted!{}', null, '' ), + "[match*='quoted's]" => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_CONTAINS, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + + '[escape-nl="foo\\nbar"]' => array( "[escape-nl='foo\\\nbar']", 'escape-nl', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foobar', null, '' ), + '[escape-seq="\\31 23"]' => array( "[escape-seq='\\31 23']", 'escape-seq', WP_CSS_Attribute_Selector::MATCH_EXACT, '123', null, '' ), // Invalid - 'Invalid: (empty string)' => array( '' ), - 'Invalid: foo' => array( 'foo' ), - 'Invalid: [foo' => array( '[foo' ), - 'Invalid: [#foo]' => array( '[#foo]' ), - 'Invalid: [*|*]' => array( '[*|*]' ), - 'Invalid: [ns|*]' => array( '[ns|*]' ), - 'Invalid: [* |att]' => array( '[* |att]' ), - 'Invalid: [*| att]' => array( '[*| att]' ), - 'Invalid: [att * =]' => array( '[att * =]' ), - 'Invalid: [att+=val]' => array( '[att+=val]' ), - 'Invalid: [att=val ' => array( '[att=val ' ), - 'Invalid: [att i]' => array( '[att i]' ), - 'Invalid: [att s]' => array( '[att s]' ), - "Invalid: [att='val\\n']" => array( "[att='val\n']" ), - 'Invalid: [att=val i ' => array( '[att=val i ' ), - 'Invalid: [att="val"ix' => array( '[att="val"ix' ), + 'Invalid: (empty string)' => array( '' ), + 'Invalid: foo' => array( 'foo' ), + 'Invalid: [foo' => array( '[foo' ), + 'Invalid: [#foo]' => array( '[#foo]' ), + 'Invalid: [*|*]' => array( '[*|*]' ), + 'Invalid: [ns|*]' => array( '[ns|*]' ), + 'Invalid: [* |att]' => array( '[* |att]' ), + 'Invalid: [*| att]' => array( '[*| att]' ), + 'Invalid: [att * =]' => array( '[att * =]' ), + 'Invalid: [att+=val]' => array( '[att+=val]' ), + 'Invalid: [att=val ' => array( '[att=val ' ), + 'Invalid: [att i]' => array( '[att i]' ), + 'Invalid: [att s]' => array( '[att s]' ), + "Invalid: [att='val\\n']" => array( "[att='val\n']" ), + 'Invalid: [att=val i ' => array( '[att=val i ' ), + 'Invalid: [att="val"ix' => array( '[att="val"ix' ), ); } From 3949cc53b4bebdc8324a07a8ce49bd6ede291e53 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 5 Dec 2024 22:51:04 +0100 Subject: [PATCH 096/187] Improve some complex selector match tests --- .../tests/html-api/wpHtmlProcessor-select.php | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index 40e1d96978afe..d94190ff91077 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -43,16 +43,18 @@ public function test_select_all( string $html, string $selector, int $match_coun /** * Data provider. * - * Most selectors are covered by the tag processor selector tests. - * This suite should focus on complex selectors. - * * @return array */ public static function data_selectors(): array { return array( - 'any descendant' => array( '

', 'section *', 4 ), - 'any child 1' => array( '

', 'section > *', 2 ), - 'any child 2' => array( '

', 'div > *', 1 ), + 'any' => array( '

', '*', 5 ), + 'quirks mode ID' => array( '

In quirks mode, ID matching is case-insensitive.', '#id', 2 ), + 'quirks mode class' => array( '

In quirks mode, class matching is case-insensitive.', '.c', 2 ), + 'no-quirks mode ID' => array( '

In no-quirks mode, ID matching is case-sensitive.', '#id', 1 ), + 'no-quirks mode class' => array( '

In no-quirks mode, class matching is case-sensitive.', '.c', 1 ), + 'any descendant' => array( '

', 'section *', 4 ), + 'any child 1' => array( '

', 'section > *', 2 ), + 'any child 2' => array( '

', 'div > *', 1 ), ); } From c696889197fab2308490cab7b47bf654eed63a61 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 15:45:55 +0100 Subject: [PATCH 097/187] Add and use matches_tag type selector method --- .../html-api/class-wp-css-complex-selector.php | 4 ++-- src/wp-includes/html-api/class-wp-css-type-selector.php | 8 ++++++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index a4cfd46622560..a532e87ecc15d 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -43,7 +43,7 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { switch ( $combinator ) { case self::COMBINATOR_CHILD: - if ( '*' === $selector->type_selector->ident || strcasecmp( $breadcrumbs[0], $selector->type_selector->ident ) === 0 ) { + if ( $selector->type_selector->matches_tag( $breadcrumbs[0] ) ) { return $this->explore_matches( array_slice( $selectors, 2 ), array_slice( $breadcrumbs, 1 ) ); } return false; @@ -51,7 +51,7 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { case self::COMBINATOR_DESCENDANT: // Find _all_ the breadcrumbs that match and recurse from each of them. for ( $i = 0; $i < count( $breadcrumbs ); $i++ ) { - if ( '*' === $selector->type_selector->ident || strcasecmp( $breadcrumbs[ $i ], $selector->type_selector->ident ) === 0 ) { + if ( $selector->type_selector->matches_tag( $breadcrumbs[ $i ] ) ) { $next_crumbs = array_slice( $breadcrumbs, $i + 1 ); if ( $this->explore_matches( array_slice( $selectors, 2 ), $next_crumbs ) ) { return true; diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/class-wp-css-type-selector.php index c65adce14047d..2a6bb952f5448 100644 --- a/src/wp-includes/html-api/class-wp-css-type-selector.php +++ b/src/wp-includes/html-api/class-wp-css-type-selector.php @@ -6,6 +6,14 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { if ( null === $tag_name ) { return false; } + return $this->matches_tag( $tag_name ); + } + + /** + * @param string $tag_name + * @return bool + */ + public function matches_tag( string $tag_name ): bool { if ( '*' === $this->ident ) { return true; } From c19355151ee667b055d3414c9272907e37069b82 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 16:00:36 +0100 Subject: [PATCH 098/187] Improve complex selector structure Separate the self selector from relative selectors --- .../class-wp-css-complex-selector-list.php | 50 ++++---- .../class-wp-css-complex-selector.php | 110 ++++++++++++------ .../class-wp-css-compound-selector.php | 2 +- .../html-api/wpCssComplexSelectorList.php | 25 ++-- .../tests/html-api/wpHtmlProcessor-select.php | 17 +-- 5 files changed, 123 insertions(+), 81 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index 0413b8dea426a..4a9fc03f582f8 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -95,16 +95,18 @@ final protected static function parse_complex_selector( string $input, int &$off } $updated_offset = $offset; - $selector = self::parse_compound_selector( $input, $updated_offset ); - if ( null === $selector ) { + $self_selector = self::parse_compound_selector( $input, $updated_offset ); + if ( null === $self_selector ) { return null; } - - $selectors = array( $selector ); - $has_preceding_subclass_selector = null !== $selector->subclass_selectors; + /** @var array{WP_CSS_Compound_Selector, string}[] */ + $selectors = array(); $found_whitespace = self::parse_whitespace( $input, $updated_offset ); while ( $updated_offset < strlen( $input ) ) { + $combinator = null; + $next_selector = null; + if ( WP_CSS_Complex_Selector::COMBINATOR_CHILD === $input[ $updated_offset ] || WP_CSS_Complex_Selector::COMBINATOR_NEXT_SIBLING === $input[ $updated_offset ] || @@ -114,42 +116,40 @@ final protected static function parse_complex_selector( string $input, int &$off ++$updated_offset; self::parse_whitespace( $input, $updated_offset ); - // Failure to find a selector here is a parse error - $selector = self::parse_compound_selector( $input, $updated_offset ); + // A combinator has been found, failure to find a selector here is a parse error. + $next_selector = self::parse_compound_selector( $input, $updated_offset ); + if ( null === $next_selector ) { + return null; + } } elseif ( $found_whitespace ) { /* * Whitespace is ambiguous, it could be a descendant combinator or * insignificant whitespace. */ - $selector = self::parse_compound_selector( $input, $updated_offset ); - if ( null === $selector ) { - break; + $next_selector = self::parse_compound_selector( $input, $updated_offset ); + if ( null !== $next_selector ) { + $combinator = WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT; } - $combinator = WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT; - } else { - break; } - if ( null === $selector ) { - return null; + if ( null === $next_selector ) { + break; } - /* - * Subclass selectors in non-final position is not supported: - * - `div > .className` is valid - * - `.className > div` is not - */ - if ( $has_preceding_subclass_selector ) { + // $self_selector will pass to a relative selector where only the type selector is allowed. + if ( null !== $self_selector->subclass_selectors || null === $self_selector->type_selector ) { return null; } - $has_preceding_subclass_selector = null !== $selector->subclass_selectors; - $selectors[] = $combinator; - $selectors[] = $selector; + /** @var array{WP_CSS_Compound_Selector, string} */ + $selector_pair = array( $self_selector->type_selector, $combinator ); + $selectors[] = $selector_pair; + $self_selector = $next_selector; $found_whitespace = self::parse_whitespace( $input, $updated_offset ); } $offset = $updated_offset; - return new WP_CSS_Complex_Selector( $selectors ); + + return new WP_CSS_Complex_Selector( $self_selector, array_reverse( $selectors ) ); } } diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index a532e87ecc15d..9db2912d3ac16 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -6,26 +6,87 @@ * > = [ ? ] * */ final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { + const COMBINATOR_CHILD = '>'; + const COMBINATOR_DESCENDANT = ' '; + const COMBINATOR_NEXT_SIBLING = '+'; + const COMBINATOR_SUBSEQUENT_SIBLING = '~'; + + /** + * This is the selector in the final position of the complex selector. This corresponds to the + * selected element. + * + * @example + * + * $self_selector + * ┏━━━━┻━━━━┓ + * .heading h1 > el.selected + * + * @readonly + * @var WP_CSS_Compound_Selector + */ + public $self_selector; + + /** + * This is the selector in the final position of the complex selector. This corresponds to the + * selected element. + * + * @example + * + * $relative_selectors + * ┏━━━━━━┻━━━━┓ + * .heading h1 > el.selected + * + * The example would have the following relative selectors (note that the order is reversed): + * + * @example + * + * array ( + * array( + * WP_CSS_Type_Selector( 'ident' => 'h1' ), + * '>', // WP_CSS_Complex_Selector::COMBINATOR_CHILD + * ), + * array( + * new WP_CSS_Type_Selector( 'header' ), + * ' ', // WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT + * ), + * ) + * + * @readonly + * @var array{WP_CSS_Type_Selector, string}[] + */ + public $relative_selectors; + + /** + * @param WP_CSS_Compound_Selector $self_selector + * @param array{WP_CSS_Type_Selector, string}[] $selectors + */ + public function __construct( + WP_CSS_Compound_Selector $self_selector, + ?array $relative_selectors + ) { + $this->self_selector = $self_selector; + $this->relative_selectors = $relative_selectors; + } + public function matches( WP_HTML_Processor $processor ): bool { // First selector must match this location. - if ( ! $this->selectors[0]->matches( $processor ) ) { + if ( ! $this->self_selector->matches( $processor ) ) { return false; } - if ( count( $this->selectors ) === 1 ) { + if ( null === $this->relative_selectors || array() === $this->relative_selectors ) { return true; } /** @var string[] */ $breadcrumbs = array_slice( array_reverse( $processor->get_breadcrumbs() ), 1 ); - $selectors = array_slice( $this->selectors, 1 ); - return $this->explore_matches( $selectors, $breadcrumbs ); + return $this->explore_matches( $this->relative_selectors, $breadcrumbs ); } /** * This only looks at breadcrumbs and can therefore only support type selectors. * - * @param array $selectors + * @param array{WP_CSS_Type_Selector, string}[] $selectors * @param string[] $breadcrumbs */ private function explore_matches( array $selectors, array $breadcrumbs ): bool { @@ -36,24 +97,22 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { return false; } - /** @var self::COMBINATOR_* */ - $combinator = $selectors[0]; - /** @var WP_CSS_Compound_Selector */ - $selector = $selectors[1]; + $selector = $selectors[0][0]; + $combinator = $selectors[0][1]; switch ( $combinator ) { case self::COMBINATOR_CHILD: - if ( $selector->type_selector->matches_tag( $breadcrumbs[0] ) ) { - return $this->explore_matches( array_slice( $selectors, 2 ), array_slice( $breadcrumbs, 1 ) ); + if ( $selector->matches_tag( $breadcrumbs[0] ) ) { + return $this->explore_matches( array_slice( $selectors, 1 ), array_slice( $breadcrumbs, 1 ) ); } return false; case self::COMBINATOR_DESCENDANT: // Find _all_ the breadcrumbs that match and recurse from each of them. for ( $i = 0; $i < count( $breadcrumbs ); $i++ ) { - if ( $selector->type_selector->matches_tag( $breadcrumbs[ $i ] ) ) { - $next_crumbs = array_slice( $breadcrumbs, $i + 1 ); - if ( $this->explore_matches( array_slice( $selectors, 2 ), $next_crumbs ) ) { + if ( $selector->matches_tag( $breadcrumbs[ $i ] ) ) { + $next_breadcrumbs = array_slice( $breadcrumbs, $i + 1 ); + if ( $this->explore_matches( array_slice( $selectors, 1 ), $next_breadcrumbs ) ) { return true; } } @@ -61,28 +120,7 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { return false; default: - throw new Exception( "Combinator '{$combinator}' is not supported yet." ); + throw new Exception( "Unsupported combinator '{$combinator}' found." ); } } - - const COMBINATOR_CHILD = '>'; - const COMBINATOR_DESCENDANT = ' '; - const COMBINATOR_NEXT_SIBLING = '+'; - const COMBINATOR_SUBSEQUENT_SIBLING = '~'; - - /** - * even indexes are WP_CSS_Compound_Selector, odd indexes are string combinators. - * In reverse order to match the current element and then work up the tree. - * Any non-final selector is a type selector. - * - * @var array - */ - public $selectors = array(); - - /** - * @param array $selectors - */ - public function __construct( array $selectors ) { - $this->selectors = array_reverse( $selectors ); - } } diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index e64695abe9ab3..2ef2051880936 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -25,7 +25,7 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { /** @var WP_CSS_Type_Selector|null */ public $type_selector; - /** @var array|null */ + /** @var (WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector)[]|null */ public $subclass_selectors; /** diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php index 0b17e57847662..795e230033cdb 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php @@ -20,7 +20,7 @@ public function __construct() { parent::__construct( array() ); } - public static function test_parse_complex_selector( string $input, int &$offset ) { + public static function test_parse_complex_selector( string $input, int &$offset ): ?WP_CSS_Complex_Selector { return self::parse_complex_selector( $input, $offset ); } }; @@ -30,21 +30,24 @@ public static function test_parse_complex_selector( string $input, int &$offset * @ticket 62653 */ public function test_parse_complex_selector() { - $input = 'el1 > .child#bar[baz=quux] , rest'; + $input = 'el1 el2 > .child#bar[baz=quux] , rest'; $offset = 0; - $sel = $this->test_class::test_parse_complex_selector( $input, $offset ); - $this->assertSame( 3, count( $sel->selectors ) ); + /** @var WP_CSS_Complex_Selector|null */ + $sel = $this->test_class::test_parse_complex_selector( $input, $offset ); - $this->assertSame( 'el1', $sel->selectors[2]->type_selector->ident ); - $this->assertNull( $sel->selectors[2]->subclass_selectors ); + $this->assertSame( 2, count( $sel->relative_selectors ) ); - $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->selectors[1] ); + // Relative selectors should be reverse ordered. + $this->assertSame( 'el2', $sel->relative_selectors[0][0]->ident ); + $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->relative_selectors[0][1] ); - $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); - $this->assertNull( $sel->selectors[0]->type_selector ); - $this->assertSame( 3, count( $sel->selectors[0]->subclass_selectors ) ); - $this->assertSame( 'child', $sel->selectors[0]->subclass_selectors[0]->ident ); + $this->assertSame( 'el1', $sel->relative_selectors[1][0]->ident ); + $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT, $sel->relative_selectors[1][1] ); + + $this->assertSame( 3, count( $sel->self_selector->subclass_selectors ) ); + $this->assertNull( $sel->self_selector->type_selector ); + $this->assertSame( 'child', $sel->self_selector->subclass_selectors[0]->ident ); $this->assertSame( ', rest', substr( $input, $offset ) ); } diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index d94190ff91077..21828faf42e80 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -47,14 +47,15 @@ public function test_select_all( string $html, string $selector, int $match_coun */ public static function data_selectors(): array { return array( - 'any' => array( '

', '*', 5 ), - 'quirks mode ID' => array( '

In quirks mode, ID matching is case-insensitive.', '#id', 2 ), - 'quirks mode class' => array( '

In quirks mode, class matching is case-insensitive.', '.c', 2 ), - 'no-quirks mode ID' => array( '

In no-quirks mode, ID matching is case-sensitive.', '#id', 1 ), - 'no-quirks mode class' => array( '

In no-quirks mode, class matching is case-sensitive.', '.c', 1 ), - 'any descendant' => array( '

', 'section *', 4 ), - 'any child 1' => array( '

', 'section > *', 2 ), - 'any child 2' => array( '

', 'div > *', 1 ), + 'any' => array( '

', '*', 5 ), + 'quirks mode ID' => array( '

In quirks mode, ID matching is case-insensitive.', '#id', 2 ), + 'quirks mode class' => array( '

In quirks mode, class matching is case-insensitive.', '.c', 2 ), + 'no-quirks mode ID' => array( '

In no-quirks mode, ID matching is case-sensitive.', '#id', 1 ), + 'no-quirks mode class' => array( '

In no-quirks mode, class matching is case-sensitive.', '.c', 1 ), + 'any descendant' => array( '

', 'section *', 4 ), + 'any child matches all children' => array( '

', 'section > *', 2 ), + + 'multiple complex selectors' => array( '

', 'section > div p > i', 1 ), ); } From 9dd811432a685b4efa15692a9d5d5dae43b475c0 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 16:10:05 +0100 Subject: [PATCH 099/187] Rework structure of complex_selector class --- .../class-wp-css-complex-selector.php | 32 ++++++++++++------- .../html-api/wpCssComplexSelectorList.php | 10 +++--- 2 files changed, 25 insertions(+), 17 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 9db2912d3ac16..1f03f133c8806 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -12,7 +12,7 @@ final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { const COMBINATOR_SUBSEQUENT_SIBLING = '~'; /** - * This is the selector in the final position of the complex selector. This corresponds to the + * The "self selector" is the last element in a complex selector, it corresponds to the * selected element. * * @example @@ -27,12 +27,20 @@ final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { public $self_selector; /** - * This is the selector in the final position of the complex selector. This corresponds to the - * selected element. + * The "context selectors" are zero or more elements that provide additional constraints for + * the "self selector." + * + * In this example selector, and element like `` is selected iff: + * - it is a child of an `H1` element + * - *and* that `H1` element is a descendant of a `HEADING` element. + * + * The `H1` and `HEADING` parts of this selector are the "context selectors." Note that this + * terminology is used for purposes of this class but does not correspond to language in the + * CSS or selector specifications. * * @example * - * $relative_selectors + * $context_selectors * ┏━━━━━━┻━━━━┓ * .heading h1 > el.selected * @@ -52,20 +60,20 @@ final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { * ) * * @readonly - * @var array{WP_CSS_Type_Selector, string}[] + * @var array{WP_CSS_Type_Selector, string}[]|null */ - public $relative_selectors; + public $context_selectors; /** * @param WP_CSS_Compound_Selector $self_selector - * @param array{WP_CSS_Type_Selector, string}[] $selectors + * @param array{WP_CSS_Type_Selector, string}[]|null $selectors */ public function __construct( WP_CSS_Compound_Selector $self_selector, - ?array $relative_selectors + ?array $context_selectors ) { - $this->self_selector = $self_selector; - $this->relative_selectors = $relative_selectors; + $this->self_selector = $self_selector; + $this->context_selectors = $context_selectors; } public function matches( WP_HTML_Processor $processor ): bool { @@ -74,13 +82,13 @@ public function matches( WP_HTML_Processor $processor ): bool { return false; } - if ( null === $this->relative_selectors || array() === $this->relative_selectors ) { + if ( null === $this->context_selectors || array() === $this->context_selectors ) { return true; } /** @var string[] */ $breadcrumbs = array_slice( array_reverse( $processor->get_breadcrumbs() ), 1 ); - return $this->explore_matches( $this->relative_selectors, $breadcrumbs ); + return $this->explore_matches( $this->context_selectors, $breadcrumbs ); } /** diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php index 795e230033cdb..dc89869ea2e66 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php @@ -36,14 +36,14 @@ public function test_parse_complex_selector() { /** @var WP_CSS_Complex_Selector|null */ $sel = $this->test_class::test_parse_complex_selector( $input, $offset ); - $this->assertSame( 2, count( $sel->relative_selectors ) ); + $this->assertSame( 2, count( $sel->context_selectors ) ); // Relative selectors should be reverse ordered. - $this->assertSame( 'el2', $sel->relative_selectors[0][0]->ident ); - $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->relative_selectors[0][1] ); + $this->assertSame( 'el2', $sel->context_selectors[0][0]->ident ); + $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->context_selectors[0][1] ); - $this->assertSame( 'el1', $sel->relative_selectors[1][0]->ident ); - $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT, $sel->relative_selectors[1][1] ); + $this->assertSame( 'el1', $sel->context_selectors[1][0]->ident ); + $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT, $sel->context_selectors[1][1] ); $this->assertSame( 3, count( $sel->self_selector->subclass_selectors ) ); $this->assertNull( $sel->self_selector->type_selector ); From b134308e4017f53d40d55df4aa0b03842d51974f Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 16:54:08 +0100 Subject: [PATCH 100/187] Improve documentation --- .../html-api/class-wp-css-complex-selector.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 1f03f133c8806..2d4d0212b24f2 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -30,7 +30,11 @@ final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { * The "context selectors" are zero or more elements that provide additional constraints for * the "self selector." * - * In this example selector, and element like `` is selected iff: + * These selectors are represented as 2-tuples where the element at index 0 is the selector and + * the element at index 1 is the combinator string constant from this class, + * e.g. `WP_CSS_Complex_Selector::COMBINATOR_CHILD`. + * + * In the example selector below, an element like `` is selected iff: * - it is a child of an `H1` element * - *and* that `H1` element is a descendant of a `HEADING` element. * @@ -44,7 +48,7 @@ final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { * ┏━━━━━━┻━━━━┓ * .heading h1 > el.selected * - * The example would have the following relative selectors (note that the order is reversed): + * The example would have the following relative selectors: * * @example * @@ -59,6 +63,10 @@ final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { * ), * ) * + * Note that the order of context selectors is reversed. This is to match the self selector + * first and then match the context selectors beginning with the selector closest to the self + * selector. + * * @readonly * @var array{WP_CSS_Type_Selector, string}[]|null */ From 94c06ef32fd69eecd7ccddd40714edef1a79f493 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 18:11:55 +0100 Subject: [PATCH 101/187] Document complex selector class --- .../class-wp-css-complex-selector.php | 52 ++++++++++++++++--- 1 file changed, 46 insertions(+), 6 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 2d4d0212b24f2..bd51884901d93 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -1,14 +1,47 @@ in the grammar. + * CSS complex selector. + * + * This class implements a CSS complex selector and is used to test for matching HTML tags + * in a {@see WP_HTML_Tag_Processor}. + * + * A complex selector is a selector with zero or more combinator-selector pairs. + * + * @since TBD * - * > = [ ? ] * + * @access private */ final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { - const COMBINATOR_CHILD = '>'; - const COMBINATOR_DESCENDANT = ' '; - const COMBINATOR_NEXT_SIBLING = '+'; + /** + * Child combinator. + */ + const COMBINATOR_CHILD = '>'; + + /** + * Descendant combinator. + */ + const COMBINATOR_DESCENDANT = ' '; + + /** + * Next sibling combinator. + * + * This combinator is not currently supported. + */ + const COMBINATOR_NEXT_SIBLING = '+'; + + /** + * Subsequent sibling combinator. + * + * This combinator is not currently supported. + */ const COMBINATOR_SUBSEQUENT_SIBLING = '~'; /** @@ -84,6 +117,12 @@ public function __construct( $this->context_selectors = $context_selectors; } + /** + * Determines if the processor's current position matches the selector. + * + * @param WP_HTML_Processor $processor The processor. + * @return bool True if the processor's current position matches the selector. + */ public function matches( WP_HTML_Processor $processor ): bool { // First selector must match this location. if ( ! $this->self_selector->matches( $processor ) ) { @@ -100,10 +139,11 @@ public function matches( WP_HTML_Processor $processor ): bool { } /** - * This only looks at breadcrumbs and can therefore only support type selectors. + * Checks for matches recursively comparing context selectors with breadcrumbs. * * @param array{WP_CSS_Type_Selector, string}[] $selectors * @param string[] $breadcrumbs + * @return bool True if a match is found, otherwise false. */ private function explore_matches( array $selectors, array $breadcrumbs ): bool { if ( array() === $selectors ) { From f46fceda45dd38676191126761fb3c4c4439d0be Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 18:17:39 +0100 Subject: [PATCH 102/187] Document matches functions --- .../html-api/class-wp-css-attribute-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-class-selector.php | 6 ++++++ .../html-api/class-wp-css-compound-selector-list.php | 6 ++++-- src/wp-includes/html-api/class-wp-css-compound-selector.php | 6 ++++++ src/wp-includes/html-api/class-wp-css-id-selector.php | 6 ++++++ src/wp-includes/html-api/class-wp-css-type-selector.php | 6 ++++++ .../html-api/interface-wp-css-html-processor-matcher.php | 5 ++++- .../interface-wp-css-html-tag-processor-matcher.php | 5 ++++- 8 files changed, 37 insertions(+), 5 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index 7036dd3775cc1..dae71c4295348 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -122,7 +122,7 @@ public function __construct( string $name, ?string $matcher = null, ?string $val /** * Determines if the processor's current position matches the selector. * - * @param WP_HTML_Tag_Processor $processor + * @param WP_HTML_Tag_Processor $processor The processor. * @return bool True if the processor's current position matches the selector. */ public function matches( WP_HTML_Tag_Processor $processor ): bool { diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/class-wp-css-class-selector.php index c3e7ced008a6e..c9ab061578025 100644 --- a/src/wp-includes/html-api/class-wp-css-class-selector.php +++ b/src/wp-includes/html-api/class-wp-css-class-selector.php @@ -1,6 +1,12 @@ has_class( $this->ident ); } diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index 8cca2e27c9ec3..ce116a236e171 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -78,8 +78,10 @@ */ class WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Tag_Processor_Matcher { /** - * @param WP_HTML_Tag_Processor $processor - * @return bool + * Determines if the processor's current position matches the selector. + * + * @param WP_HTML_Tag_Processor $processor The processor. + * @return bool True if the processor's current position matches the selector. */ public function matches( $processor ): bool { if ( $processor->get_token_type() !== '#tag' ) { diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 2ef2051880936..0ae507803c42f 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -6,6 +6,12 @@ * > = [ ? * ]! */ final class WP_CSS_Compound_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { + /** + * Determines if the processor's current position matches the selector. + * + * @param WP_HTML_Tag_Processor $processor The processor. + * @return bool True if the processor's current position matches the selector. + */ public function matches( WP_HTML_Tag_Processor $processor ): bool { if ( $this->type_selector ) { if ( ! $this->type_selector->matches( $processor ) ) { diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index 83339ff839317..7e64432430409 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -8,6 +8,12 @@ public function __construct( string $ident ) { $this->ident = $ident; } + /** + * Determines if the processor's current position matches the selector. + * + * @param WP_HTML_Tag_Processor $processor The processor. + * @return bool True if the processor's current position matches the selector. + */ public function matches( WP_HTML_Tag_Processor $processor ): bool { $id = $processor->get_attribute( 'id' ); if ( ! is_string( $id ) ) { diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/class-wp-css-type-selector.php index 2a6bb952f5448..6bba9f7e2450e 100644 --- a/src/wp-includes/html-api/class-wp-css-type-selector.php +++ b/src/wp-includes/html-api/class-wp-css-type-selector.php @@ -1,6 +1,12 @@ get_tag(); if ( null === $tag_name ) { diff --git a/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php b/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php index 2ae29413b35d2..b77ef40931d83 100644 --- a/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php +++ b/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php @@ -2,7 +2,10 @@ interface WP_CSS_HTML_Processor_Matcher { /** - * @return bool + * Determines if the processor's current position matches the selector. + * + * @param WP_HTML_Processor $processor The processor. + * @return bool True if the processor's current position matches the selector. */ public function matches( WP_HTML_Processor $processor ): bool; } diff --git a/src/wp-includes/html-api/interface-wp-css-html-tag-processor-matcher.php b/src/wp-includes/html-api/interface-wp-css-html-tag-processor-matcher.php index 73d108150bb95..302ee8972a162 100644 --- a/src/wp-includes/html-api/interface-wp-css-html-tag-processor-matcher.php +++ b/src/wp-includes/html-api/interface-wp-css-html-tag-processor-matcher.php @@ -2,7 +2,10 @@ interface WP_CSS_HTML_Tag_Processor_Matcher { /** - * @return bool + * Determines if the processor's current position matches the selector. + * + * @param WP_HTML_Tag_Processor $processor The processor. + * @return bool True if the processor's current position matches the selector. */ public function matches( WP_HTML_Tag_Processor $processor ): bool; } From 1bacfd71810f4e39bcb5fd0eb83688c82878ea4a Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 18:17:58 +0100 Subject: [PATCH 103/187] Simplify condition in compound::matches --- src/wp-includes/html-api/class-wp-css-compound-selector.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 0ae507803c42f..f281146110f30 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -13,10 +13,8 @@ final class WP_CSS_Compound_Selector implements WP_CSS_HTML_Tag_Processor_Matche * @return bool True if the processor's current position matches the selector. */ public function matches( WP_HTML_Tag_Processor $processor ): bool { - if ( $this->type_selector ) { - if ( ! $this->type_selector->matches( $processor ) ) { - return false; - } + if ( $this->type_selector && ! $this->type_selector->matches( $processor ) ) { + return false; } if ( null !== $this->subclass_selectors ) { foreach ( $this->subclass_selectors as $subclass_selector ) { From a274ea0ffaed3785d12909c657b91594b76b13f4 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 18:20:19 +0100 Subject: [PATCH 104/187] Change class require order --- src/wp-settings.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/wp-settings.php b/src/wp-settings.php index b1f25042aa7d6..b52fe8ab6181c 100644 --- a/src/wp-settings.php +++ b/src/wp-settings.php @@ -267,10 +267,10 @@ require ABSPATH . WPINC . '/html-api/class-wp-html-processor.php'; require ABSPATH . WPINC . '/html-api/interface-wp-css-html-tag-processor-matcher.php'; require ABSPATH . WPINC . '/html-api/interface-wp-css-html-processor-matcher.php'; +require ABSPATH . WPINC . '/html-api/class-wp-css-attribute-selector.php'; +require ABSPATH . WPINC . '/html-api/class-wp-css-class-selector.php'; require ABSPATH . WPINC . '/html-api/class-wp-css-id-selector.php'; require ABSPATH . WPINC . '/html-api/class-wp-css-type-selector.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-class-selector.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-attribute-selector.php'; require ABSPATH . WPINC . '/html-api/class-wp-css-compound-selector.php'; require ABSPATH . WPINC . '/html-api/class-wp-css-complex-selector.php'; require ABSPATH . WPINC . '/html-api/class-wp-css-compound-selector-list.php'; From 12a0a99d4c4e7e51fcb18cae4b384dfe41f137a2 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 18:21:12 +0100 Subject: [PATCH 105/187] Annotate matches processor argument type --- .../html-api/class-wp-css-compound-selector-list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index ce116a236e171..27900d40a238c 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -83,7 +83,7 @@ class WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Tag_Processor_Matcher * @param WP_HTML_Tag_Processor $processor The processor. * @return bool True if the processor's current position matches the selector. */ - public function matches( $processor ): bool { + public function matches( WP_HTML_Tag_Processor $processor ): bool { if ( $processor->get_token_type() !== '#tag' ) { return false; } From 0e2b34aba90e3dad4354c362efe363ec8bb63532 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 18:28:06 +0100 Subject: [PATCH 106/187] Document class selector and update class_name property --- .../html-api/class-wp-css-class-selector.php | 42 +++++++++++++++---- .../html-api/wpCssComplexSelectorList.php | 2 +- .../html-api/wpCssCompoundSelectorList.php | 4 +- 3 files changed, 37 insertions(+), 11 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/class-wp-css-class-selector.php index c9ab061578025..cdd38d951e45c 100644 --- a/src/wp-includes/html-api/class-wp-css-class-selector.php +++ b/src/wp-includes/html-api/class-wp-css-class-selector.php @@ -1,6 +1,39 @@ class_name = $class_name; + } + /** * Determines if the processor's current position matches the selector. * @@ -8,13 +41,6 @@ final class WP_CSS_Class_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { * @return bool True if the processor's current position matches the selector. */ public function matches( WP_HTML_Tag_Processor $processor ): bool { - return (bool) $processor->has_class( $this->ident ); - } - - /** @var string */ - public $ident; - - public function __construct( string $ident ) { - $this->ident = $ident; + return (bool) $processor->has_class( $this->class_name ); } } diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php index dc89869ea2e66..1bf77f8c60317 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php @@ -47,7 +47,7 @@ public function test_parse_complex_selector() { $this->assertSame( 3, count( $sel->self_selector->subclass_selectors ) ); $this->assertNull( $sel->self_selector->type_selector ); - $this->assertSame( 'child', $sel->self_selector->subclass_selectors[0]->ident ); + $this->assertSame( 'child', $sel->self_selector->subclass_selectors[0]->class_name ); $this->assertSame( ', rest', substr( $input, $offset ) ); } diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index 715e0e26bc9cd..fa45ed767d5ca 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -239,7 +239,7 @@ public function test_parse_class( string $input, ?string $expected = null, ?stri if ( null === $expected ) { $this->assertNull( $result ); } else { - $this->assertSame( $expected, $result->ident ); + $this->assertSame( $expected, $result->class_name ); $this->assertSame( $rest, substr( $input, $offset ) ); } } @@ -383,7 +383,7 @@ public function test_parse_selector() { $this->assertSame( 'el', $sel->type_selector->ident ); $this->assertSame( 3, count( $sel->subclass_selectors ) ); - $this->assertSame( 'foo', $sel->subclass_selectors[0]->ident, 'foo' ); + $this->assertSame( 'foo', $sel->subclass_selectors[0]->class_name, 'foo' ); $this->assertSame( 'bar', $sel->subclass_selectors[1]->ident, 'bar' ); $this->assertSame( 'baz', $sel->subclass_selectors[2]->name, 'baz' ); $this->assertSame( WP_CSS_Attribute_Selector::MATCH_EXACT, $sel->subclass_selectors[2]->matcher ); From dea10291c67b55512658af04bc483385965acc08 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 18:33:24 +0100 Subject: [PATCH 107/187] Document ID selector class, rename id property --- .../html-api/class-wp-css-id-selector.php | 38 ++++++++++++++++--- .../html-api/wpCssCompoundSelectorList.php | 4 +- 2 files changed, 34 insertions(+), 8 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index 7e64432430409..5bb6438df6eb3 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -1,11 +1,37 @@ ident = $ident; + /** + * Constructor. + * + * @param string $id The ID to match. + */ + public function __construct( string $id ) { + $this->id = $id; } /** @@ -23,7 +49,7 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { $case_insensitive = $processor->is_quirks_mode(); return $case_insensitive - ? 0 === strcasecmp( $id, $this->ident ) - : $processor->get_attribute( 'id' ) === $this->ident; + ? 0 === strcasecmp( $id, $this->id ) + : $processor->get_attribute( 'id' ) === $this->id; } } diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index fa45ed767d5ca..8334ebd5a3a75 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -205,7 +205,7 @@ public function test_parse_id( string $input, ?string $expected = null, ?string if ( null === $expected ) { $this->assertNull( $result ); } else { - $this->assertSame( $expected, $result->ident ); + $this->assertSame( $expected, $result->id ); $this->assertSame( $rest, substr( $input, $offset ) ); } } @@ -384,7 +384,7 @@ public function test_parse_selector() { $this->assertSame( 'el', $sel->type_selector->ident ); $this->assertSame( 3, count( $sel->subclass_selectors ) ); $this->assertSame( 'foo', $sel->subclass_selectors[0]->class_name, 'foo' ); - $this->assertSame( 'bar', $sel->subclass_selectors[1]->ident, 'bar' ); + $this->assertSame( 'bar', $sel->subclass_selectors[1]->id, 'bar' ); $this->assertSame( 'baz', $sel->subclass_selectors[2]->name, 'baz' ); $this->assertSame( WP_CSS_Attribute_Selector::MATCH_EXACT, $sel->subclass_selectors[2]->matcher ); $this->assertSame( 'quux', $sel->subclass_selectors[2]->value ); From d268f4cfe03a3872865c94b5e03c2e815f106576 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 18:38:47 +0100 Subject: [PATCH 108/187] Document type selector class and rename type property --- .../html-api/class-wp-css-type-selector.php | 49 ++++++++++++++----- .../html-api/wpCssComplexSelectorList.php | 4 +- .../html-api/wpCssCompoundSelectorList.php | 4 +- 3 files changed, 40 insertions(+), 17 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/class-wp-css-type-selector.php index 6bba9f7e2450e..66d6a1f2db48f 100644 --- a/src/wp-includes/html-api/class-wp-css-type-selector.php +++ b/src/wp-includes/html-api/class-wp-css-type-selector.php @@ -1,6 +1,38 @@ type = $type; + } + /** * Determines if the processor's current position matches the selector. * @@ -16,24 +48,15 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { } /** + * Checks whether the selector matches the provided tag name. + * * @param string $tag_name * @return bool */ public function matches_tag( string $tag_name ): bool { - if ( '*' === $this->ident ) { + if ( '*' === $this->type ) { return true; } - return 0 === strcasecmp( $tag_name, $this->ident ); - } - - /** - * @var string - * - * The type identifier string or '*'. - */ - public $ident; - - public function __construct( string $ident ) { - $this->ident = $ident; + return 0 === strcasecmp( $tag_name, $this->type ); } } diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php index 1bf77f8c60317..076d5b6f65ee6 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php @@ -39,10 +39,10 @@ public function test_parse_complex_selector() { $this->assertSame( 2, count( $sel->context_selectors ) ); // Relative selectors should be reverse ordered. - $this->assertSame( 'el2', $sel->context_selectors[0][0]->ident ); + $this->assertSame( 'el2', $sel->context_selectors[0][0]->type ); $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->context_selectors[0][1] ); - $this->assertSame( 'el1', $sel->context_selectors[1][0]->ident ); + $this->assertSame( 'el1', $sel->context_selectors[1][0]->type ); $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT, $sel->context_selectors[1][1] ); $this->assertSame( 3, count( $sel->self_selector->subclass_selectors ) ); diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index 8334ebd5a3a75..1dfdc79714e2c 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -273,7 +273,7 @@ public function test_parse_type( string $input, ?string $expected = null, ?strin if ( null === $expected ) { $this->assertNull( $result ); } else { - $this->assertSame( $expected, $result->ident ); + $this->assertSame( $expected, $result->type ); $this->assertSame( $rest, substr( $input, $offset ) ); } } @@ -381,7 +381,7 @@ public function test_parse_selector() { $offset = 0; $sel = $this->test_class::test_parse_compound_selector( $input, $offset ); - $this->assertSame( 'el', $sel->type_selector->ident ); + $this->assertSame( 'el', $sel->type_selector->type ); $this->assertSame( 3, count( $sel->subclass_selectors ) ); $this->assertSame( 'foo', $sel->subclass_selectors[0]->class_name, 'foo' ); $this->assertSame( 'bar', $sel->subclass_selectors[1]->id, 'bar' ); From d89fbd989d86fb16f2d34eb896031d32db817055 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 19:03:35 +0100 Subject: [PATCH 109/187] Document compound selector --- .../class-wp-css-compound-selector.php | 63 ++++++++++++++----- 1 file changed, 46 insertions(+), 17 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index f281146110f30..19aad862db7e2 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -1,11 +1,55 @@ in the grammar. + * CSS compound selector. + * + * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. + * + * A compound selector is a combination of: + * - An optional type selector. + * - Zero or more subclass selectors (ID, class, or attribute selectors). + * - At least one of the above. * - * > = [ ? * ]! + * @since TBD + * + * @access private */ final class WP_CSS_Compound_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { + /** + * The type selector. + * + * @var WP_CSS_Type_Selector|null + */ + public $type_selector; + + /** + * The subclass selectors. + * + * Subclass selectors are ID, class, or attribute selectors. + * + * @var (WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector)[]|null + */ + public $subclass_selectors; + + /** + * Constructor. + * + * @param WP_CSS_Type_Selector|null $type_selector The type selector or null. + * @param (WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector)[]|null $subclass_selectors + * The array of subclass selectors or null. + */ + public function __construct( ?WP_CSS_Type_Selector $type_selector, ?array $subclass_selectors ) { + $this->type_selector = $type_selector; + $this->subclass_selectors = array() === $subclass_selectors ? null : $subclass_selectors; + } + /** * Determines if the processor's current position matches the selector. * @@ -25,19 +69,4 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { } return true; } - - /** @var WP_CSS_Type_Selector|null */ - public $type_selector; - - /** @var (WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector)[]|null */ - public $subclass_selectors; - - /** - * @param WP_CSS_Type_Selector|null $type_selector - * @param array $subclass_selectors - */ - public function __construct( ?WP_CSS_Type_Selector $type_selector, array $subclass_selectors ) { - $this->type_selector = $type_selector; - $this->subclass_selectors = array() === $subclass_selectors ? null : $subclass_selectors; - } } From 8ced3aa2da7f1c77a12b344516c9dae8eaad9be5 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 19:03:59 +0100 Subject: [PATCH 110/187] Improve attribute selector docs and types --- .../class-wp-css-attribute-selector.php | 111 +++++++++++------- .../class-wp-css-compound-selector-list.php | 2 +- .../class-wp-css-compound-selector.php | 2 +- .../html-api/wpCssCompoundSelectorList.php | 2 +- 4 files changed, 73 insertions(+), 44 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index dae71c4295348..b64efea0bb45c 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -19,98 +19,127 @@ */ final class WP_CSS_Attribute_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { /** - * [att=val] - * Represents an element with the att attribute whose value is exactly "val". + * The attribute value is matched exactly. + * + * @example + * + * [att=val] */ - const MATCH_EXACT = 'MATCH_EXACT'; + const MATCH_EXACT = 'exact'; /** - * [attr~=value] - * Represents elements with an attribute name of attr whose value is a - * whitespace-separated list of words, one of which is exactly value. + * The attribute value matches any value in a whitespace separated list of words exactly. + * + * @example + * + * [attr~=value] */ - const MATCH_ONE_OF_EXACT = 'MATCH_ONE_OF_EXACT'; + const MATCH_ONE_OF_EXACT = 'one-of'; /** - * [attr|=value] - * Represents elements with an attribute name of attr whose value can be exactly value or - * can begin with value immediately followed by a hyphen, - (U+002D). It is often used for - * language subcode matches. + * The attribute value is matched exactly or matches the beginning of the attribute + * immediately followed by a hyphen. + * + * @example + * + * [attr|=value] */ - const MATCH_EXACT_OR_EXACT_WITH_HYPHEN = 'MATCH_EXACT_OR_EXACT_WITH_HYPHEN'; + const MATCH_EXACT_OR_HYPHEN_PREFIXED = 'exact-or-hyphen-prefixed'; /** - * [attr^=value] - * Represents elements with an attribute name of attr whose value is prefixed (preceded) - * by value. + * The attribute value matches the start of the attribute. + * + * @example + * + * [attr^=value] */ - const MATCH_PREFIXED_BY = 'MATCH_PREFIXED_BY'; + const MATCH_PREFIXED_BY = 'prefixed'; /** - * [attr$=value] - * Represents elements with an attribute name of attr whose value is suffixed (followed) - * by value. + * The attribute value matches the end of the attribute. + * + * @example + * + * [attr$=value] */ - const MATCH_SUFFIXED_BY = 'MATCH_SUFFIXED_BY'; + const MATCH_SUFFIXED_BY = 'suffixed'; /** - * [attr*=value] - * Represents elements with an attribute name of attr whose value contains at least one - * occurrence of value within the string. + * The attribute value is contained in the attribute. + * + * @example + * + * [attr*=value] */ - const MATCH_CONTAINS = 'MATCH_CONTAINS'; + const MATCH_CONTAINS = 'contains'; /** - * Modifier for case sensitive matching - * [attr=value s] + * Modifier for case sensitive matching. + * + * @example + * + * [attr=value s] */ const MODIFIER_CASE_SENSITIVE = 'case-sensitive'; /** - * Modifier for case insensitive matching - * [attr=value i] + * Modifier for case insensitive matching. + * + * @example + * + * [attr=value i] */ const MODIFIER_CASE_INSENSITIVE = 'case-insensitive'; /** - * The attribute name. + * The name of the attribute to match. * * @var string - * @readonly */ public $name; /** * The attribute matcher. * - * @var null|self::MATCH_* - * @readonly + * Allowed string values are the class constants: + * - {@see WP_CSS_Attribute_Selector::MATCH_EXACT} + * - {@see WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT} + * - {@see WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_PREFIXED} + * - {@see WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY} + * - {@see WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY} + * - {@see WP_CSS_Attribute_Selector::MATCH_CONTAINS} + * + * @var string|null */ public $matcher; /** - * The attribute value. + * The attribute value to match. * * @var string|null - * @readonly */ public $value; /** * The attribute modifier. * - * @var null|self::MODIFIER_* - * @readonly + * Allowed string values are the class constants: + * - {@see WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE} + * - {@see WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE} + * + * @var string|null */ public $modifier; /** * Constructor. * - * @param string $name - * @param null|self::MATCH_* $matcher - * @param null|string $value - * @param null|self::MODIFIER_* $modifier + * @param string $name The attribute name. + * @param string|null $matcher The attribute matcher. + * Must be one of the class MATCH_* constants or null. + * @param string|null $value The attribute value to match. + * @param string|null $modifier The attribute case modifier. + * Must be one of the class MODIFIER_* constants or null. */ public function __construct( string $name, ?string $matcher = null, ?string $value = null, ?string $modifier = null ) { $this->name = $name; @@ -159,7 +188,7 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { } return false; - case self::MATCH_EXACT_OR_EXACT_WITH_HYPHEN: + case self::MATCH_EXACT_OR_HYPHEN_PREFIXED: // Attempt the full match first if ( $case_insensitive diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index 27900d40a238c..02a958e647ef1 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -294,7 +294,7 @@ final protected static function parse_attribute_selector( string $input, int &$o $updated_offset += 2; break; case '|': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN; + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_PREFIXED; $updated_offset += 2; break; case '^': diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 19aad862db7e2..414d36301ec5d 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -1,6 +1,6 @@ array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_EXACT_WITH_HYPHEN, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_PREFIXED, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), '[att=val I]' => array( '[att=val I]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), '[att=val S]' => array( '[att=val S]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), From ca1a12973819a7d7b3ea05b4bff160ced33532dd Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 19:04:11 +0100 Subject: [PATCH 111/187] Update matches docs --- src/wp-includes/html-api/class-wp-css-attribute-selector.php | 3 +-- src/wp-includes/html-api/class-wp-css-class-selector.php | 3 +-- src/wp-includes/html-api/class-wp-css-id-selector.php | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index b64efea0bb45c..fbdef5ce930be 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -10,8 +10,7 @@ /** * CSS attribute selector. * - * This class implements a CSS attribute selector and is used to test for matching HTML tags - * in a {@see WP_HTML_Tag_Processor}. + * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * * @since TBD * diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/class-wp-css-class-selector.php index cdd38d951e45c..02410546a4b52 100644 --- a/src/wp-includes/html-api/class-wp-css-class-selector.php +++ b/src/wp-includes/html-api/class-wp-css-class-selector.php @@ -10,8 +10,7 @@ /** * CSS class selector. * - * This class implements a CSS class selector and is used to test for matching HTML tags - * in a {@see WP_HTML_Tag_Processor}. + * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * * @since TBD * diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index 5bb6438df6eb3..ca61f00bb7e67 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -10,8 +10,7 @@ /** * CSS ID selector. * - * This class implements a CSS ID selector and is used to test for matching HTML tags - * in a {@see WP_HTML_Tag_Processor}. + * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * * @since TBD * From 71fd62aa9d5f8342ed221ec674c420753b838e14 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 19:15:27 +0100 Subject: [PATCH 112/187] Document complex selector class --- .../class-wp-css-complex-selector.php | 30 ++++++++++++------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index bd51884901d93..c6795254ea7b8 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -10,10 +10,10 @@ /** * CSS complex selector. * - * This class implements a CSS complex selector and is used to test for matching HTML tags - * in a {@see WP_HTML_Tag_Processor}. + * This class is used to test for matching HTML tags in a {@see WP_HTML_Processor}. * - * A complex selector is a selector with zero or more combinator-selector pairs. + * A compound selector is at least a single compound selector. There may be additional selectors + * with combinators. * * @since TBD * @@ -106,8 +106,10 @@ final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { public $context_selectors; /** - * @param WP_CSS_Compound_Selector $self_selector - * @param array{WP_CSS_Type_Selector, string}[]|null $selectors + * Constructor. + * + * @param WP_CSS_Compound_Selector $self_selector The selector in the final position. + * @param array{WP_CSS_Type_Selector, string}[]|null $selectors The context selectors. */ public function __construct( WP_CSS_Compound_Selector $self_selector, @@ -133,16 +135,15 @@ public function matches( WP_HTML_Processor $processor ): bool { return true; } - /** @var string[] */ $breadcrumbs = array_slice( array_reverse( $processor->get_breadcrumbs() ), 1 ); return $this->explore_matches( $this->context_selectors, $breadcrumbs ); } /** - * Checks for matches recursively comparing context selectors with breadcrumbs. + * Checks for matches by recursively comparing context selectors with breadcrumbs. * - * @param array{WP_CSS_Type_Selector, string}[] $selectors - * @param string[] $breadcrumbs + * @param array{WP_CSS_Type_Selector, string}[] $selectors Selectors to match. + * @param string[] $breadcrumbs Breadcrumbs. * @return bool True if a match is found, otherwise false. */ private function explore_matches( array $selectors, array $breadcrumbs ): bool { @@ -176,7 +177,16 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { return false; default: - throw new Exception( "Unsupported combinator '{$combinator}' found." ); + _doing_it_wrong( + __METHOD__, + sprintf( + // translators: %s: A CSS selector combinator like ">" or "+". + __( 'Unsupported combinator "%s" found.' ), + $combinator + ), + '6.8.0' + ); + return false; } } } From 25dbb198cbfa081931b9a60dbda7e5f682d4b8d4 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 19:23:28 +0100 Subject: [PATCH 113/187] PHP < 7.4 does not like this annotation --- .../html-api/class-wp-css-compound-selector-list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index 02a958e647ef1..a74ffe0f45fc9 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -83,7 +83,7 @@ class WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Tag_Processor_Matcher * @param WP_HTML_Tag_Processor $processor The processor. * @return bool True if the processor's current position matches the selector. */ - public function matches( WP_HTML_Tag_Processor $processor ): bool { + public function matches( $processor ): bool { if ( $processor->get_token_type() !== '#tag' ) { return false; } From 70cf7f7584b15ac2934dc90a86b030a21e2ad2d4 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 19:47:52 +0100 Subject: [PATCH 114/187] Update since annotations to 6.8.0 --- .../html-api/class-wp-css-attribute-selector.php | 4 ++-- src/wp-includes/html-api/class-wp-css-class-selector.php | 4 ++-- .../html-api/class-wp-css-complex-selector-list.php | 6 +++--- src/wp-includes/html-api/class-wp-css-complex-selector.php | 4 ++-- .../html-api/class-wp-css-compound-selector-list.php | 6 +++--- src/wp-includes/html-api/class-wp-css-compound-selector.php | 4 ++-- src/wp-includes/html-api/class-wp-css-id-selector.php | 4 ++-- src/wp-includes/html-api/class-wp-css-type-selector.php | 4 ++-- src/wp-includes/html-api/class-wp-html-processor.php | 4 ++-- src/wp-includes/html-api/class-wp-html-tag-processor.php | 4 ++-- tests/phpunit/tests/html-api/wpCssComplexSelectorList.php | 2 +- tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php | 2 +- tests/phpunit/tests/html-api/wpHtmlProcessor-select.php | 2 +- tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php | 2 +- 14 files changed, 26 insertions(+), 26 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index fbdef5ce930be..7543cb834e820 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since TBD + * @since 6.8.0 */ /** @@ -12,7 +12,7 @@ * * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * - * @since TBD + * @since 6.8.0 * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/class-wp-css-class-selector.php index 02410546a4b52..fa287cdf5c580 100644 --- a/src/wp-includes/html-api/class-wp-css-class-selector.php +++ b/src/wp-includes/html-api/class-wp-css-class-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since TBD + * @since 6.8.0 */ /** @@ -12,7 +12,7 @@ * * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * - * @since TBD + * @since 6.8.0 * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index 4a9fc03f582f8..fcc6032589584 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since TBD + * @since 6.8.0 */ /** @@ -28,7 +28,7 @@ * - Next sibling (`el + el`) * - Subsequent sibling (`el ~ el`) * - * @since TBD + * @since 6.8.0 * * @access private */ @@ -37,7 +37,7 @@ class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List impleme * Takes a CSS selector string and returns an instance of itself or `null` if the selector * string is invalid or unsupported. * - * @since TBD + * @since 6.8.0 * * @param string $input CSS selectors. * @return static|null diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index c6795254ea7b8..4461e4d7d92f3 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since TBD + * @since 6.8.0 */ /** @@ -15,7 +15,7 @@ * A compound selector is at least a single compound selector. There may be additional selectors * with combinators. * - * @since TBD + * @since 6.8.0 * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index a74ffe0f45fc9..a2ff48e089f5d 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since TBD + * @since 6.8.0 */ /** @@ -67,7 +67,7 @@ * - `svg|*` to select all SVG elements * - `html|title` to select only HTML TITLE elements. * - * @since TBD + * @since 6.8.0 * * @access private * @@ -116,7 +116,7 @@ protected function __construct( array $selectors ) { * Takes a CSS selector string and returns an instance of itself or `null` if the selector * string is invalid or unsupported. * - * @since TBD + * @since 6.8.0 * * @param string $input CSS selectors. * @return static|null diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 414d36301ec5d..9596876685212 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since TBD + * @since 6.8.0 */ /** @@ -17,7 +17,7 @@ * - Zero or more subclass selectors (ID, class, or attribute selectors). * - At least one of the above. * - * @since TBD + * @since 6.8.0 * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index ca61f00bb7e67..2a600923fa2a2 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since TBD + * @since 6.8.0 */ /** @@ -12,7 +12,7 @@ * * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * - * @since TBD + * @since 6.8.0 * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/class-wp-css-type-selector.php index 66d6a1f2db48f..3f7671851c375 100644 --- a/src/wp-includes/html-api/class-wp-css-type-selector.php +++ b/src/wp-includes/html-api/class-wp-css-type-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since TBD + * @since 6.8.0 */ /** @@ -12,7 +12,7 @@ * * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * - * @since TBD + * @since 6.8.0 * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php index 7ad65cb9d03d4..6685eaaf79aea 100644 --- a/src/wp-includes/html-api/class-wp-html-processor.php +++ b/src/wp-includes/html-api/class-wp-html-processor.php @@ -652,7 +652,7 @@ public function get_unsupported_exception() { * ); * } * - * @since TBD + * @since 6.8.0 * * @param string $selector_string Selector string. * @return Generator A generator pausing on each tag matching the selector. @@ -692,7 +692,7 @@ public function select_all( $selector_string ): Generator { * $processor->get_attribute( 'charset' ), // string(5) "utf-8" * ); * - * @since TBD + * @since 6.8.0 * * @param string $selector_string * @return bool True if a matching tag was found, otherwise false. diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php index a7633291b6bb2..8ea6e930f5b91 100644 --- a/src/wp-includes/html-api/class-wp-html-tag-processor.php +++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php @@ -877,7 +877,7 @@ public function change_parsing_namespace( string $new_namespace ): bool { * ); * } * - * @since TBD + * @since 6.8.0 * * @param string $selector_string Selector string. * @return Generator A generator pausing on each tag matching the selector. @@ -917,7 +917,7 @@ public function select_all( $selector_string ): Generator { * $processor->get_attribute( 'charset' ), // string(5) "utf-8" * ); * - * @since TBD + * @since 6.8.0 * * @param string $selector_string * @return bool True if a matching tag was found, otherwise false. diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php index 076d5b6f65ee6..829af95a55d5f 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since TBD + * @since 6.8.0 * * @group html-api */ diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index 2c7a4695f679e..c112585e622c8 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since TBD + * @since 6.8.0 * * @group html-api */ diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index 21828faf42e80..a8f6a7c949080 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -8,7 +8,7 @@ * @package WordPress * @subpackage HTML-API * - * @since TBD + * @since 6.8.0 * * @group html-api */ diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index 586e38b4bafb2..28f88778629ce 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -8,7 +8,7 @@ * @package WordPress * @subpackage HTML-API * - * @since TBD + * @since 6.8.0 * * @group html-api */ From 355c9a24e0d983813ae73e8cacc59287833d2846 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Mon, 9 Dec 2024 19:53:48 +0100 Subject: [PATCH 115/187] Update attr-modifier to match selectors grammar --- .../html-api/class-wp-css-compound-selector-list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index a2ff48e089f5d..fa12519540cc5 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -36,7 +36,7 @@ * = '[' ']' | * '[' [ | ] ? ']' * = [ '~' | '|' | '^' | '$' | '*' ]? '=' - * = i | I | s | S + * = i | s * * @link https://www.w3.org/TR/selectors/#grammar Refer to the grammar for more details. * From 3206e0b02f2d7f77cc52a0a3710f0d18ec73b9c3 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 18:25:36 +0100 Subject: [PATCH 116/187] Move parsing back to selector classes --- .../class-wp-css-attribute-selector.php | 122 ++- .../html-api/class-wp-css-class-selector.php | 28 +- .../class-wp-css-complex-selector-list.php | 96 +-- .../class-wp-css-complex-selector.php | 80 +- .../class-wp-css-compound-selector-list.php | 735 +----------------- .../class-wp-css-compound-selector.php | 60 +- .../html-api/class-wp-css-id-selector.php | 24 +- .../class-wp-css-selector-parser-matcher.php | 476 ++++++++++++ .../html-api/class-wp-css-type-selector.php | 30 +- ...nterface-wp-css-html-processor-matcher.php | 11 - ...face-wp-css-html-tag-processor-matcher.php | 11 - 11 files changed, 839 insertions(+), 834 deletions(-) create mode 100644 src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php delete mode 100644 src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php delete mode 100644 src/wp-includes/html-api/interface-wp-css-html-tag-processor-matcher.php diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index 7543cb834e820..700a8cba9bb0c 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -16,7 +16,7 @@ * * @access private */ -final class WP_CSS_Attribute_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { +final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser_Matcher { /** * The attribute value is matched exactly. * @@ -244,4 +244,124 @@ private function whitespace_delimited_list( string $input ): Generator { yield $value; } } + + /** + * Parses a selector string to create a selector instance. + * + * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method. + * + * @param string $input The selector string. + * @param int $offset The offset into the string. The offset is passed by reference and + * will be updated if the parse is successful. + * @return static|null The selector instance, or null if the parse was unsuccessful. + */ + public static function parse( string $input, int &$offset ): ?static { + // Need at least 3 bytes [x] + if ( $offset + 2 >= strlen( $input ) ) { + return null; + } + + $updated_offset = $offset; + + if ( '[' !== $input[ $updated_offset ] ) { + return null; + } + ++$updated_offset; + + self::parse_whitespace( $input, $updated_offset ); + $attr_name = self::parse_ident( $input, $updated_offset ); + if ( null === $attr_name ) { + return null; + } + self::parse_whitespace( $input, $updated_offset ); + + if ( $updated_offset >= strlen( $input ) ) { + return null; + } + + if ( ']' === $input[ $updated_offset ] ) { + $offset = $updated_offset + 1; + return new WP_CSS_Attribute_Selector( $attr_name ); + } + + // need to match at least `=x]` at this point + if ( $updated_offset + 3 >= strlen( $input ) ) { + return null; + } + + if ( '=' === $input[ $updated_offset ] ) { + ++$updated_offset; + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT; + } elseif ( '=' === $input[ $updated_offset + 1 ] ) { + switch ( $input[ $updated_offset ] ) { + case '~': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT; + $updated_offset += 2; + break; + case '|': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_PREFIXED; + $updated_offset += 2; + break; + case '^': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY; + $updated_offset += 2; + break; + case '$': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY; + $updated_offset += 2; + break; + case '*': + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_CONTAINS; + $updated_offset += 2; + break; + default: + return null; + } + } else { + return null; + } + + self::parse_whitespace( $input, $updated_offset ); + $attr_val = + self::parse_string( $input, $updated_offset ) ?? + self::parse_ident( $input, $updated_offset ); + + if ( null === $attr_val ) { + return null; + } + + self::parse_whitespace( $input, $updated_offset ); + if ( $updated_offset >= strlen( $input ) ) { + return null; + } + + $attr_modifier = null; + switch ( $input[ $updated_offset ] ) { + case 'i': + case 'I': + $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE; + ++$updated_offset; + break; + + case 's': + case 'S': + $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE; + ++$updated_offset; + break; + } + + if ( null !== $attr_modifier ) { + self::parse_whitespace( $input, $updated_offset ); + if ( $updated_offset >= strlen( $input ) ) { + return null; + } + } + + if ( ']' === $input[ $updated_offset ] ) { + $offset = $updated_offset + 1; + return new self( $attr_name, $attr_matcher, $attr_val, $attr_modifier ); + } + + return null; + } } diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/class-wp-css-class-selector.php index fa287cdf5c580..9abcb881ace49 100644 --- a/src/wp-includes/html-api/class-wp-css-class-selector.php +++ b/src/wp-includes/html-api/class-wp-css-class-selector.php @@ -16,7 +16,7 @@ * * @access private */ -final class WP_CSS_Class_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { +final class WP_CSS_Class_Selector extends WP_CSS_Selector_Parser_Matcher { /** * The class name to match. * @@ -42,4 +42,30 @@ public function __construct( string $class_name ) { public function matches( WP_HTML_Tag_Processor $processor ): bool { return (bool) $processor->has_class( $this->class_name ); } + + /** + * Parses a selector string to create a selector instance. + * + * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method. + * + * @param string $input The selector string. + * @param int $offset The offset into the string. The offset is passed by reference and + * will be updated if the parse is successful. + * @return static|null The selector instance, or null if the parse was unsuccessful. + */ + public static function parse( string $input, int &$offset ): ?static { + if ( $offset + 1 >= strlen( $input ) || '.' !== $input[ $offset ] ) { + return null; + } + + $updated_offset = $offset + 1; + $result = self::parse_ident( $input, $updated_offset ); + + if ( null === $result ) { + return null; + } + + $offset = $updated_offset; + return new self( $result ); + } } diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index fcc6032589584..10af613174a35 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -32,17 +32,18 @@ * * @access private */ -class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Processor_Matcher { +class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List { /** - * Takes a CSS selector string and returns an instance of itself or `null` if the selector - * string is invalid or unsupported. + * Parses a selector string to create a selector instance. * - * @since 6.8.0 + * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method. * - * @param string $input CSS selectors. - * @return static|null + * @param string $input The selector string. + * @param int $offset The offset into the string. The offset is passed by reference and + * will be updated if the parse is successful. + * @return static|null The selector instance, or null if the parse was unsuccessful. */ - public static function from_selectors( string $input ) { + public static function parse( string $input, int &$offset ): ?static { $input = self::normalize_selector_input( $input ); if ( '' === $input ) { @@ -51,7 +52,7 @@ public static function from_selectors( string $input ) { $offset = 0; - $selector = self::parse_complex_selector( $input, $offset ); + $selector = WP_CSS_Complex_Selector::parse( $input, $offset ); if ( null === $selector ) { return null; } @@ -65,7 +66,7 @@ public static function from_selectors( string $input ) { } ++$offset; self::parse_whitespace( $input, $offset ); - $selector = self::parse_complex_selector( $input, $offset ); + $selector = WP_CSS_Complex_Selector::parse( $input, $offset ); if ( null === $selector ) { return null; } @@ -75,81 +76,4 @@ public static function from_selectors( string $input ) { return new self( $selectors ); } - - /* - * ------------------------------ - * Selector parsing functionality - * ------------------------------ - */ - - /** - * Parses a complex selector. - * - * > = [ ? ]* - * - * @return WP_CSS_Complex_Selector|null - */ - final protected static function parse_complex_selector( string $input, int &$offset ): ?WP_CSS_Complex_Selector { - if ( $offset >= strlen( $input ) ) { - return null; - } - - $updated_offset = $offset; - $self_selector = self::parse_compound_selector( $input, $updated_offset ); - if ( null === $self_selector ) { - return null; - } - /** @var array{WP_CSS_Compound_Selector, string}[] */ - $selectors = array(); - - $found_whitespace = self::parse_whitespace( $input, $updated_offset ); - while ( $updated_offset < strlen( $input ) ) { - $combinator = null; - $next_selector = null; - - if ( - WP_CSS_Complex_Selector::COMBINATOR_CHILD === $input[ $updated_offset ] || - WP_CSS_Complex_Selector::COMBINATOR_NEXT_SIBLING === $input[ $updated_offset ] || - WP_CSS_Complex_Selector::COMBINATOR_SUBSEQUENT_SIBLING === $input[ $updated_offset ] - ) { - $combinator = $input[ $updated_offset ]; - ++$updated_offset; - self::parse_whitespace( $input, $updated_offset ); - - // A combinator has been found, failure to find a selector here is a parse error. - $next_selector = self::parse_compound_selector( $input, $updated_offset ); - if ( null === $next_selector ) { - return null; - } - } elseif ( $found_whitespace ) { - /* - * Whitespace is ambiguous, it could be a descendant combinator or - * insignificant whitespace. - */ - $next_selector = self::parse_compound_selector( $input, $updated_offset ); - if ( null !== $next_selector ) { - $combinator = WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT; - } - } - - if ( null === $next_selector ) { - break; - } - - // $self_selector will pass to a relative selector where only the type selector is allowed. - if ( null !== $self_selector->subclass_selectors || null === $self_selector->type_selector ) { - return null; - } - - /** @var array{WP_CSS_Compound_Selector, string} */ - $selector_pair = array( $self_selector->type_selector, $combinator ); - $selectors[] = $selector_pair; - $self_selector = $next_selector; - - $found_whitespace = self::parse_whitespace( $input, $updated_offset ); - } - $offset = $updated_offset; - - return new WP_CSS_Complex_Selector( $self_selector, array_reverse( $selectors ) ); - } } diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 4461e4d7d92f3..7c997c62a80f7 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -19,7 +19,7 @@ * * @access private */ -final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { +final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser_Matcher { /** * Child combinator. */ @@ -111,7 +111,7 @@ final class WP_CSS_Complex_Selector implements WP_CSS_HTML_Processor_Matcher { * @param WP_CSS_Compound_Selector $self_selector The selector in the final position. * @param array{WP_CSS_Type_Selector, string}[]|null $selectors The context selectors. */ - public function __construct( + private function __construct( WP_CSS_Compound_Selector $self_selector, ?array $context_selectors ) { @@ -125,7 +125,7 @@ public function __construct( * @param WP_HTML_Processor $processor The processor. * @return bool True if the processor's current position matches the selector. */ - public function matches( WP_HTML_Processor $processor ): bool { + public function matches( $processor ): bool { // First selector must match this location. if ( ! $this->self_selector->matches( $processor ) ) { return false; @@ -189,4 +189,78 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { return false; } } + + /** + * Parses a selector string to create a selector instance. + * + * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method. + * + * @param string $input The selector string. + * @param int $offset The offset into the string. The offset is passed by reference and + * will be updated if the parse is successful. + * @return static|null The selector instance, or null if the parse was unsuccessful. + */ + public static function parse( string $input, int &$offset ): ?static { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $updated_offset = $offset; + $self_selector = WP_CSS_Compound_Selector::parse( $input, $updated_offset ); + if ( null === $self_selector ) { + return null; + } + /** @var array{WP_CSS_Compound_Selector, string}[] */ + $selectors = array(); + + $found_whitespace = self::parse_whitespace( $input, $updated_offset ); + while ( $updated_offset < strlen( $input ) ) { + $combinator = null; + $next_selector = null; + + if ( + WP_CSS_Complex_Selector::COMBINATOR_CHILD === $input[ $updated_offset ] || + WP_CSS_Complex_Selector::COMBINATOR_NEXT_SIBLING === $input[ $updated_offset ] || + WP_CSS_Complex_Selector::COMBINATOR_SUBSEQUENT_SIBLING === $input[ $updated_offset ] + ) { + $combinator = $input[ $updated_offset ]; + ++$updated_offset; + self::parse_whitespace( $input, $updated_offset ); + + // A combinator has been found, failure to find a selector here is a parse error. + $next_selector = WP_CSS_Compound_Selector::parse( $input, $updated_offset ); + if ( null === $next_selector ) { + return null; + } + } elseif ( $found_whitespace ) { + /* + * Whitespace is ambiguous, it could be a descendant combinator or + * insignificant whitespace. + */ + $next_selector = WP_CSS_Compound_Selector::parse( $input, $updated_offset ); + if ( null !== $next_selector ) { + $combinator = WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT; + } + } + + if ( null === $next_selector ) { + break; + } + + // $self_selector will pass to a relative selector where only the type selector is allowed. + if ( null !== $self_selector->subclass_selectors || null === $self_selector->type_selector ) { + return null; + } + + /** @var array{WP_CSS_Compound_Selector, string} */ + $selector_pair = array( $self_selector->type_selector, $combinator ); + $selectors[] = $selector_pair; + $self_selector = $next_selector; + + $found_whitespace = self::parse_whitespace( $input, $updated_offset ); + } + $offset = $updated_offset; + + return new self( $self_selector, array_reverse( $selectors ) ); + } } diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index fa12519540cc5..a6f3b87409ff6 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -76,7 +76,7 @@ * @link https://www.w3.org/TR/selectors-api2/ * @link https://www.w3.org/TR/selectors-4/ */ -class WP_CSS_Compound_Selector_List implements WP_CSS_HTML_Tag_Processor_Matcher { +class WP_CSS_Compound_Selector_List extends WP_CSS_Selector_Parser_Matcher { /** * Determines if the processor's current position matches the selector. * @@ -121,7 +121,22 @@ protected function __construct( array $selectors ) { * @param string $input CSS selectors. * @return static|null */ - public static function from_selectors( string $input ) { + public static function from_selectors( string $input ): ?static { + $offset = 0; + return static::parse( $input, $offset ); + } + + /** + * Parses a selector string to create a selector instance. + * + * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method. + * + * @param string $input The selector string. + * @param int $offset The offset into the string. The offset is passed by reference and + * will be updated if the parse is successful. + * @return static|null The selector instance, or null if the parse was unsuccessful. + */ + public static function parse( string $input, int &$offset ): ?static { $input = self::normalize_selector_input( $input ); if ( '' === $input ) { @@ -130,7 +145,7 @@ public static function from_selectors( string $input ) { $offset = 0; - $selector = self::parse_compound_selector( $input, $offset ); + $selector = WP_CSS_Compound_Selector::parse( $input, $offset ); if ( null === $selector ) { return null; } @@ -144,7 +159,7 @@ public static function from_selectors( string $input ) { } ++$offset; self::parse_whitespace( $input, $offset ); - $selector = self::parse_compound_selector( $input, $offset ); + $selector = WP_CSS_Compound_Selector::parse( $input, $offset ); if ( null === $selector ) { return null; } @@ -154,716 +169,4 @@ public static function from_selectors( string $input ) { return new self( $selectors ); } - - /* - * ------------------------------ - * Selector parsing functionality - * ------------------------------ - */ - - /** - * Parse an ID selector - * - * > = - * - * https://www.w3.org/TR/selectors/#grammar - * - * @return WP_CSS_ID_Selector|null - */ - final protected static function parse_id_selector( string $input, int &$offset ): ?WP_CSS_ID_Selector { - $ident = self::parse_hash_token( $input, $offset ); - if ( null === $ident ) { - return null; - } - return new WP_CSS_ID_Selector( $ident ); - } - - /** - * Parse a class selector - * - * > = '.' - * - * https://www.w3.org/TR/selectors/#grammar - * - * @return WP_CSS_Class_Selector|null - */ - final protected static function parse_class_selector( string $input, int &$offset ): ?WP_CSS_Class_Selector { - if ( $offset + 1 >= strlen( $input ) || '.' !== $input[ $offset ] ) { - return null; - } - - $updated_offset = $offset + 1; - $result = self::parse_ident( $input, $updated_offset ); - - if ( null === $result ) { - return null; - } - - $offset = $updated_offset; - return new WP_CSS_Class_Selector( $result ); - } - - /** - * Parse a type selector - * - * > = | ? '*' - * > = [ | '*' ]? '|' - * > = ? - * - * Namespaces (e.g. |div, *|div, or namespace|div) are not supported, - * so this selector effectively matches * or ident. - * - * https://www.w3.org/TR/selectors/#grammar - * - * @return WP_CSS_Type_Selector|null - */ - final protected static function parse_type_selector( string $input, int &$offset ): ?WP_CSS_Type_Selector { - if ( $offset >= strlen( $input ) ) { - return null; - } - - if ( '*' === $input[ $offset ] ) { - ++$offset; - return new WP_CSS_Type_Selector( '*' ); - } - - $result = self::parse_ident( $input, $offset ); - if ( null === $result ) { - return null; - } - - return new WP_CSS_Type_Selector( $result ); - } - - /** - * Parse an attribute selector - * - * > = '[' ']' | - * > '[' [ | ] ? ']' - * > = [ '~' | '|' | '^' | '$' | '*' ]? '=' - * > = i | s - * > = ? - * - * Namespaces are not supported, so attribute names are effectively identifiers. - * - * https://www.w3.org/TR/selectors/#grammar - * - * @return WP_CSS_Attribute_Selector|null - */ - final protected static function parse_attribute_selector( string $input, int &$offset ): ?WP_CSS_Attribute_Selector { - // Need at least 3 bytes [x] - if ( $offset + 2 >= strlen( $input ) ) { - return null; - } - - $updated_offset = $offset; - - if ( '[' !== $input[ $updated_offset ] ) { - return null; - } - ++$updated_offset; - - self::parse_whitespace( $input, $updated_offset ); - $attr_name = self::parse_ident( $input, $updated_offset ); - if ( null === $attr_name ) { - return null; - } - self::parse_whitespace( $input, $updated_offset ); - - if ( $updated_offset >= strlen( $input ) ) { - return null; - } - - if ( ']' === $input[ $updated_offset ] ) { - $offset = $updated_offset + 1; - return new WP_CSS_Attribute_Selector( $attr_name ); - } - - // need to match at least `=x]` at this point - if ( $updated_offset + 3 >= strlen( $input ) ) { - return null; - } - - if ( '=' === $input[ $updated_offset ] ) { - ++$updated_offset; - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT; - } elseif ( '=' === $input[ $updated_offset + 1 ] ) { - switch ( $input[ $updated_offset ] ) { - case '~': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT; - $updated_offset += 2; - break; - case '|': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_PREFIXED; - $updated_offset += 2; - break; - case '^': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY; - $updated_offset += 2; - break; - case '$': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY; - $updated_offset += 2; - break; - case '*': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_CONTAINS; - $updated_offset += 2; - break; - default: - return null; - } - } else { - return null; - } - - self::parse_whitespace( $input, $updated_offset ); - $attr_val = - self::parse_string( $input, $updated_offset ) ?? - self::parse_ident( $input, $updated_offset ); - - if ( null === $attr_val ) { - return null; - } - - self::parse_whitespace( $input, $updated_offset ); - if ( $updated_offset >= strlen( $input ) ) { - return null; - } - - $attr_modifier = null; - switch ( $input[ $updated_offset ] ) { - case 'i': - case 'I': - $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE; - ++$updated_offset; - break; - - case 's': - case 'S': - $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE; - ++$updated_offset; - break; - } - - if ( null !== $attr_modifier ) { - self::parse_whitespace( $input, $updated_offset ); - if ( $updated_offset >= strlen( $input ) ) { - return null; - } - } - - if ( ']' === $input[ $updated_offset ] ) { - $offset = $updated_offset + 1; - return new WP_CSS_Attribute_Selector( $attr_name, $attr_matcher, $attr_val, $attr_modifier ); - } - - return null; - } - - /** - * Parses a compound selector. - * - * > = [ ? * ]! - * - * @return WP_CSS_Compound_Selector|null - */ - final protected static function parse_compound_selector( string $input, int &$offset ): ?WP_CSS_Compound_Selector { - if ( $offset >= strlen( $input ) ) { - return null; - } - - $updated_offset = $offset; - $type_selector = self::parse_type_selector( $input, $updated_offset ); - - $subclass_selectors = array(); - $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); - while ( null !== $last_parsed_subclass_selector ) { - $subclass_selectors[] = $last_parsed_subclass_selector; - $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); - } - - if ( null !== $type_selector || array() !== $subclass_selectors ) { - $offset = $updated_offset; - return new WP_CSS_Compound_Selector( $type_selector, $subclass_selectors ); - } - return null; - } - - /** - * Parses a subclass selector. - * - * > = | | - * - * @return WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector|null - */ - private static function parse_subclass_selector( string $input, int &$offset ) { - if ( $offset >= strlen( $input ) ) { - return null; - } - - $next_char = $input[ $offset ]; - return '.' === $next_char - ? self::parse_class_selector( $input, $offset ) - : ( - '#' === $next_char - ? self::parse_id_selector( $input, $offset ) - : ( '[' === $next_char - ? self::parse_attribute_selector( $input, $offset ) - : null - ) - ); - } - - - /* - * ------------------------ - * Selector partial parsing - * ------------------------ - * - * These functions consume parts of a selector string input when successful - * and return meaningful values to be used by selectors. - */ - - const UTF8_MAX_CODEPOINT_VALUE = 0x10FFFF; - const WHITESPACE_CHARACTERS = " \t\r\n\f"; - - final public static function parse_whitespace( string $input, int &$offset ): bool { - $length = strspn( $input, self::WHITESPACE_CHARACTERS, $offset ); - $advanced = $length > 0; - $offset += $length; - return $advanced; - } - - /** - * Tokenization of hash tokens - * - * > U+0023 NUMBER SIGN (#) - * > If the next input code point is an ident code point or the next two input code points are a valid escape, then: - * > 1. Create a . - * > 2. If the next 3 input code points would start an ident sequence, set the - * > ’s type flag to "id". - * > 3. Consume an ident sequence, and set the ’s value to the - * > returned string. - * > 4. Return the . - * > Otherwise, return a with its value set to the current input code point. - * - * This implementation is not interested in the , a '#' delim token is not relevant for selectors. - */ - final protected static function parse_hash_token( string $input, int &$offset ): ?string { - if ( $offset + 1 >= strlen( $input ) || '#' !== $input[ $offset ] ) { - return null; - } - - $updated_offset = $offset + 1; - $result = self::parse_ident( $input, $updated_offset ); - - if ( null === $result ) { - return null; - } - - $offset = $updated_offset; - return $result; - } - - /** - * Parse an ident token - * - * CAUTION: This method is _not_ for parsing and ID selector! - * - * > 4.3.11. Consume an ident sequence - * > This section describes how to consume an ident sequence from a stream of code points. It returns a string containing the largest name that can be formed from adjacent code points in the stream, starting from the first. - * > - * > Note: This algorithm does not do the verification of the first few code points that are necessary to ensure the returned code points would constitute an . If that is the intended use, ensure that the stream starts with an ident sequence before calling this algorithm. - * > - * > Let result initially be an empty string. - * > - * > Repeatedly consume the next input code point from the stream: - * > - * > ident code point - * > Append the code point to result. - * > the stream starts with a valid escape - * > Consume an escaped code point. Append the returned code point to result. - * > anything else - * > Reconsume the current input code point. Return result. - * - * https://www.w3.org/TR/css-syntax-3/#consume-name - * - * @return string|null - */ - final protected static function parse_ident( string $input, int &$offset ): ?string { - if ( ! self::check_if_three_code_points_would_start_an_ident_sequence( $input, $offset ) ) { - return null; - } - - $ident = ''; - - while ( $offset < strlen( $input ) ) { - if ( self::next_two_are_valid_escape( $input, $offset ) ) { - // Move past the `\` character. - ++$offset; - $ident .= self::consume_escaped_codepoint( $input, $offset ); - continue; - } elseif ( self::is_ident_codepoint( $input, $offset ) ) { - // @todo this should append and advance the correct number of bytes. - $ident .= $input[ $offset ]; - ++$offset; - continue; - } - break; - } - - return $ident; - } - - /** - * Parse a string token - * - * > 4.3.5. Consume a string token - * > This section describes how to consume a string token from a stream of code points. It returns either a or . - * > - * > This algorithm may be called with an ending code point, which denotes the code point that ends the string. If an ending code point is not specified, the current input code point is used. - * > - * > Initially create a with its value set to the empty string. - * > - * > Repeatedly consume the next input code point from the stream: - * > - * > ending code point - * > Return the . - * > EOF - * > This is a parse error. Return the . - * > newline - * > This is a parse error. Reconsume the current input code point, create a , and return it. - * > U+005C REVERSE SOLIDUS (\) - * > If the next input code point is EOF, do nothing. - * > Otherwise, if the next input code point is a newline, consume it. - * > Otherwise, (the stream starts with a valid escape) consume an escaped code point and append the returned code point to the ’s value. - * > - * > anything else - * > Append the current input code point to the ’s value. - * - * https://www.w3.org/TR/css-syntax-3/#consume-string-token - * - * This implementation will never return a because - * the is not a part of the selector grammar. That - * case is treated as failure to parse and null is returned. - * - * @return string|null - */ - final protected static function parse_string( string $input, int &$offset ): ?string { - if ( $offset >= strlen( $input ) ) { - return null; - } - - $ending_code_point = $input[ $offset ]; - if ( '"' !== $ending_code_point && "'" !== $ending_code_point ) { - return null; - } - - $string_token = ''; - - $updated_offset = $offset + 1; - $anything_else_mask = "\\\n{$ending_code_point}"; - while ( $updated_offset < strlen( $input ) ) { - $anything_else_length = strcspn( $input, $anything_else_mask, $updated_offset ); - if ( $anything_else_length > 0 ) { - $string_token .= substr( $input, $updated_offset, $anything_else_length ); - $updated_offset += $anything_else_length; - - if ( $updated_offset >= strlen( $input ) ) { - break; - } - } - - switch ( $input[ $updated_offset ] ) { - case '\\': - ++$updated_offset; - if ( $updated_offset >= strlen( $input ) ) { - break; - } - if ( "\n" === $input[ $updated_offset ] ) { - ++$updated_offset; - break; - } else { - $string_token .= self::consume_escaped_codepoint( $input, $updated_offset ); - } - break; - - /* - * This case would return a . - * The is not a part of the selector grammar - * so we do not return it and instead treat this as a - * failure to parse a string token. - */ - case "\n": - return null; - - case $ending_code_point: - ++$updated_offset; - break 2; - } - } - - $offset = $updated_offset; - return $string_token; - } - - /** - * Consume an escaped code point. - * - * > 4.3.7. Consume an escaped code point - * > This section describes how to consume an escaped code point. It assumes that the U+005C - * > REVERSE SOLIDUS (\) has already been consumed and that the next input code point has - * > already been verified to be part of a valid escape. It will return a code point. - * > - * > Consume the next input code point. - * > - * > hex digit - * > Consume as many hex digits as possible, but no more than 5. Note that this means 1-6 - * > hex digits have been consumed in total. If the next input code point is whitespace, - * > consume it as well. Interpret the hex digits as a hexadecimal number. If this number is - * > zero, or is for a surrogate, or is greater than the maximum allowed code point, return - * > U+FFFD REPLACEMENT CHARACTER (�). Otherwise, return the code point with that value. - * > EOF - * > This is a parse error. Return U+FFFD REPLACEMENT CHARACTER (�). - * > anything else - * > Return the current input code point. - * - * @param string $input - * @param int $offset - * @return string - */ - final protected static function consume_escaped_codepoint( $input, &$offset ): string { - $hex_length = strspn( $input, '0123456789abcdefABCDEF', $offset, 6 ); - if ( $hex_length > 0 ) { - /** - * The 6-character hex string has a maximum value of 0xFFFFFF. - * It is likely to fit in an int value and not be a float. - * - * @var int - */ - $codepoint_value = hexdec( substr( $input, $offset, $hex_length ) ); - - /* - * > A surrogate is a leading surrogate or a trailing surrogate. - * > A leading surrogate is a code point that is in the range U+D800 to U+DBFF, inclusive. - * > A trailing surrogate is a code point that is in the range U+DC00 to U+DFFF, inclusive. - * - * The surrogate ranges are adjacent, so the complete range is 0xD800 to 0xDFFF, inclusive. - */ - $codepoint_char = ( - 0 === $codepoint_value || - $codepoint_value > self::UTF8_MAX_CODEPOINT_VALUE || - ( 0xD800 <= $codepoint_value && $codepoint_value <= 0xDFFF ) - ) - ? "\u{FFFD}" - : mb_chr( $codepoint_value, 'UTF-8' ); - - $offset += $hex_length; - - // If the next input code point is whitespace, consume it as well. - if ( - strlen( $input ) > $offset && - ( - "\n" === $input[ $offset ] || - "\t" === $input[ $offset ] || - ' ' === $input[ $offset ] - ) - ) { - ++$offset; - } - return $codepoint_char; - } - - $codepoint_char = mb_substr( $input, $offset, 1, 'UTF-8' ); - $offset += strlen( $codepoint_char ); - return $codepoint_char; - } - - /* - * --------------------------- - * Selector parsing utiltities - * --------------------------- - * - * The following functions are used for parsing but do not consume any input. - */ - - /** - * Checks for two valid escape codepoints. - * - * > 4.3.8. Check if two code points are a valid escape - * > This section describes how to check if two code points are a valid escape. The algorithm described here can be called explicitly with two code points, or can be called with the input stream itself. In the latter case, the two code points in question are the current input code point and the next input code point, in that order. - * > - * > Note: This algorithm will not consume any additional code point. - * > - * > If the first code point is not U+005C REVERSE SOLIDUS (\), return false. - * > - * > Otherwise, if the second code point is a newline, return false. - * > - * > Otherwise, return true. - * - * https://www.w3.org/TR/css-syntax-3/#starts-with-a-valid-escape - * - * @todo this does not check whether the second codepoint is valid. - * - * @param string $input The input string. - * @param int $offset The byte offset in the string. - * @return bool True if the next two codepoints are a valid escape, otherwise false. - */ - final protected static function next_two_are_valid_escape( string $input, int $offset ): bool { - if ( $offset + 1 >= strlen( $input ) ) { - return false; - } - return '\\' === $input[ $offset ] && "\n" !== $input[ $offset + 1 ]; - } - - /** - * Checks if the next code point is an "ident start code point". - * - * Caution! This method does not do any bounds checking, it should not be passed - * a string with an offset that is out of bounds. - * - * > ident-start code point - * > A letter, a non-ASCII code point, or U+005F LOW LINE (_). - * > uppercase letter - * > A code point between U+0041 LATIN CAPITAL LETTER A (A) and U+005A LATIN CAPITAL LETTER Z (Z) inclusive. - * > lowercase letter - * > A code point between U+0061 LATIN SMALL LETTER A (a) and U+007A LATIN SMALL LETTER Z (z) inclusive. - * > letter - * > An uppercase letter or a lowercase letter. - * > non-ASCII code point - * > A code point with a value equal to or greater than U+0080 . - * - * @link https://www.w3.org/TR/css-syntax-3/#ident-start-code-point - * - * @param string $input The input string. - * @param int $offset The byte offset in the string. - * @return bool True if the next codepoint is an ident start code point, otherwise false. - */ - final protected static function is_ident_start_codepoint( string $input, int $offset ): bool { - return ( - '_' === $input[ $offset ] || - ( 'a' <= $input[ $offset ] && $input[ $offset ] <= 'z' ) || - ( 'A' <= $input[ $offset ] && $input[ $offset ] <= 'Z' ) || - ord( $input[ $offset ] ) > 0x7F - ); - } - - /** - * Checks if the next code point is an "ident code point". - * - * Caution! This method does not do any bounds checking, it should not be passed - * a string with an offset that is out of bounds. - * - * > ident code point - * > An ident-start code point, a digit, or U+002D HYPHEN-MINUS (-). - * > digit - * > A code point between U+0030 DIGIT ZERO (0) and U+0039 DIGIT NINE (9) inclusive. - * - * @link https://www.w3.org/TR/css-syntax-3/#ident-code-point - * - * @param string $input The input string. - * @param int $offset The byte offset in the string. - * @return bool True if the next codepoint is an ident code point, otherwise false. - */ - final protected static function is_ident_codepoint( string $input, int $offset ): bool { - return '-' === $input[ $offset ] || - ( '0' <= $input[ $offset ] && $input[ $offset ] <= '9' ) || - self::is_ident_start_codepoint( $input, $offset ); - } - - /** - * Checks if three code points would start an ident sequence. - * - * > 4.3.9. Check if three code points would start an ident sequence - * > This section describes how to check if three code points would start an ident sequence. The algorithm described here can be called explicitly with three code points, or can be called with the input stream itself. In the latter case, the three code points in question are the current input code point and the next two input code points, in that order. - * > - * > Note: This algorithm will not consume any additional code points. - * > - * > Look at the first code point: - * > - * > U+002D HYPHEN-MINUS - * > If the second code point is an ident-start code point or a U+002D HYPHEN-MINUS, or the second and third code points are a valid escape, return true. Otherwise, return false. - * > ident-start code point - * > Return true. - * > U+005C REVERSE SOLIDUS (\) - * > If the first and second code points are a valid escape, return true. Otherwise, return false. - * > anything else - * > Return false. - * - * @link https://www.w3.org/TR/css-syntax-3/#would-start-an-identifier - * - * @param string $input The input string. - * @param int $offset The byte offset in the string. - * @return bool True if the next three codepoints would start an ident sequence, otherwise false. - */ - final protected static function check_if_three_code_points_would_start_an_ident_sequence( string $input, int $offset ): bool { - if ( $offset >= strlen( $input ) ) { - return false; - } - - // > U+005C REVERSE SOLIDUS (\) - if ( '\\' === $input[ $offset ] ) { - return self::next_two_are_valid_escape( $input, $offset ); - } - - // > U+002D HYPHEN-MINUS - if ( '-' === $input[ $offset ] ) { - $after_initial_hyphen_minus_offset = $offset + 1; - if ( $after_initial_hyphen_minus_offset >= strlen( $input ) ) { - return false; - } - - // > If the second code point is… U+002D HYPHEN-MINUS… return true - if ( '-' === $input[ $after_initial_hyphen_minus_offset ] ) { - return true; - } - - // > If the second and third code points are a valid escape… return true. - if ( self::next_two_are_valid_escape( $input, $after_initial_hyphen_minus_offset ) ) { - return true; - } - - // > If the second code point is an ident-start code point… return true. - if ( self::is_ident_start_codepoint( $input, $after_initial_hyphen_minus_offset ) ) { - return true; - } - - // > Otherwise, return false. - return false; - } - - // > ident-start code point - // > Return true. - // > anything else - // > Return false. - return self::is_ident_start_codepoint( $input, $offset ); - } - - /** - * @todo doc… - */ - final protected static function normalize_selector_input( string $input ): string { - /* - * > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace… - * - * This list includes \f. - * A later step would normalize it to a known whitespace character, but it can be trimmed here as well. - */ - $input = trim( $input, " \t\r\n\r\f" ); - - /* - * > The input stream consists of the filtered code points pushed into it as the input byte stream is decoded. - * > - * > To filter code points from a stream of (unfiltered) code points input: - * > Replace any U+000D CARRIAGE RETURN (CR) code points, U+000C FORM FEED (FF) code points, or pairs of U+000D CARRIAGE RETURN (CR) followed by U+000A LINE FEED (LF) in input by a single U+000A LINE FEED (LF) code point. - * > Replace any U+0000 NULL or surrogate code points in input with U+FFFD REPLACEMENT CHARACTER (�). - * - * https://www.w3.org/TR/css-syntax-3/#input-preprocessing - */ - $input = str_replace( array( "\r\n" ), "\n", $input ); - $input = str_replace( array( "\r", "\f" ), "\n", $input ); - $input = str_replace( "\0", "\u{FFFD}", $input ); - - return $input; - } } diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 9596876685212..68aca4d880e0d 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -21,7 +21,7 @@ * * @access private */ -final class WP_CSS_Compound_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { +final class WP_CSS_Compound_Selector extends WP_CSS_Selector_Parser_Matcher { /** * The type selector. * @@ -69,4 +69,62 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { } return true; } + + /** + * Parses a selector string to create a selector instance. + * + * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method. + * + * @param string $input The selector string. + * @param int $offset The offset into the string. The offset is passed by reference and + * will be updated if the parse is successful. + * @return static|null The selector instance, or null if the parse was unsuccessful. + */ + public static function parse( string $input, int &$offset ): ?static { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $updated_offset = $offset; + $type_selector = WP_CSS_Type_Selector::parse( $input, $updated_offset ); + + $subclass_selectors = array(); + $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); + while ( null !== $last_parsed_subclass_selector ) { + $subclass_selectors[] = $last_parsed_subclass_selector; + $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); + } + + // @todo invert this condition + if ( null !== $type_selector || array() !== $subclass_selectors ) { + $offset = $updated_offset; + return new self( $type_selector, $subclass_selectors ); + } + return null; + } + + /** + * Parses a subclass selector. + * + * > = | | + * + * @return WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector|null + */ + private static function parse_subclass_selector( string $input, int &$offset ) { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $next_char = $input[ $offset ]; + return '.' === $next_char + ? WP_CSS_Class_Selector::parse( $input, $offset ) + : ( + '#' === $next_char + ? WP_CSS_ID_Selector::parse( $input, $offset ) + : ( '[' === $next_char + ? WP_CSS_Attribute_Selector::parse( $input, $offset ) + : null + ) + ); + } } diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index 2a600923fa2a2..de854c37eea9f 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -16,7 +16,7 @@ * * @access private */ -final class WP_CSS_ID_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { +final class WP_CSS_ID_Selector extends WP_CSS_Selector_Parser_Matcher { /** * The ID to match. * @@ -48,7 +48,25 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { $case_insensitive = $processor->is_quirks_mode(); return $case_insensitive - ? 0 === strcasecmp( $id, $this->id ) - : $processor->get_attribute( 'id' ) === $this->id; + ? 0 === strcasecmp( $id, $this->id ) + : $processor->get_attribute( 'id' ) === $this->id; + } + + /** + * Parses a selector string to create a selector instance. + * + * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method. + * + * @param string $input The selector string. + * @param int $offset The offset into the string. The offset is passed by reference and + * will be updated if the parse is successful. + * @return static|null The selector instance, or null if the parse was unsuccessful. + */ + public static function parse( string $input, int &$offset ): ?static { + $ident = self::parse_hash_token( $input, $offset ); + if ( null === $ident ) { + return null; + } + return new self( $ident ); } } diff --git a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php new file mode 100644 index 0000000000000..8820115f03cfb --- /dev/null +++ b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php @@ -0,0 +1,476 @@ + 0; + $offset += $length; + return $advanced; + } + + /** + * Tokenization of hash tokens + * + * > U+0023 NUMBER SIGN (#) + * > If the next input code point is an ident code point or the next two input code points are a valid escape, then: + * > 1. Create a . + * > 2. If the next 3 input code points would start an ident sequence, set the + * > ’s type flag to "id". + * > 3. Consume an ident sequence, and set the ’s value to the + * > returned string. + * > 4. Return the . + * > Otherwise, return a with its value set to the current input code point. + * + * This implementation is not interested in the , a '#' delim token is not relevant for selectors. + */ + final protected static function parse_hash_token( string $input, int &$offset ): ?string { + if ( $offset + 1 >= strlen( $input ) || '#' !== $input[ $offset ] ) { + return null; + } + + $updated_offset = $offset + 1; + $result = self::parse_ident( $input, $updated_offset ); + + if ( null === $result ) { + return null; + } + + $offset = $updated_offset; + return $result; + } + + /** + * Parse a string token + * + * > 4.3.5. Consume a string token + * > This section describes how to consume a string token from a stream of code points. It returns either a or . + * > + * > This algorithm may be called with an ending code point, which denotes the code point that ends the string. If an ending code point is not specified, the current input code point is used. + * > + * > Initially create a with its value set to the empty string. + * > + * > Repeatedly consume the next input code point from the stream: + * > + * > ending code point + * > Return the . + * > EOF + * > This is a parse error. Return the . + * > newline + * > This is a parse error. Reconsume the current input code point, create a , and return it. + * > U+005C REVERSE SOLIDUS (\) + * > If the next input code point is EOF, do nothing. + * > Otherwise, if the next input code point is a newline, consume it. + * > Otherwise, (the stream starts with a valid escape) consume an escaped code point and append the returned code point to the ’s value. + * > + * > anything else + * > Append the current input code point to the ’s value. + * + * https://www.w3.org/TR/css-syntax-3/#consume-string-token + * + * This implementation will never return a because + * the is not a part of the selector grammar. That + * case is treated as failure to parse and null is returned. + * + * @return string|null + */ + final protected static function parse_string( string $input, int &$offset ): ?string { + if ( $offset >= strlen( $input ) ) { + return null; + } + + $ending_code_point = $input[ $offset ]; + if ( '"' !== $ending_code_point && "'" !== $ending_code_point ) { + return null; + } + + $string_token = ''; + + $updated_offset = $offset + 1; + $anything_else_mask = "\\\n{$ending_code_point}"; + while ( $updated_offset < strlen( $input ) ) { + $anything_else_length = strcspn( $input, $anything_else_mask, $updated_offset ); + if ( $anything_else_length > 0 ) { + $string_token .= substr( $input, $updated_offset, $anything_else_length ); + $updated_offset += $anything_else_length; + + if ( $updated_offset >= strlen( $input ) ) { + break; + } + } + + switch ( $input[ $updated_offset ] ) { + case '\\': + ++$updated_offset; + if ( $updated_offset >= strlen( $input ) ) { + break; + } + if ( "\n" === $input[ $updated_offset ] ) { + ++$updated_offset; + break; + } else { + $string_token .= self::consume_escaped_codepoint( $input, $updated_offset ); + } + break; + + /* + * This case would return a . + * The is not a part of the selector grammar + * so we do not return it and instead treat this as a + * failure to parse a string token. + */ + case "\n": + return null; + + case $ending_code_point: + ++$updated_offset; + break 2; + } + } + + $offset = $updated_offset; + return $string_token; + } + + /** + * Consume an escaped code point. + * + * > 4.3.7. Consume an escaped code point + * > This section describes how to consume an escaped code point. It assumes that the U+005C + * > REVERSE SOLIDUS (\) has already been consumed and that the next input code point has + * > already been verified to be part of a valid escape. It will return a code point. + * > + * > Consume the next input code point. + * > + * > hex digit + * > Consume as many hex digits as possible, but no more than 5. Note that this means 1-6 + * > hex digits have been consumed in total. If the next input code point is whitespace, + * > consume it as well. Interpret the hex digits as a hexadecimal number. If this number is + * > zero, or is for a surrogate, or is greater than the maximum allowed code point, return + * > U+FFFD REPLACEMENT CHARACTER (�). Otherwise, return the code point with that value. + * > EOF + * > This is a parse error. Return U+FFFD REPLACEMENT CHARACTER (�). + * > anything else + * > Return the current input code point. + * + * @param string $input + * @param int $offset + * @return string + */ + final protected static function consume_escaped_codepoint( $input, &$offset ): string { + $hex_length = strspn( $input, '0123456789abcdefABCDEF', $offset, 6 ); + if ( $hex_length > 0 ) { + /** + * The 6-character hex string has a maximum value of 0xFFFFFF. + * It is likely to fit in an int value and not be a float. + * + * @var int + */ + $codepoint_value = hexdec( substr( $input, $offset, $hex_length ) ); + + /* + * > A surrogate is a leading surrogate or a trailing surrogate. + * > A leading surrogate is a code point that is in the range U+D800 to U+DBFF, inclusive. + * > A trailing surrogate is a code point that is in the range U+DC00 to U+DFFF, inclusive. + * + * The surrogate ranges are adjacent, so the complete range is 0xD800 to 0xDFFF, inclusive. + */ + $codepoint_char = ( + 0 === $codepoint_value || + $codepoint_value > self::UTF8_MAX_CODEPOINT_VALUE || + ( 0xD800 <= $codepoint_value && $codepoint_value <= 0xDFFF ) + ) + ? "\u{FFFD}" + : mb_chr( $codepoint_value, 'UTF-8' ); + + $offset += $hex_length; + + // If the next input code point is whitespace, consume it as well. + if ( + strlen( $input ) > $offset && + ( + "\n" === $input[ $offset ] || + "\t" === $input[ $offset ] || + ' ' === $input[ $offset ] + ) + ) { + ++$offset; + } + return $codepoint_char; + } + + $codepoint_char = mb_substr( $input, $offset, 1, 'UTF-8' ); + $offset += strlen( $codepoint_char ); + return $codepoint_char; + } + + /** + * Parse an ident token + * + * CAUTION: This method is _not_ for parsing and ID selector! + * + * > 4.3.11. Consume an ident sequence + * > This section describes how to consume an ident sequence from a stream of code points. It returns a string containing the largest name that can be formed from adjacent code points in the stream, starting from the first. + * > + * > Note: This algorithm does not do the verification of the first few code points that are necessary to ensure the returned code points would constitute an . If that is the intended use, ensure that the stream starts with an ident sequence before calling this algorithm. + * > + * > Let result initially be an empty string. + * > + * > Repeatedly consume the next input code point from the stream: + * > + * > ident code point + * > Append the code point to result. + * > the stream starts with a valid escape + * > Consume an escaped code point. Append the returned code point to result. + * > anything else + * > Reconsume the current input code point. Return result. + * + * https://www.w3.org/TR/css-syntax-3/#consume-name + * + * @return string|null + */ + final protected static function parse_ident( string $input, int &$offset ): ?string { + if ( ! self::check_if_three_code_points_would_start_an_ident_sequence( $input, $offset ) ) { + return null; + } + + $ident = ''; + + while ( $offset < strlen( $input ) ) { + if ( self::next_two_are_valid_escape( $input, $offset ) ) { + // Move past the `\` character. + ++$offset; + $ident .= self::consume_escaped_codepoint( $input, $offset ); + continue; + } elseif ( self::is_ident_codepoint( $input, $offset ) ) { + // @todo this should append and advance the correct number of bytes. + $ident .= $input[ $offset ]; + ++$offset; + continue; + } + break; + } + + return $ident; + } + + /* + * -------------------------- + * Selector parsing utilities + * -------------------------- + * + * The following functions are used for parsing but do not consume any input. + */ + + /** + * Checks for two valid escape codepoints. + * + * > 4.3.8. Check if two code points are a valid escape + * > This section describes how to check if two code points are a valid escape. The algorithm described here can be called explicitly with two code points, or can be called with the input stream itself. In the latter case, the two code points in question are the current input code point and the next input code point, in that order. + * > + * > Note: This algorithm will not consume any additional code point. + * > + * > If the first code point is not U+005C REVERSE SOLIDUS (\), return false. + * > + * > Otherwise, if the second code point is a newline, return false. + * > + * > Otherwise, return true. + * + * https://www.w3.org/TR/css-syntax-3/#starts-with-a-valid-escape + * + * @todo this does not check whether the second codepoint is valid. + * + * @param string $input The input string. + * @param int $offset The byte offset in the string. + * @return bool True if the next two codepoints are a valid escape, otherwise false. + */ + final protected static function next_two_are_valid_escape( string $input, int $offset ): bool { + if ( $offset + 1 >= strlen( $input ) ) { + return false; + } + return '\\' === $input[ $offset ] && "\n" !== $input[ $offset + 1 ]; + } + + /** + * Checks if the next code point is an "ident start code point". + * + * Caution! This method does not do any bounds checking, it should not be passed + * a string with an offset that is out of bounds. + * + * > ident-start code point + * > A letter, a non-ASCII code point, or U+005F LOW LINE (_). + * > uppercase letter + * > A code point between U+0041 LATIN CAPITAL LETTER A (A) and U+005A LATIN CAPITAL LETTER Z (Z) inclusive. + * > lowercase letter + * > A code point between U+0061 LATIN SMALL LETTER A (a) and U+007A LATIN SMALL LETTER Z (z) inclusive. + * > letter + * > An uppercase letter or a lowercase letter. + * > non-ASCII code point + * > A code point with a value equal to or greater than U+0080 . + * + * @link https://www.w3.org/TR/css-syntax-3/#ident-start-code-point + * + * @param string $input The input string. + * @param int $offset The byte offset in the string. + * @return bool True if the next codepoint is an ident start code point, otherwise false. + */ + final protected static function is_ident_start_codepoint( string $input, int $offset ): bool { + return ( + '_' === $input[ $offset ] || + ( 'a' <= $input[ $offset ] && $input[ $offset ] <= 'z' ) || + ( 'A' <= $input[ $offset ] && $input[ $offset ] <= 'Z' ) || + ord( $input[ $offset ] ) > 0x7F + ); + } + + /** + * Checks if the next code point is an "ident code point". + * + * Caution! This method does not do any bounds checking, it should not be passed + * a string with an offset that is out of bounds. + * + * > ident code point + * > An ident-start code point, a digit, or U+002D HYPHEN-MINUS (-). + * > digit + * > A code point between U+0030 DIGIT ZERO (0) and U+0039 DIGIT NINE (9) inclusive. + * + * @link https://www.w3.org/TR/css-syntax-3/#ident-code-point + * + * @param string $input The input string. + * @param int $offset The byte offset in the string. + * @return bool True if the next codepoint is an ident code point, otherwise false. + */ + final protected static function is_ident_codepoint( string $input, int $offset ): bool { + return '-' === $input[ $offset ] || + ( '0' <= $input[ $offset ] && $input[ $offset ] <= '9' ) || + self::is_ident_start_codepoint( $input, $offset ); + } + + /** + * Checks if three code points would start an ident sequence. + * + * > 4.3.9. Check if three code points would start an ident sequence + * > This section describes how to check if three code points would start an ident sequence. The algorithm described here can be called explicitly with three code points, or can be called with the input stream itself. In the latter case, the three code points in question are the current input code point and the next two input code points, in that order. + * > + * > Note: This algorithm will not consume any additional code points. + * > + * > Look at the first code point: + * > + * > U+002D HYPHEN-MINUS + * > If the second code point is an ident-start code point or a U+002D HYPHEN-MINUS, or the second and third code points are a valid escape, return true. Otherwise, return false. + * > ident-start code point + * > Return true. + * > U+005C REVERSE SOLIDUS (\) + * > If the first and second code points are a valid escape, return true. Otherwise, return false. + * > anything else + * > Return false. + * + * @link https://www.w3.org/TR/css-syntax-3/#would-start-an-identifier + * + * @param string $input The input string. + * @param int $offset The byte offset in the string. + * @return bool True if the next three codepoints would start an ident sequence, otherwise false. + */ + final protected static function check_if_three_code_points_would_start_an_ident_sequence( string $input, int $offset ): bool { + if ( $offset >= strlen( $input ) ) { + return false; + } + + // > U+005C REVERSE SOLIDUS (\) + if ( '\\' === $input[ $offset ] ) { + return self::next_two_are_valid_escape( $input, $offset ); + } + + // > U+002D HYPHEN-MINUS + if ( '-' === $input[ $offset ] ) { + $after_initial_hyphen_minus_offset = $offset + 1; + if ( $after_initial_hyphen_minus_offset >= strlen( $input ) ) { + return false; + } + + // > If the second code point is… U+002D HYPHEN-MINUS… return true + if ( '-' === $input[ $after_initial_hyphen_minus_offset ] ) { + return true; + } + + // > If the second and third code points are a valid escape… return true. + if ( self::next_two_are_valid_escape( $input, $after_initial_hyphen_minus_offset ) ) { + return true; + } + + // > If the second code point is an ident-start code point… return true. + if ( self::is_ident_start_codepoint( $input, $after_initial_hyphen_minus_offset ) ) { + return true; + } + + // > Otherwise, return false. + return false; + } + + // > ident-start code point + // > Return true. + // > anything else + // > Return false. + return self::is_ident_start_codepoint( $input, $offset ); + } + + /** + * @todo doc… + */ + final protected static function normalize_selector_input( string $input ): string { + /* + * > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace… + * + * This list includes \f. + * A later step would normalize it to a known whitespace character, but it can be trimmed here as well. + */ + $input = trim( $input, " \t\r\n\r\f" ); + + /* + * > The input stream consists of the filtered code points pushed into it as the input byte stream is decoded. + * > + * > To filter code points from a stream of (unfiltered) code points input: + * > Replace any U+000D CARRIAGE RETURN (CR) code points, U+000C FORM FEED (FF) code points, or pairs of U+000D CARRIAGE RETURN (CR) followed by U+000A LINE FEED (LF) in input by a single U+000A LINE FEED (LF) code point. + * > Replace any U+0000 NULL or surrogate code points in input with U+FFFD REPLACEMENT CHARACTER (�). + * + * https://www.w3.org/TR/css-syntax-3/#input-preprocessing + */ + $input = str_replace( array( "\r\n" ), "\n", $input ); + $input = str_replace( array( "\r", "\f" ), "\n", $input ); + $input = str_replace( "\0", "\u{FFFD}", $input ); + + return $input; + } +} diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/class-wp-css-type-selector.php index 3f7671851c375..492569ee51d65 100644 --- a/src/wp-includes/html-api/class-wp-css-type-selector.php +++ b/src/wp-includes/html-api/class-wp-css-type-selector.php @@ -16,7 +16,7 @@ * * @access private */ -final class WP_CSS_Type_Selector implements WP_CSS_HTML_Tag_Processor_Matcher { +final class WP_CSS_Type_Selector extends WP_CSS_Selector_Parser_Matcher { /** * The element type (tag name) to match or '*' to match any element. * @@ -59,4 +59,32 @@ public function matches_tag( string $tag_name ): bool { } return 0 === strcasecmp( $tag_name, $this->type ); } + + /** + * Parses a selector string to create a selector instance. + * + * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method. + * + * @param string $input The selector string. + * @param int $offset The offset into the string. The offset is passed by reference and + * will be updated if the parse is successful. + * @return static|null The selector instance, or null if the parse was unsuccessful. + */ + public static function parse( string $input, int &$offset ): ?static { + if ( $offset >= strlen( $input ) ) { + return null; + } + + if ( '*' === $input[ $offset ] ) { + ++$offset; + return new WP_CSS_Type_Selector( '*' ); + } + + $result = self::parse_ident( $input, $offset ); + if ( null === $result ) { + return null; + } + + return new self( $result ); + } } diff --git a/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php b/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php deleted file mode 100644 index b77ef40931d83..0000000000000 --- a/src/wp-includes/html-api/interface-wp-css-html-processor-matcher.php +++ /dev/null @@ -1,11 +0,0 @@ - Date: Wed, 11 Dec 2024 18:44:24 +0100 Subject: [PATCH 117/187] Update tests for class parsing --- .../tests/html-api/wpCssAttributeSelector.php | 90 ++++ .../tests/html-api/wpCssClassSelector.php | 49 +++ .../tests/html-api/wpCssComplexSelector.php | 71 ++++ .../html-api/wpCssComplexSelectorList.php | 73 +--- .../tests/html-api/wpCssCompoundSelector.php | 44 ++ .../html-api/wpCssCompoundSelectorList.php | 395 +----------------- .../tests/html-api/wpCssIdSelector.php | 50 +++ .../html-api/wpCssSelectorParserMatcher.php | 172 ++++++++ .../tests/html-api/wpCssTypeSelector.php | 51 +++ 9 files changed, 532 insertions(+), 463 deletions(-) create mode 100644 tests/phpunit/tests/html-api/wpCssAttributeSelector.php create mode 100644 tests/phpunit/tests/html-api/wpCssClassSelector.php create mode 100644 tests/phpunit/tests/html-api/wpCssComplexSelector.php create mode 100644 tests/phpunit/tests/html-api/wpCssCompoundSelector.php create mode 100644 tests/phpunit/tests/html-api/wpCssIdSelector.php create mode 100644 tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php create mode 100644 tests/phpunit/tests/html-api/wpCssTypeSelector.php diff --git a/tests/phpunit/tests/html-api/wpCssAttributeSelector.php b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php new file mode 100644 index 0000000000000..d907ad7c07e5b --- /dev/null +++ b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php @@ -0,0 +1,90 @@ +assertNull( $result ); + } else { + $this->assertSame( $expected_name, $result->name ); + $this->assertSame( $expected_matcher, $result->matcher ); + $this->assertSame( $expected_value, $result->value ); + $this->assertSame( $expected_modifier, $result->modifier ); + $this->assertSame( $rest, substr( $input, $offset ) ); + } + } + + /** + * Data provider. + * + * @return array + */ + public static function data_attribute_selectors(): array { + return array( + '[href]' => array( '[href]', 'href', null, null, null, '' ), + '[href] type' => array( '[href] type', 'href', null, null, null, ' type' ), + '[href]#id' => array( '[href]#id', 'href', null, null, null, '#id' ), + '[href].class' => array( '[href].class', 'href', null, null, null, '.class' ), + '[href][href2]' => array( '[href][href2]', 'href', null, null, null, '[href2]' ), + '[\n href\t\r]' => array( "[\n href\t\r]", 'href', null, null, null, '' ), + '[href=foo]' => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), + '[href \n = bar ]' => array( "[href \n = bar ]", 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), + '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), + + '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_PREFIXED, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[att=val I]' => array( '[att=val I]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + '[att=val S]' => array( '[att=val S]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + + '[match~="quoted[][]"]' => array( '[match~="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT, 'quoted[][]', null, '' ), + "[match$='quoted!{}']" => array( "[match$='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'quoted!{}', null, '' ), + "[match*='quoted's]" => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_CONTAINS, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + + '[escape-nl="foo\\nbar"]' => array( "[escape-nl='foo\\\nbar']", 'escape-nl', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foobar', null, '' ), + '[escape-seq="\\31 23"]' => array( "[escape-seq='\\31 23']", 'escape-seq', WP_CSS_Attribute_Selector::MATCH_EXACT, '123', null, '' ), + + // Invalid + 'Invalid: (empty string)' => array( '' ), + 'Invalid: foo' => array( 'foo' ), + 'Invalid: [foo' => array( '[foo' ), + 'Invalid: [#foo]' => array( '[#foo]' ), + 'Invalid: [*|*]' => array( '[*|*]' ), + 'Invalid: [ns|*]' => array( '[ns|*]' ), + 'Invalid: [* |att]' => array( '[* |att]' ), + 'Invalid: [*| att]' => array( '[*| att]' ), + 'Invalid: [att * =]' => array( '[att * =]' ), + 'Invalid: [att+=val]' => array( '[att+=val]' ), + 'Invalid: [att=val ' => array( '[att=val ' ), + 'Invalid: [att i]' => array( '[att i]' ), + 'Invalid: [att s]' => array( '[att s]' ), + "Invalid: [att='val\\n']" => array( "[att='val\n']" ), + 'Invalid: [att=val i ' => array( '[att=val i ' ), + 'Invalid: [att="val"ix' => array( '[att="val"ix' ), + ); + } +} diff --git a/tests/phpunit/tests/html-api/wpCssClassSelector.php b/tests/phpunit/tests/html-api/wpCssClassSelector.php new file mode 100644 index 0000000000000..fa1d097a5ad3d --- /dev/null +++ b/tests/phpunit/tests/html-api/wpCssClassSelector.php @@ -0,0 +1,49 @@ +assertNull( $result ); + } else { + $this->assertSame( $expected, $result->class_name ); + $this->assertSame( $rest, substr( $input, $offset ) ); + } + } + + /** + * Data provider. + * + * @return array + */ + public static function data_class_selectors(): array { + return array( + 'valid ._-foo123' => array( '._-foo123', '_-foo123', '' ), + 'valid .foo.bar' => array( '.foo.bar', 'foo', '.bar' ), + 'escaped .\31 23' => array( '.\\31 23', '123', '' ), + 'with descendant .\31 23 div' => array( '.\\31 23 div', '123', ' div' ), + + 'not class foo' => array( 'foo' ), + 'not class #bar' => array( '#bar' ), + 'not valid .1foo' => array( '.1foo' ), + ); + } +} diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelector.php b/tests/phpunit/tests/html-api/wpCssComplexSelector.php new file mode 100644 index 0000000000000..bb7b6e67e9d1a --- /dev/null +++ b/tests/phpunit/tests/html-api/wpCssComplexSelector.php @@ -0,0 +1,71 @@ + .child#bar[baz=quux] , rest'; + $offset = 0; + + /** @var WP_CSS_Complex_Selector|null */ + $sel = WP_CSS_Complex_Selector::parse( $input, $offset ); + + $this->assertSame( 2, count( $sel->context_selectors ) ); + + // Relative selectors should be reverse ordered. + $this->assertSame( 'el2', $sel->context_selectors[0][0]->type ); + $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->context_selectors[0][1] ); + + $this->assertSame( 'el1', $sel->context_selectors[1][0]->type ); + $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT, $sel->context_selectors[1][1] ); + + $this->assertSame( 3, count( $sel->self_selector->subclass_selectors ) ); + $this->assertNull( $sel->self_selector->type_selector ); + $this->assertSame( 'child', $sel->self_selector->subclass_selectors[0]->class_name ); + + $this->assertSame( ', rest', substr( $input, $offset ) ); + } + + /** + * @ticket 62653 + */ + public function test_parse_invalid_complex_selector() { + $input = 'el.foo#bar[baz=quux] > , rest'; + $offset = 0; + $result = WP_CSS_Complex_Selector::parse( $input, $offset ); + $this->assertNull( $result ); + } + + /** + * @ticket 62653 + */ + public function test_parse_invalid_complex_selector_nonfinal_subclass() { + $input = 'el.foo#bar[baz=quux] > final, rest'; + $offset = 0; + $result = WP_CSS_Complex_Selector::parse( $input, $offset ); + $this->assertNull( $result ); + } + + /** + * @ticket 62653 + */ + public function test_parse_empty_complex_selector() { + $input = ''; + $offset = 0; + $result = WP_CSS_Complex_Selector::parse( $input, $offset ); + $this->assertNull( $result ); + } +} diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php index 829af95a55d5f..4e788860ff53f 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php @@ -9,79 +9,10 @@ * @since 6.8.0 * * @group html-api + * + * @coversDefaultClass WP_CSS_Complex_Selector_List */ class Tests_HtmlApi_WpCssComplexSelectorList extends WP_UnitTestCase { - private $test_class; - - public function set_up(): void { - parent::set_up(); - $this->test_class = new class() extends WP_CSS_Complex_Selector_List { - public function __construct() { - parent::__construct( array() ); - } - - public static function test_parse_complex_selector( string $input, int &$offset ): ?WP_CSS_Complex_Selector { - return self::parse_complex_selector( $input, $offset ); - } - }; - } - - /** - * @ticket 62653 - */ - public function test_parse_complex_selector() { - $input = 'el1 el2 > .child#bar[baz=quux] , rest'; - $offset = 0; - - /** @var WP_CSS_Complex_Selector|null */ - $sel = $this->test_class::test_parse_complex_selector( $input, $offset ); - - $this->assertSame( 2, count( $sel->context_selectors ) ); - - // Relative selectors should be reverse ordered. - $this->assertSame( 'el2', $sel->context_selectors[0][0]->type ); - $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_CHILD, $sel->context_selectors[0][1] ); - - $this->assertSame( 'el1', $sel->context_selectors[1][0]->type ); - $this->assertSame( WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT, $sel->context_selectors[1][1] ); - - $this->assertSame( 3, count( $sel->self_selector->subclass_selectors ) ); - $this->assertNull( $sel->self_selector->type_selector ); - $this->assertSame( 'child', $sel->self_selector->subclass_selectors[0]->class_name ); - - $this->assertSame( ', rest', substr( $input, $offset ) ); - } - - /** - * @ticket 62653 - */ - public function test_parse_invalid_complex_selector() { - $input = 'el.foo#bar[baz=quux] > , rest'; - $offset = 0; - $result = $this->test_class::test_parse_complex_selector( $input, $offset ); - $this->assertNull( $result ); - } - - /** - * @ticket 62653 - */ - public function test_parse_invalid_complex_selector_nonfinal_subclass() { - $input = 'el.foo#bar[baz=quux] > final, rest'; - $offset = 0; - $result = $this->test_class::test_parse_complex_selector( $input, $offset ); - $this->assertNull( $result ); - } - - /** - * @ticket 62653 - */ - public function test_parse_empty_complex_selector() { - $input = ''; - $offset = 0; - $result = $this->test_class::test_parse_complex_selector( $input, $offset ); - $this->assertNull( $result ); - } - /** * @ticket 62653 */ diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelector.php b/tests/phpunit/tests/html-api/wpCssCompoundSelector.php new file mode 100644 index 0000000000000..8800c89d6ed36 --- /dev/null +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelector.php @@ -0,0 +1,44 @@ + .child'; + $offset = 0; + $sel = WP_CSS_Compound_Selector::parse( $input, $offset ); + + $this->assertSame( 'el', $sel->type_selector->type ); + $this->assertSame( 3, count( $sel->subclass_selectors ) ); + $this->assertSame( 'foo', $sel->subclass_selectors[0]->class_name, 'foo' ); + $this->assertSame( 'bar', $sel->subclass_selectors[1]->id, 'bar' ); + $this->assertSame( 'baz', $sel->subclass_selectors[2]->name, 'baz' ); + $this->assertSame( WP_CSS_Attribute_Selector::MATCH_EXACT, $sel->subclass_selectors[2]->matcher ); + $this->assertSame( 'quux', $sel->subclass_selectors[2]->value ); + $this->assertSame( ' > .child', substr( $input, $offset ) ); + } + + /** + * @ticket 62653 + */ + public function test_parse_empty_selector() { + $input = ''; + $offset = 0; + $result = WP_CSS_Compound_Selector::parse( $input, $offset ); + $this->assertNull( $result ); + $this->assertSame( 0, $offset ); + } +} diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index c112585e622c8..01eff118a87b0 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -1,6 +1,6 @@ test_class = new class() extends WP_CSS_Compound_Selector_List { - public function __construct() { - parent::__construct( array() ); - } - - /* - * Parsing - */ - public static function test_parse_ident( string $input, int &$offset ) { - return self::parse_ident( $input, $offset ); - } - - public static function test_parse_string( string $input, int &$offset ) { - return self::parse_string( $input, $offset ); - } - - public static function test_parse_type_selector( string $input, int &$offset ) { - return self::parse_type_selector( $input, $offset ); - } - - public static function test_parse_id_selector( string $input, int &$offset ) { - return self::parse_id_selector( $input, $offset ); - } - - public static function test_parse_class_selector( string $input, int &$offset ) { - return self::parse_class_selector( $input, $offset ); - } - - public static function test_parse_attribute_selector( string $input, int &$offset ) { - return self::parse_attribute_selector( $input, $offset ); - } - - public static function test_parse_compound_selector( string $input, int &$offset ) { - return self::parse_compound_selector( $input, $offset ); - } - - /* - * Utilities - */ - public static function test_is_ident_codepoint( string $input, int $offset ) { - return self::is_ident_codepoint( $input, $offset ); - } - - public static function test_is_ident_start_codepoint( string $input, int $offset ) { - return self::is_ident_start_codepoint( $input, $offset ); - } - }; - } - - /** - * Data provider. - * - * @return array - */ - public static function data_idents(): array { - return array( - 'trailing #' => array( '_-foo123#xyz', '_-foo123', '#xyz' ), - 'trailing .' => array( '😍foo123.xyz', '😍foo123', '.xyz' ), - 'trailing " "' => array( '😍foo123 more', '😍foo123', ' more' ), - 'escaped ASCII character' => array( '\\xyz', 'xyz', '' ), - 'escaped space' => array( '\\ x', ' x', '' ), - 'escaped emoji' => array( '\\😍', '😍', '' ), - 'hex unicode codepoint' => array( '\\1f0a1', '🂡', '' ), - 'HEX UNICODE CODEPOINT' => array( '\\1D4B2', '𝒲', '' ), - - 'hex tab-suffixed 1' => array( "\\31\t23", '123', '' ), - 'hex newline-suffixed 1' => array( "\\31\n23", '123', '' ), - 'hex space-suffixed 1' => array( "\\31 23", '123', '' ), - 'hex tab' => array( '\\9', "\t", '' ), - 'hex a' => array( '\\61 bc', 'abc', '' ), - 'hex a max escape length' => array( '\\000061bc', 'abc', '' ), - - 'out of range replacement min' => array( '\\110000 ', "\u{fffd}", '' ), - 'out of range replacement max' => array( '\\ffffff ', "\u{fffd}", '' ), - 'leading surrogate min replacement' => array( '\\d800 ', "\u{fffd}", '' ), - 'leading surrogate max replacement' => array( '\\dbff ', "\u{fffd}", '' ), - 'trailing surrogate min replacement' => array( '\\dc00 ', "\u{fffd}", '' ), - 'trailing surrogate max replacement' => array( '\\dfff ', "\u{fffd}", '' ), - 'can start with -ident' => array( '-ident', '-ident', '' ), - 'can start with --anything' => array( '--anything', '--anything', '' ), - 'can start with ---anything' => array( '--_anything', '--_anything', '' ), - 'can start with --1anything' => array( '--1anything', '--1anything', '' ), - 'can start with -\31 23' => array( '-\31 23', '-123', '' ), - 'can start with --\31 23' => array( '--\31 23', '--123', '' ), - 'ident ends before ]' => array( 'ident]', 'ident', ']' ), - - // Invalid - 'Invalid: (empty string)' => array( '' ), - 'Invalid: bad start >' => array( '>ident' ), - 'Invalid: bad start [' => array( '[ident' ), - 'Invalid: bad start #' => array( '#ident' ), - 'Invalid: bad start " "' => array( ' ident' ), - 'Invalid: bad start 1' => array( '1ident' ), - 'Invalid: bad start -1' => array( '-1ident' ), - 'Invalid: bad start -' => array( '-' ), - ); - } - - /** - * @ticket 62653 - */ - public function test_is_ident_and_is_ident_start() { - $this->assertFalse( $this->test_class::test_is_ident_codepoint( '[', 0 ) ); - $this->assertFalse( $this->test_class::test_is_ident_codepoint( ']', 0 ) ); - $this->assertFalse( $this->test_class::test_is_ident_start_codepoint( '[', 0 ) ); - $this->assertFalse( $this->test_class::test_is_ident_start_codepoint( ']', 0 ) ); - } - - /** - * @ticket 62653 - * - * @dataProvider data_idents - */ - public function test_parse_ident( string $input, ?string $expected = null, ?string $rest = null ) { - - $offset = 0; - $result = $this->test_class::test_parse_ident( $input, $offset ); - if ( null === $expected ) { - $this->assertNull( $result ); - } else { - $this->assertSame( $expected, $result, 'Ident did not match.' ); - $this->assertSame( $rest, substr( $input, $offset ), 'Offset was not updated correctly.' ); - } - } - - /** - * @ticket 62653 - * - * @dataProvider data_strings - */ - public function test_parse_string( string $input, ?string $expected = null, ?string $rest = null ) { - $offset = 0; - $result = $this->test_class::test_parse_string( $input, $offset ); - if ( null === $expected ) { - $this->assertNull( $result ); - } else { - $this->assertSame( $expected, $result, 'String did not match.' ); - $this->assertSame( $rest, substr( $input, $offset ), 'Offset was not updated correctly.' ); - } - } - - /** - * Data provider. - * - * @return array - */ - public static function data_strings(): array { - return array( - '"foo"' => array( '"foo"', 'foo', '' ), - '"foo"after' => array( '"foo"after', 'foo', 'after' ), - '"foo""two"' => array( '"foo""two"', 'foo', '"two"' ), - '"foo"\'two\'' => array( '"foo"\'two\'', 'foo', "'two'" ), - - "'foo'" => array( "'foo'", 'foo', '' ), - "'foo'after" => array( "'foo'after", 'foo', 'after' ), - "'foo'\"two\"" => array( "'foo'\"two\"", 'foo', '"two"' ), - "'foo''two'" => array( "'foo''two'", 'foo', "'two'" ), - - "'foo\\nbar'" => array( "'foo\\\nbar'", 'foobar', '' ), - "'foo\\31 23'" => array( "'foo\\31 23'", 'foo123', '' ), - "'foo\\31\\n23'" => array( "'foo\\31\n23'", 'foo123', '' ), - "'foo\\31\\t23'" => array( "'foo\\31\t23'", 'foo123', '' ), - "'foo\\00003123'" => array( "'foo\\00003123'", 'foo123', '' ), - - "'foo\\" => array( "'foo\\", 'foo', '' ), - - '"' => array( '"', '', '' ), - '"\\"' => array( '"\\"', '"', '' ), - '"missing close' => array( '"missing close', 'missing close', '' ), - - // Invalid - 'Invalid: (empty string)' => array( '' ), - 'Invalid: .foo' => array( '.foo' ), - 'Invalid: #foo' => array( '#foo' ), - "Invalid: 'newline\\n'" => array( "'newline\n'" ), - 'Invalid: foo' => array( 'foo' ), - ); - } - - /** - * @ticket 62653 - * - * @dataProvider data_id_selectors - */ - public function test_parse_id( string $input, ?string $expected = null, ?string $rest = null ) { - $offset = 0; - $result = $this->test_class::test_parse_id_selector( $input, $offset ); - if ( null === $expected ) { - $this->assertNull( $result ); - } else { - $this->assertSame( $expected, $result->id ); - $this->assertSame( $rest, substr( $input, $offset ) ); - } - } - - /** - * Data provider. - * - * @return array - */ - public static function data_id_selectors(): array { - return array( - 'valid #_-foo123' => array( '#_-foo123', '_-foo123', '' ), - 'valid #foo#bar' => array( '#foo#bar', 'foo', '#bar' ), - 'escaped #\31 23' => array( '#\\31 23', '123', '' ), - 'with descendant #\31 23 div' => array( '#\\31 23 div', '123', ' div' ), - - 'not ID foo' => array( 'foo' ), - 'not ID .bar' => array( '.bar' ), - 'not valid #1foo' => array( '#1foo' ), - ); - } - - /** - * @ticket 62653 - * - * @dataProvider data_class_selectors - */ - public function test_parse_class( string $input, ?string $expected = null, ?string $rest = null ) { - $offset = 0; - $result = $this->test_class::test_parse_class_selector( $input, $offset ); - if ( null === $expected ) { - $this->assertNull( $result ); - } else { - $this->assertSame( $expected, $result->class_name ); - $this->assertSame( $rest, substr( $input, $offset ) ); - } - } - - /** - * Data provider. - * - * @return array - */ - public static function data_class_selectors(): array { - return array( - 'valid ._-foo123' => array( '._-foo123', '_-foo123', '' ), - 'valid .foo.bar' => array( '.foo.bar', 'foo', '.bar' ), - 'escaped .\31 23' => array( '.\\31 23', '123', '' ), - 'with descendant .\31 23 div' => array( '.\\31 23 div', '123', ' div' ), - - 'not class foo' => array( 'foo' ), - 'not class #bar' => array( '#bar' ), - 'not valid .1foo' => array( '.1foo' ), - ); - } - - /** - * @ticket 62653 - * - * @dataProvider data_type_selectors - */ - public function test_parse_type( string $input, ?string $expected = null, ?string $rest = null ) { - $offset = 0; - $result = $this->test_class::test_parse_type_selector( $input, $offset ); - if ( null === $expected ) { - $this->assertNull( $result ); - } else { - $this->assertSame( $expected, $result->type ); - $this->assertSame( $rest, substr( $input, $offset ) ); - } - } - - /** - * Data provider. - * - * @return array - */ - public static function data_type_selectors(): array { - return array( - 'any *' => array( '* .class', '*', ' .class' ), - 'a' => array( 'a', 'a', '' ), - 'div.class' => array( 'div.class', 'div', '.class' ), - 'custom-type#id' => array( 'custom-type#id', 'custom-type', '#id' ), - - // Invalid - 'Invalid: (empty string)' => array( '' ), - 'Invalid: #id' => array( '#id' ), - 'Invalid: .class' => array( '.class' ), - 'Invalid: [attr]' => array( '[attr]' ), - ); - } - - /** - * @ticket 62653 - * - * @dataProvider data_attribute_selectors - */ - public function test_parse_attribute( - string $input, - ?string $expected_name = null, - ?string $expected_matcher = null, - ?string $expected_value = null, - ?string $expected_modifier = null, - ?string $rest = null - ) { - $offset = 0; - $result = $this->test_class::test_parse_attribute_selector( $input, $offset ); - if ( null === $expected_name ) { - $this->assertNull( $result ); - } else { - $this->assertSame( $expected_name, $result->name ); - $this->assertSame( $expected_matcher, $result->matcher ); - $this->assertSame( $expected_value, $result->value ); - $this->assertSame( $expected_modifier, $result->modifier ); - $this->assertSame( $rest, substr( $input, $offset ) ); - } - } - - /** - * Data provider. - * - * @return array - */ - public static function data_attribute_selectors(): array { - return array( - '[href]' => array( '[href]', 'href', null, null, null, '' ), - '[href] type' => array( '[href] type', 'href', null, null, null, ' type' ), - '[href]#id' => array( '[href]#id', 'href', null, null, null, '#id' ), - '[href].class' => array( '[href].class', 'href', null, null, null, '.class' ), - '[href][href2]' => array( '[href][href2]', 'href', null, null, null, '[href2]' ), - '[\n href\t\r]' => array( "[\n href\t\r]", 'href', null, null, null, '' ), - '[href=foo]' => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), - '[href \n = bar ]' => array( "[href \n = bar ]", 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), - '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), - - '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_PREFIXED, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - '[att=val I]' => array( '[att=val I]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - '[att=val S]' => array( '[att=val S]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - - '[match~="quoted[][]"]' => array( '[match~="quoted[][]"]', 'match', WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT, 'quoted[][]', null, '' ), - "[match$='quoted!{}']" => array( "[match$='quoted!{}']", 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'quoted!{}', null, '' ), - "[match*='quoted's]" => array( "[match*='quoted's]", 'match', WP_CSS_Attribute_Selector::MATCH_CONTAINS, 'quoted', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), - - '[escape-nl="foo\\nbar"]' => array( "[escape-nl='foo\\\nbar']", 'escape-nl', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foobar', null, '' ), - '[escape-seq="\\31 23"]' => array( "[escape-seq='\\31 23']", 'escape-seq', WP_CSS_Attribute_Selector::MATCH_EXACT, '123', null, '' ), - - // Invalid - 'Invalid: (empty string)' => array( '' ), - 'Invalid: foo' => array( 'foo' ), - 'Invalid: [foo' => array( '[foo' ), - 'Invalid: [#foo]' => array( '[#foo]' ), - 'Invalid: [*|*]' => array( '[*|*]' ), - 'Invalid: [ns|*]' => array( '[ns|*]' ), - 'Invalid: [* |att]' => array( '[* |att]' ), - 'Invalid: [*| att]' => array( '[*| att]' ), - 'Invalid: [att * =]' => array( '[att * =]' ), - 'Invalid: [att+=val]' => array( '[att+=val]' ), - 'Invalid: [att=val ' => array( '[att=val ' ), - 'Invalid: [att i]' => array( '[att i]' ), - 'Invalid: [att s]' => array( '[att s]' ), - "Invalid: [att='val\\n']" => array( "[att='val\n']" ), - 'Invalid: [att=val i ' => array( '[att=val i ' ), - 'Invalid: [att="val"ix' => array( '[att="val"ix' ), - ); - } - - /** - * @ticket 62653 - */ - public function test_parse_selector() { - $input = 'el.foo#bar[baz=quux] > .child'; - $offset = 0; - $sel = $this->test_class::test_parse_compound_selector( $input, $offset ); - - $this->assertSame( 'el', $sel->type_selector->type ); - $this->assertSame( 3, count( $sel->subclass_selectors ) ); - $this->assertSame( 'foo', $sel->subclass_selectors[0]->class_name, 'foo' ); - $this->assertSame( 'bar', $sel->subclass_selectors[1]->id, 'bar' ); - $this->assertSame( 'baz', $sel->subclass_selectors[2]->name, 'baz' ); - $this->assertSame( WP_CSS_Attribute_Selector::MATCH_EXACT, $sel->subclass_selectors[2]->matcher ); - $this->assertSame( 'quux', $sel->subclass_selectors[2]->value ); - $this->assertSame( ' > .child', substr( $input, $offset ) ); - } - - /** - * @ticket 62653 - */ - public function test_parse_empty_selector() { - $input = ''; - $offset = 0; - $result = $this->test_class::test_parse_compound_selector( $input, $offset ); - $this->assertNull( $result ); - $this->assertSame( 0, $offset ); - } - /** * @ticket 62653 */ diff --git a/tests/phpunit/tests/html-api/wpCssIdSelector.php b/tests/phpunit/tests/html-api/wpCssIdSelector.php new file mode 100644 index 0000000000000..6cd6b83a46b8d --- /dev/null +++ b/tests/phpunit/tests/html-api/wpCssIdSelector.php @@ -0,0 +1,50 @@ +assertNull( $result ); + } else { + $this->assertSame( $expected, $result->id ); + $this->assertSame( $rest, substr( $input, $offset ) ); + } + } + + /** + * Data provider. + * + * @return array + */ + public static function data_id_selectors(): array { + return array( + 'valid #_-foo123' => array( '#_-foo123', '_-foo123', '' ), + 'valid #foo#bar' => array( '#foo#bar', 'foo', '#bar' ), + 'escaped #\31 23' => array( '#\\31 23', '123', '' ), + 'with descendant #\31 23 div' => array( '#\\31 23 div', '123', ' div' ), + + // Invalid + 'not ID foo' => array( 'foo' ), + 'not ID .bar' => array( '.bar' ), + 'not valid #1foo' => array( '#1foo' ), + ); + } +} diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php new file mode 100644 index 0000000000000..4497334791c88 --- /dev/null +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -0,0 +1,172 @@ +test_class = new class() extends WP_CSS_Selector_Parser_Matcher { + /* + * Parsing + */ + public static function test_parse_ident( string $input, int &$offset ) { + return self::parse_ident( $input, $offset ); + } + + public static function test_parse_string( string $input, int &$offset ) { + return self::parse_string( $input, $offset ); + } + + /* + * Utilities + */ + public static function test_is_ident_codepoint( string $input, int $offset ) { + return self::is_ident_codepoint( $input, $offset ); + } + + public static function test_is_ident_start_codepoint( string $input, int $offset ) { + return self::is_ident_start_codepoint( $input, $offset ); + } + }; + } + + /** + * Data provider. + * + * @return array + */ + public static function data_idents(): array { + return array( + 'trailing #' => array( '_-foo123#xyz', '_-foo123', '#xyz' ), + 'trailing .' => array( '😍foo123.xyz', '😍foo123', '.xyz' ), + 'trailing " "' => array( '😍foo123 more', '😍foo123', ' more' ), + 'escaped ASCII character' => array( '\\xyz', 'xyz', '' ), + 'escaped space' => array( '\\ x', ' x', '' ), + 'escaped emoji' => array( '\\😍', '😍', '' ), + 'hex unicode codepoint' => array( '\\1f0a1', '🂡', '' ), + 'HEX UNICODE CODEPOINT' => array( '\\1D4B2', '𝒲', '' ), + + 'hex tab-suffixed 1' => array( "\\31\t23", '123', '' ), + 'hex newline-suffixed 1' => array( "\\31\n23", '123', '' ), + 'hex space-suffixed 1' => array( "\\31 23", '123', '' ), + 'hex tab' => array( '\\9', "\t", '' ), + 'hex a' => array( '\\61 bc', 'abc', '' ), + 'hex a max escape length' => array( '\\000061bc', 'abc', '' ), + + 'out of range replacement min' => array( '\\110000 ', "\u{fffd}", '' ), + 'out of range replacement max' => array( '\\ffffff ', "\u{fffd}", '' ), + 'leading surrogate min replacement' => array( '\\d800 ', "\u{fffd}", '' ), + 'leading surrogate max replacement' => array( '\\dbff ', "\u{fffd}", '' ), + 'trailing surrogate min replacement' => array( '\\dc00 ', "\u{fffd}", '' ), + 'trailing surrogate max replacement' => array( '\\dfff ', "\u{fffd}", '' ), + 'can start with -ident' => array( '-ident', '-ident', '' ), + 'can start with --anything' => array( '--anything', '--anything', '' ), + 'can start with ---anything' => array( '--_anything', '--_anything', '' ), + 'can start with --1anything' => array( '--1anything', '--1anything', '' ), + 'can start with -\31 23' => array( '-\31 23', '-123', '' ), + 'can start with --\31 23' => array( '--\31 23', '--123', '' ), + 'ident ends before ]' => array( 'ident]', 'ident', ']' ), + + // Invalid + 'Invalid: (empty string)' => array( '' ), + 'Invalid: bad start >' => array( '>ident' ), + 'Invalid: bad start [' => array( '[ident' ), + 'Invalid: bad start #' => array( '#ident' ), + 'Invalid: bad start " "' => array( ' ident' ), + 'Invalid: bad start 1' => array( '1ident' ), + 'Invalid: bad start -1' => array( '-1ident' ), + 'Invalid: bad start -' => array( '-' ), + ); + } + + /** + * @ticket 62653 + */ + public function test_is_ident_and_is_ident_start() { + $this->assertFalse( $this->test_class::test_is_ident_codepoint( '[', 0 ) ); + $this->assertFalse( $this->test_class::test_is_ident_codepoint( ']', 0 ) ); + $this->assertFalse( $this->test_class::test_is_ident_start_codepoint( '[', 0 ) ); + $this->assertFalse( $this->test_class::test_is_ident_start_codepoint( ']', 0 ) ); + } + + /** + * @ticket 62653 + * + * @dataProvider data_idents + */ + public function test_parse_ident( string $input, ?string $expected = null, ?string $rest = null ) { + + $offset = 0; + $result = $this->test_class::test_parse_ident( $input, $offset ); + if ( null === $expected ) { + $this->assertNull( $result ); + } else { + $this->assertSame( $expected, $result, 'Ident did not match.' ); + $this->assertSame( $rest, substr( $input, $offset ), 'Offset was not updated correctly.' ); + } + } + + /** + * @ticket 62653 + * + * @dataProvider data_strings + */ + public function test_parse_string( string $input, ?string $expected = null, ?string $rest = null ) { + $offset = 0; + $result = $this->test_class::test_parse_string( $input, $offset ); + if ( null === $expected ) { + $this->assertNull( $result ); + } else { + $this->assertSame( $expected, $result, 'String did not match.' ); + $this->assertSame( $rest, substr( $input, $offset ), 'Offset was not updated correctly.' ); + } + } + + /** + * Data provider. + * + * @return array + */ + public static function data_strings(): array { + return array( + '"foo"' => array( '"foo"', 'foo', '' ), + '"foo"after' => array( '"foo"after', 'foo', 'after' ), + '"foo""two"' => array( '"foo""two"', 'foo', '"two"' ), + '"foo"\'two\'' => array( '"foo"\'two\'', 'foo', "'two'" ), + + "'foo'" => array( "'foo'", 'foo', '' ), + "'foo'after" => array( "'foo'after", 'foo', 'after' ), + "'foo'\"two\"" => array( "'foo'\"two\"", 'foo', '"two"' ), + "'foo''two'" => array( "'foo''two'", 'foo', "'two'" ), + + "'foo\\nbar'" => array( "'foo\\\nbar'", 'foobar', '' ), + "'foo\\31 23'" => array( "'foo\\31 23'", 'foo123', '' ), + "'foo\\31\\n23'" => array( "'foo\\31\n23'", 'foo123', '' ), + "'foo\\31\\t23'" => array( "'foo\\31\t23'", 'foo123', '' ), + "'foo\\00003123'" => array( "'foo\\00003123'", 'foo123', '' ), + + "'foo\\" => array( "'foo\\", 'foo', '' ), + + '"' => array( '"', '', '' ), + '"\\"' => array( '"\\"', '"', '' ), + '"missing close' => array( '"missing close', 'missing close', '' ), + + // Invalid + 'Invalid: (empty string)' => array( '' ), + 'Invalid: .foo' => array( '.foo' ), + 'Invalid: #foo' => array( '#foo' ), + "Invalid: 'newline\\n'" => array( "'newline\n'" ), + 'Invalid: foo' => array( 'foo' ), + ); + } +} diff --git a/tests/phpunit/tests/html-api/wpCssTypeSelector.php b/tests/phpunit/tests/html-api/wpCssTypeSelector.php new file mode 100644 index 0000000000000..fb53c41dd058c --- /dev/null +++ b/tests/phpunit/tests/html-api/wpCssTypeSelector.php @@ -0,0 +1,51 @@ +assertNull( $result ); + } else { + $this->assertSame( $expected, $result->type ); + $this->assertSame( $rest, substr( $input, $offset ) ); + } + } + + /** + * Data provider. + * + * @return array + */ + public static function data_type_selectors(): array { + return array( + 'any *' => array( '* .class', '*', ' .class' ), + 'a' => array( 'a', 'a', '' ), + 'div.class' => array( 'div.class', 'div', '.class' ), + 'custom-type#id' => array( 'custom-type#id', 'custom-type', '#id' ), + + // Invalid + 'Invalid: (empty string)' => array( '' ), + 'Invalid: #id' => array( '#id' ), + 'Invalid: .class' => array( '.class' ), + 'Invalid: [attr]' => array( '[attr]' ), + ); + } +} From f217eb0de026fcee8beb645f941de5221c676795 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 18:45:20 +0100 Subject: [PATCH 118/187] Use whitepsace chars constant --- .../html-api/class-wp-css-attribute-selector.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index 700a8cba9bb0c..ab566f8f1af11 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -231,15 +231,15 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { */ private function whitespace_delimited_list( string $input ): Generator { // Start by skipping whitespace. - $offset = strspn( $input, " \t\r\n\f" ); + $offset = strspn( $input, self::WHITESPACE_CHARACTERS ); while ( $offset < strlen( $input ) ) { // Find the byte length until the next boundary. - $length = strcspn( $input, " \t\r\n\f", $offset ); + $length = strcspn( $input, self::WHITESPACE_CHARACTERS, $offset ); $value = substr( $input, $offset, $length ); // Move past trailing whitespace. - $offset += $length + strspn( $input, " \t\r\n\f", $offset + $length ); + $offset += $length + strspn( $input, self::WHITESPACE_CHARACTERS, $offset + $length ); yield $value; } From 6154742ecb42762951eb2267fe12434417f7bf85 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 18:46:14 +0100 Subject: [PATCH 119/187] parse_whitespace should be protected --- .../html-api/class-wp-css-selector-parser-matcher.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php index 8820115f03cfb..744f75496f0f8 100644 --- a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php @@ -34,7 +34,7 @@ abstract public static function parse( string $input, int &$offset ): ?static; /** * @todo document */ - final public static function parse_whitespace( string $input, int &$offset ): bool { + final protected static function parse_whitespace( string $input, int &$offset ): bool { $length = strspn( $input, self::WHITESPACE_CHARACTERS, $offset ); $advanced = $length > 0; $offset += $length; From 577b3a3b7036b9db71d6c0ab3337b96f94960686 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 18:48:01 +0100 Subject: [PATCH 120/187] Update interface to abstract class require --- src/wp-settings.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/wp-settings.php b/src/wp-settings.php index b52fe8ab6181c..2e6ed6091a682 100644 --- a/src/wp-settings.php +++ b/src/wp-settings.php @@ -265,8 +265,7 @@ require ABSPATH . WPINC . '/html-api/class-wp-html-stack-event.php'; require ABSPATH . WPINC . '/html-api/class-wp-html-processor-state.php'; require ABSPATH . WPINC . '/html-api/class-wp-html-processor.php'; -require ABSPATH . WPINC . '/html-api/interface-wp-css-html-tag-processor-matcher.php'; -require ABSPATH . WPINC . '/html-api/interface-wp-css-html-processor-matcher.php'; +require ABSPATH . WPINC . '/html-api/class-wp-css-selector-parser-matcher.php'; require ABSPATH . WPINC . '/html-api/class-wp-css-attribute-selector.php'; require ABSPATH . WPINC . '/html-api/class-wp-css-class-selector.php'; require ABSPATH . WPINC . '/html-api/class-wp-css-id-selector.php'; From 5ea93abbf5704268239c3129a43e9bd9834e34b8 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 19:04:03 +0100 Subject: [PATCH 121/187] Document base class --- .../class-wp-css-selector-parser-matcher.php | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php index 744f75496f0f8..60e75820c264a 100644 --- a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php @@ -1,5 +1,19 @@ Date: Wed, 11 Dec 2024 19:06:19 +0100 Subject: [PATCH 122/187] Invert and comment confusing compound selector condition --- .../html-api/class-wp-css-compound-selector.php | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 68aca4d880e0d..f301f6f9342fd 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -95,12 +95,13 @@ public static function parse( string $input, int &$offset ): ?static { $last_parsed_subclass_selector = self::parse_subclass_selector( $input, $updated_offset ); } - // @todo invert this condition - if ( null !== $type_selector || array() !== $subclass_selectors ) { - $offset = $updated_offset; - return new self( $type_selector, $subclass_selectors ); + // There must be at least one selector. + if ( null === $type_selector && array() === $subclass_selectors ) { + return null; } - return null; + + $offset = $updated_offset; + return new self( $type_selector, $subclass_selectors ); } /** From db469e62def02391ab362d5b7fd01ee4f54606d0 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 19:08:46 +0100 Subject: [PATCH 123/187] Use switch in compound selector parsing --- .../class-wp-css-compound-selector.php | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index f301f6f9342fd..002021472f496 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -116,16 +116,15 @@ private static function parse_subclass_selector( string $input, int &$offset ) { return null; } - $next_char = $input[ $offset ]; - return '.' === $next_char - ? WP_CSS_Class_Selector::parse( $input, $offset ) - : ( - '#' === $next_char - ? WP_CSS_ID_Selector::parse( $input, $offset ) - : ( '[' === $next_char - ? WP_CSS_Attribute_Selector::parse( $input, $offset ) - : null - ) - ); + switch ( $input[ $offset ] ) { + case '.': + return WP_CSS_Class_Selector::parse( $input, $offset ); + case '#': + return WP_CSS_ID_Selector::parse( $input, $offset ); + case '[': + return WP_CSS_Attribute_Selector::parse( $input, $offset ); + } + + return null; } } From 400263a007f5e5aa6a0394343bf3dd827e32e029 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 19:20:45 +0100 Subject: [PATCH 124/187] Fix up some todo-s --- .../class-wp-css-complex-selector-list.php | 8 -------- .../class-wp-css-compound-selector-list.php | 14 ++++++-------- .../class-wp-css-selector-parser-matcher.php | 19 ++++++++++++++----- 3 files changed, 20 insertions(+), 21 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index 10af613174a35..940bd098c6c19 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -44,14 +44,6 @@ class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List { * @return static|null The selector instance, or null if the parse was unsuccessful. */ public static function parse( string $input, int &$offset ): ?static { - $input = self::normalize_selector_input( $input ); - - if ( '' === $input ) { - return null; - } - - $offset = 0; - $selector = WP_CSS_Complex_Selector::parse( $input, $offset ); if ( null === $selector ) { return null; diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index a6f3b87409ff6..7edafc779ac4c 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -122,6 +122,12 @@ protected function __construct( array $selectors ) { * @return static|null */ public static function from_selectors( string $input ): ?static { + $input = self::normalize_selector_input( $input ); + + if ( '' === $input ) { + return null; + } + $offset = 0; return static::parse( $input, $offset ); } @@ -137,14 +143,6 @@ public static function from_selectors( string $input ): ?static { * @return static|null The selector instance, or null if the parse was unsuccessful. */ public static function parse( string $input, int &$offset ): ?static { - $input = self::normalize_selector_input( $input ); - - if ( '' === $input ) { - return null; - } - - $offset = 0; - $selector = WP_CSS_Compound_Selector::parse( $input, $offset ); if ( null === $selector ) { return null; diff --git a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php index 60e75820c264a..6d665c4c26cb0 100644 --- a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php @@ -46,7 +46,12 @@ abstract public static function parse( string $input, int &$offset ): ?static; */ /** - * @todo document + * Consumes whitespace from the input string. + * + * @param string $input The selector string. + * @param int $offset The offset into the string. The offset is passed by reference and will + * be update to the byte after the whitespace sequence. + * @return bool True if whitespace was consumed. */ final protected static function parse_whitespace( string $input, int &$offset ): bool { $length = strspn( $input, self::WHITESPACE_CHARACTERS, $offset ); @@ -289,7 +294,6 @@ final protected static function parse_ident( string $input, int &$offset ): ?str $ident .= self::consume_escaped_codepoint( $input, $offset ); continue; } elseif ( self::is_ident_codepoint( $input, $offset ) ) { - // @todo this should append and advance the correct number of bytes. $ident .= $input[ $offset ]; ++$offset; continue; @@ -338,7 +342,7 @@ final protected static function next_two_are_valid_escape( string $input, int $o } /** - * Checks if the next code point is an "ident start code point". + * Checks if the next code point is an "ident start code point." * * Caution! This method does not do any bounds checking, it should not be passed * a string with an offset that is out of bounds. @@ -370,7 +374,7 @@ final protected static function is_ident_start_codepoint( string $input, int $of } /** - * Checks if the next code point is an "ident code point". + * Checks if the next code point is an "ident code point." * * Caution! This method does not do any bounds checking, it should not be passed * a string with an offset that is out of bounds. @@ -461,7 +465,12 @@ final protected static function check_if_three_code_points_would_start_an_ident_ } /** - * @todo doc… + * Normalizes selector input for processing. + * + * @see https://www.w3.org/TR/css-syntax-3/#input-preprocessing + * + * @param string $input The selector string. + * @return string The normalized selector string. */ final protected static function normalize_selector_input( string $input ): string { /* From 483a8191401c91f53601033ba3977a068bd03446 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 19:24:22 +0100 Subject: [PATCH 125/187] Make most selector constructors private --- src/wp-includes/html-api/class-wp-css-attribute-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-class-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-compound-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-id-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-type-selector.php | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index ab566f8f1af11..d2d4d17792a81 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -140,7 +140,7 @@ final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser_Matcher { * @param string|null $modifier The attribute case modifier. * Must be one of the class MODIFIER_* constants or null. */ - public function __construct( string $name, ?string $matcher = null, ?string $value = null, ?string $modifier = null ) { + private function __construct( string $name, ?string $matcher = null, ?string $value = null, ?string $modifier = null ) { $this->name = $name; $this->matcher = $matcher; $this->value = $value; diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/class-wp-css-class-selector.php index 9abcb881ace49..ff7a0b0442813 100644 --- a/src/wp-includes/html-api/class-wp-css-class-selector.php +++ b/src/wp-includes/html-api/class-wp-css-class-selector.php @@ -29,7 +29,7 @@ final class WP_CSS_Class_Selector extends WP_CSS_Selector_Parser_Matcher { * * @param string $class_name The class name to match. */ - public function __construct( string $class_name ) { + private function __construct( string $class_name ) { $this->class_name = $class_name; } diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 002021472f496..077ed5aa4b7f3 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -45,7 +45,7 @@ final class WP_CSS_Compound_Selector extends WP_CSS_Selector_Parser_Matcher { * @param (WP_CSS_ID_Selector|WP_CSS_Class_Selector|WP_CSS_Attribute_Selector)[]|null $subclass_selectors * The array of subclass selectors or null. */ - public function __construct( ?WP_CSS_Type_Selector $type_selector, ?array $subclass_selectors ) { + private function __construct( ?WP_CSS_Type_Selector $type_selector, ?array $subclass_selectors ) { $this->type_selector = $type_selector; $this->subclass_selectors = array() === $subclass_selectors ? null : $subclass_selectors; } diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index de854c37eea9f..2c7cb6feec658 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -29,7 +29,7 @@ final class WP_CSS_ID_Selector extends WP_CSS_Selector_Parser_Matcher { * * @param string $id The ID to match. */ - public function __construct( string $id ) { + private function __construct( string $id ) { $this->id = $id; } diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/class-wp-css-type-selector.php index 492569ee51d65..ab41a87f1a113 100644 --- a/src/wp-includes/html-api/class-wp-css-type-selector.php +++ b/src/wp-includes/html-api/class-wp-css-type-selector.php @@ -29,7 +29,7 @@ final class WP_CSS_Type_Selector extends WP_CSS_Selector_Parser_Matcher { * * @param string $type The element type (tag name) to match or '*' to match any element. */ - public function __construct( string $type ) { + private function __construct( string $type ) { $this->type = $type; } From 1f641685627d8536887c69d25e5f69466cb1f076 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 19:32:17 +0100 Subject: [PATCH 126/187] Fix test class implementation of abstract class --- .../phpunit/tests/html-api/wpCssSelectorParserMatcher.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php index 4497334791c88..4e0dd23af12f7 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -16,6 +16,13 @@ class Tests_HtmlApi_WpCssSelectorParserMatcher extends WP_UnitTestCase { public function set_up(): void { parent::set_up(); $this->test_class = new class() extends WP_CSS_Selector_Parser_Matcher { + public function matches( $processor ): bool { + throw new Exeption( 'Matches called on test class.' ); + } + public static function parse( string $input, int &$offset ): ?static { + throw new Exeption( 'Parse called on test class.' ); + } + /* * Parsing */ From 3bfb8a13acbfa5a5360d4555bdc6102f4236d8e5 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 19:41:30 +0100 Subject: [PATCH 127/187] Remove php 8+ ?static return types --- src/wp-includes/html-api/class-wp-css-attribute-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-class-selector.php | 2 +- .../html-api/class-wp-css-complex-selector-list.php | 2 +- src/wp-includes/html-api/class-wp-css-complex-selector.php | 2 +- .../html-api/class-wp-css-compound-selector-list.php | 4 ++-- src/wp-includes/html-api/class-wp-css-compound-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-id-selector.php | 2 +- .../html-api/class-wp-css-selector-parser-matcher.php | 2 +- src/wp-includes/html-api/class-wp-css-type-selector.php | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index d2d4d17792a81..dc3c13a5ea534 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -255,7 +255,7 @@ private function whitespace_delimited_list( string $input ): Generator { * will be updated if the parse is successful. * @return static|null The selector instance, or null if the parse was unsuccessful. */ - public static function parse( string $input, int &$offset ): ?static { + public static function parse( string $input, int &$offset ) { // Need at least 3 bytes [x] if ( $offset + 2 >= strlen( $input ) ) { return null; diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/class-wp-css-class-selector.php index ff7a0b0442813..57f7dac50315f 100644 --- a/src/wp-includes/html-api/class-wp-css-class-selector.php +++ b/src/wp-includes/html-api/class-wp-css-class-selector.php @@ -53,7 +53,7 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { * will be updated if the parse is successful. * @return static|null The selector instance, or null if the parse was unsuccessful. */ - public static function parse( string $input, int &$offset ): ?static { + public static function parse( string $input, int &$offset ) { if ( $offset + 1 >= strlen( $input ) || '.' !== $input[ $offset ] ) { return null; } diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index 940bd098c6c19..d819cd469086f 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -43,7 +43,7 @@ class WP_CSS_Complex_Selector_List extends WP_CSS_Compound_Selector_List { * will be updated if the parse is successful. * @return static|null The selector instance, or null if the parse was unsuccessful. */ - public static function parse( string $input, int &$offset ): ?static { + public static function parse( string $input, int &$offset ) { $selector = WP_CSS_Complex_Selector::parse( $input, $offset ); if ( null === $selector ) { return null; diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 7c997c62a80f7..8c7c25ed7b984 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -200,7 +200,7 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { * will be updated if the parse is successful. * @return static|null The selector instance, or null if the parse was unsuccessful. */ - public static function parse( string $input, int &$offset ): ?static { + public static function parse( string $input, int &$offset ) { if ( $offset >= strlen( $input ) ) { return null; } diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index 7edafc779ac4c..41cf76e2c90f6 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -121,7 +121,7 @@ protected function __construct( array $selectors ) { * @param string $input CSS selectors. * @return static|null */ - public static function from_selectors( string $input ): ?static { + public static function from_selectors( string $input ) { $input = self::normalize_selector_input( $input ); if ( '' === $input ) { @@ -142,7 +142,7 @@ public static function from_selectors( string $input ): ?static { * will be updated if the parse is successful. * @return static|null The selector instance, or null if the parse was unsuccessful. */ - public static function parse( string $input, int &$offset ): ?static { + public static function parse( string $input, int &$offset ) { $selector = WP_CSS_Compound_Selector::parse( $input, $offset ); if ( null === $selector ) { return null; diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 077ed5aa4b7f3..91e543fdc7e7e 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -80,7 +80,7 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { * will be updated if the parse is successful. * @return static|null The selector instance, or null if the parse was unsuccessful. */ - public static function parse( string $input, int &$offset ): ?static { + public static function parse( string $input, int &$offset ) { if ( $offset >= strlen( $input ) ) { return null; } diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index 2c7cb6feec658..f0c203dc6477e 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -62,7 +62,7 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { * will be updated if the parse is successful. * @return static|null The selector instance, or null if the parse was unsuccessful. */ - public static function parse( string $input, int &$offset ): ?static { + public static function parse( string $input, int &$offset ) { $ident = self::parse_hash_token( $input, $offset ); if ( null === $ident ) { return null; diff --git a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php index 6d665c4c26cb0..e2b56a7b9e55c 100644 --- a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php @@ -34,7 +34,7 @@ abstract public function matches( WP_HTML_Tag_Processor $processor ): bool; * will be updated if the parse is successful. * @return static|null The selector instance, or null if the parse was unsuccessful. */ - abstract public static function parse( string $input, int &$offset ): ?static; + abstract public static function parse( string $input, int &$offset ); /* * ------------------------ diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/class-wp-css-type-selector.php index ab41a87f1a113..c16883fa60679 100644 --- a/src/wp-includes/html-api/class-wp-css-type-selector.php +++ b/src/wp-includes/html-api/class-wp-css-type-selector.php @@ -70,7 +70,7 @@ public function matches_tag( string $tag_name ): bool { * will be updated if the parse is successful. * @return static|null The selector instance, or null if the parse was unsuccessful. */ - public static function parse( string $input, int &$offset ): ?static { + public static function parse( string $input, int &$offset ) { if ( $offset >= strlen( $input ) ) { return null; } From 8d2aef2f19c99a7e1401fc29d16e56a930bad948 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 19:47:59 +0100 Subject: [PATCH 128/187] Fix typo in Exception class name --- tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php index 4e0dd23af12f7..bf84f30637510 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -17,10 +17,10 @@ public function set_up(): void { parent::set_up(); $this->test_class = new class() extends WP_CSS_Selector_Parser_Matcher { public function matches( $processor ): bool { - throw new Exeption( 'Matches called on test class.' ); + throw new Error( 'Matches called on test class.' ); } public static function parse( string $input, int &$offset ): ?static { - throw new Exeption( 'Parse called on test class.' ); + throw new Error( 'Parse called on test class.' ); } /* From 33b83338c827a67c48328dbf8f4c2dd70893ba9c Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 11 Dec 2024 19:48:37 +0100 Subject: [PATCH 129/187] Remove ?static return type from test --- tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php index bf84f30637510..29a76bfd78723 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -19,7 +19,7 @@ public function set_up(): void { public function matches( $processor ): bool { throw new Error( 'Matches called on test class.' ); } - public static function parse( string $input, int &$offset ): ?static { + public static function parse( string $input, int &$offset ) { throw new Error( 'Parse called on test class.' ); } From 016d897f35d7b59400ba4b2fd386065b187e8e4d Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 10 Jul 2025 19:36:44 +0200 Subject: [PATCH 130/187] Change MATCH_EXACT_OR_HYPHEN_PREFIXED to _SUFFIXED This is a more appropriate name for the type of match. > `[att|=val]` Represents an element with the att attribute, its value > either being exactly "val" or beginning with "val" immediately > followed by "-" (U+002D). This is primarily intended to allow language > subcode matches (e.g., the hreflang attribute on the a element in > HTML) as described in BCP 47 ([BCP47]) or its successor. --- .../html-api/class-wp-css-attribute-selector.php | 8 ++++---- tests/phpunit/tests/html-api/wpCssAttributeSelector.php | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index dc3c13a5ea534..e104b05fabf8c 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -43,7 +43,7 @@ final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser_Matcher { * * [attr|=value] */ - const MATCH_EXACT_OR_HYPHEN_PREFIXED = 'exact-or-hyphen-prefixed'; + const MATCH_EXACT_OR_HYPHEN_SUFFIXED = 'exact-or-hyphen-suffixed'; /** * The attribute value matches the start of the attribute. @@ -103,7 +103,7 @@ final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser_Matcher { * Allowed string values are the class constants: * - {@see WP_CSS_Attribute_Selector::MATCH_EXACT} * - {@see WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT} - * - {@see WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_PREFIXED} + * - {@see WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_SUFFIXED} * - {@see WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY} * - {@see WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY} * - {@see WP_CSS_Attribute_Selector::MATCH_CONTAINS} @@ -187,7 +187,7 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { } return false; - case self::MATCH_EXACT_OR_HYPHEN_PREFIXED: + case self::MATCH_EXACT_OR_HYPHEN_SUFFIXED: // Attempt the full match first if ( $case_insensitive @@ -299,7 +299,7 @@ public static function parse( string $input, int &$offset ) { $updated_offset += 2; break; case '|': - $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_PREFIXED; + $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_SUFFIXED; $updated_offset += 2; break; case '^': diff --git a/tests/phpunit/tests/html-api/wpCssAttributeSelector.php b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php index d907ad7c07e5b..45fa787f7a4ff 100644 --- a/tests/phpunit/tests/html-api/wpCssAttributeSelector.php +++ b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php @@ -57,7 +57,7 @@ public static function data_attribute_selectors(): array { '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), '[match $= insensitive i]' => array( '[match $= insensitive i]', 'match', WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, 'insensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), - '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_PREFIXED, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + '[match|=sensitive s]' => array( '[match|=sensitive s]', 'match', WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_SUFFIXED, 'sensitive', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), '[att=val I]' => array( '[att=val I]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), '[att=val S]' => array( '[att=val S]', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), From c0fa8d54a4a396ddf25b12aeb51462302b33e49c Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 10 Jul 2025 19:43:54 +0200 Subject: [PATCH 131/187] Use "attr" instead of "att" as short "attributes" --- .../class-wp-css-attribute-selector.php | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index e104b05fabf8c..7d9acd1665b51 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -22,7 +22,7 @@ final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser_Matcher { * * @example * - * [att=val] + * [attr=val] */ const MATCH_EXACT = 'exact'; @@ -154,8 +154,8 @@ private function __construct( string $name, ?string $matcher = null, ?string $va * @return bool True if the processor's current position matches the selector. */ public function matches( WP_HTML_Tag_Processor $processor ): bool { - $att_value = $processor->get_attribute( $this->name ); - if ( null === $att_value ) { + $attr_value = $processor->get_attribute( $this->name ); + if ( null === $attr_value ) { return false; } @@ -163,8 +163,8 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { return true; } - if ( true === $att_value ) { - $att_value = ''; + if ( true === $attr_value ) { + $attr_value = ''; } $case_insensitive = self::MODIFIER_CASE_INSENSITIVE === $this->modifier; @@ -172,11 +172,11 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { switch ( $this->matcher ) { case self::MATCH_EXACT: return $case_insensitive - ? 0 === strcasecmp( $att_value, $this->value ) - : $att_value === $this->value; + ? 0 === strcasecmp( $attr_value, $this->value ) + : $attr_value === $this->value; case self::MATCH_ONE_OF_EXACT: - foreach ( $this->whitespace_delimited_list( $att_value ) as $val ) { + foreach ( $this->whitespace_delimited_list( $attr_value ) as $val ) { if ( $case_insensitive ? 0 === strcasecmp( $val, $this->value ) @@ -191,31 +191,31 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { // Attempt the full match first if ( $case_insensitive - ? 0 === strcasecmp( $att_value, $this->value ) - : $att_value === $this->value + ? 0 === strcasecmp( $attr_value, $this->value ) + : $attr_value === $this->value ) { return true; } // Partial match - if ( strlen( $att_value ) < strlen( $this->value ) + 1 ) { + if ( strlen( $attr_value ) < strlen( $this->value ) + 1 ) { return false; } $starts_with = "{$this->value}-"; - return 0 === substr_compare( $att_value, $starts_with, 0, strlen( $starts_with ), $case_insensitive ); + return 0 === substr_compare( $attr_value, $starts_with, 0, strlen( $starts_with ), $case_insensitive ); case self::MATCH_PREFIXED_BY: - return 0 === substr_compare( $att_value, $this->value, 0, strlen( $this->value ), $case_insensitive ); + return 0 === substr_compare( $attr_value, $this->value, 0, strlen( $this->value ), $case_insensitive ); case self::MATCH_SUFFIXED_BY: - return 0 === substr_compare( $att_value, $this->value, -strlen( $this->value ), null, $case_insensitive ); + return 0 === substr_compare( $attr_value, $this->value, -strlen( $this->value ), null, $case_insensitive ); case self::MATCH_CONTAINS: return false !== ( $case_insensitive - ? stripos( $att_value, $this->value ) - : strpos( $att_value, $this->value ) + ? stripos( $attr_value, $this->value ) + : strpos( $attr_value, $this->value ) ); } } From cfa2bc2ecb17d2893cb239db168608f295ee187f Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 10 Jul 2025 20:13:46 +0200 Subject: [PATCH 132/187] Simplify exact or hyphen suffixed implementation --- .../class-wp-css-attribute-selector.php | 22 +++++-------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index 7d9acd1665b51..dde5f12bbf962 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -188,22 +188,12 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { return false; case self::MATCH_EXACT_OR_HYPHEN_SUFFIXED: - // Attempt the full match first - if ( - $case_insensitive - ? 0 === strcasecmp( $attr_value, $this->value ) - : $attr_value === $this->value - ) { - return true; - } - - // Partial match - if ( strlen( $attr_value ) < strlen( $this->value ) + 1 ) { - return false; - } - - $starts_with = "{$this->value}-"; - return 0 === substr_compare( $attr_value, $starts_with, 0, strlen( $starts_with ), $case_insensitive ); + $exact_length = strlen( $this->value ); + $matches_prefix = substr_compare( $attr_value, $this->value, 0, $exact_length, $case_insensitive ); + return ( + 0 === $matches_prefix && + ( strlen( $attr_value ) === $exact_length || '-' === $attr_value[ $exact_length ] ) + ); case self::MATCH_PREFIXED_BY: return 0 === substr_compare( $attr_value, $this->value, 0, strlen( $this->value ), $case_insensitive ); From dc789e41f26f9b08ab9f306ffc51be7e3945daec Mon Sep 17 00:00:00 2001 From: Dennis Snell Date: Mon, 14 Jul 2025 12:44:26 -0500 Subject: [PATCH 133/187] Only expose `select()` for a `while ( $->select() )` loop Matches the calling interface for the other HTML API classes, avoids creating the `Generator`, using a static var to avoid re-parsing the selector string instead. --- .../class-wp-css-complex-selector-list.php | 2 +- .../class-wp-css-compound-selector-list.php | 2 +- .../html-api/class-wp-html-processor.php | 52 ++++++------------- .../html-api/class-wp-html-tag-processor.php | 52 ++++++------------- .../tests/html-api/wpHtmlProcessor-select.php | 9 ++-- .../html-api/wpHtmlTagProcessor-select.php | 8 +-- 6 files changed, 41 insertions(+), 84 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index d819cd469086f..5d6c4029af08e 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -12,7 +12,7 @@ * * This class is designed for internal use by the HTML processor. * - * For usage, see {@see WP_HTML_Processor::select()} or {@see WP_HTML_Processor::select_all()}. + * For usage, see {@see WP_HTML_Processor::select()}. * * This class is instantiated via the {@see WP_CSS_Complex_Selector_List::from_selectors()} method. * It takes a CSS selector string and returns an instance of itself or `null` if the selector diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index 41cf76e2c90f6..d12f6cdeda944 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -12,7 +12,7 @@ * * This class is designed for internal use by the HTML Tag Processor. * - * For usage, see {@see WP_HTML_Tag_Processor::select()} or {@see WP_HTML_Tag_Processor::select_all()}. + * For usage, see {@see WP_HTML_Tag_Processor::select()}. * * This class is instantiated via the {@see WP_CSS_Compound_Selector_List::from_selectors()} method. * It takes a CSS selector string and returns an instance of itself or `null` if the selector diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php index 4be8b2860f3ce..1f23e93a4023d 100644 --- a/src/wp-includes/html-api/class-wp-html-processor.php +++ b/src/wp-includes/html-api/class-wp-html-processor.php @@ -640,12 +640,12 @@ public function get_unsupported_exception() { /** * Progress through a document pausing on tags matching the provided CSS selector string. * - * @example + * Example: * * $processor = WP_HTML_Processor::create_fragment( * 'Example' * ); - * foreach ( $processor->select_all( 'meta[property^="og:" i]' ) as $_ ) { + * while ( $processor->select( 'meta[property^="og:" i]' ) ) { * // Loop is entered twice. * var_dump( * $processor->get_tag(), // string(4) "META" @@ -654,55 +654,37 @@ public function get_unsupported_exception() { * ); * } * - * @since 6.8.0 + * @since {WP_VERSION} * * @param string $selector_string Selector string. - * @return Generator A generator pausing on each tag matching the selector. + * @return bool Whether a selection was found. */ - public function select_all( $selector_string ): Generator { - $selector = WP_CSS_Complex_Selector_List::from_selectors( $selector_string ); + public function select( $selector_string ): bool { + static $previous_selector_string = null; + static $previous_selector = null; + + $selector = $selector_string === $previous_selector_string + ? $previous_selector + : WP_CSS_Complex_Selector_List::from_selectors( $selector_string ); + + $previous_selector = $selector; + $previous_selector_string = $selector_string; + if ( null === $selector ) { _doing_it_wrong( __METHOD__, sprintf( 'Received unsupported or invalid selector "%s".', $selector_string ), '6.8' ); - return; + return false; } while ( $this->next_tag() ) { if ( $selector->matches( $this ) ) { - yield; + return true; } } - } - /** - * Move to the next tag matching the provided CSS selector string. - * - * This method will stop at the next match. To progress through all matches, use - * the {@see WP_HTML_Processor::select_all()} method. - * - * @example - * - * $processor = WP_HTML_Processor::create_fragment( - * 'Example' - * ); - * $processor->select( 'meta[charset]' ); - * var_dump( - * $processor->get_tag(), // string(4) "META" - * $processor->get_attribute( 'charset' ), // string(5) "utf-8" - * ); - * - * @since 6.8.0 - * - * @param string $selector_string - * @return bool True if a matching tag was found, otherwise false. - */ - public function select( string $selector_string ): bool { - foreach ( $this->select_all( $selector_string ) as $_ ) { - return true; - } return false; } diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php index 0f6b59441c75b..2f9d27e0f415c 100644 --- a/src/wp-includes/html-api/class-wp-html-tag-processor.php +++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php @@ -863,12 +863,12 @@ public function change_parsing_namespace( string $new_namespace ): bool { /** * Progress through a document pausing on tags matching the provided CSS selector string. * - * @example + * Example: * * $processor = new WP_HTML_Tag_Processor( * 'Example' * ); - * foreach ( $processor->select_all( 'meta[property^="og:" i]' ) as $_ ) { + * while ( $processor->select( 'meta[property^="og:" i]' ) ) { * // Loop is entered twice. * var_dump( * $processor->get_tag(), // string(4) "META" @@ -877,55 +877,37 @@ public function change_parsing_namespace( string $new_namespace ): bool { * ); * } * - * @since 6.8.0 + * @since {WP_VERSION} * * @param string $selector_string Selector string. - * @return Generator A generator pausing on each tag matching the selector. + * @return bool Whether a selection was found. */ - public function select_all( $selector_string ): Generator { - $selector = WP_CSS_Compound_Selector_List::from_selectors( $selector_string ); + public function select( $selector_string ): bool { + static $previous_selector_string = null; + static $previous_selector = null; + + $selector = $selector_string === $previous_selector_string + ? $previous_selector + : WP_CSS_Compound_Selector_List::from_selectors( $selector_string ); + + $previous_selector = $selector; + $previous_selector_string = $selector_string; + if ( null === $selector ) { _doing_it_wrong( __METHOD__, sprintf( 'Received unsupported or invalid selector "%s".', $selector_string ), '6.8' ); - return; + return false; } while ( $this->next_tag() ) { if ( $selector->matches( $this ) ) { - yield; + return true; } } - } - /** - * Move to the next tag matching the provided CSS selector string. - * - * This method will stop at the next match. To progress through all matches, use - * the {@see WP_HTML_Tag_Processor::select_all()} method. - * - * @example - * - * $processor = new WP_HTML_Tag_Processor( - * 'Example' - * ); - * $processor->select( 'meta[charset]' ); - * var_dump( - * $processor->get_tag(), // string(4) "META" - * $processor->get_attribute( 'charset' ), // string(5) "utf-8" - * ); - * - * @since 6.8.0 - * - * @param string $selector_string - * @return bool True if a matching tag was found, otherwise false. - */ - public function select( string $selector_string ): bool { - foreach ( $this->select_all( $selector_string ) as $_ ) { - return true; - } return false; } diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index a8f6a7c949080..6ce8e6606fc51 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -3,10 +3,7 @@ * Unit tests covering WP_HTML_Processor select functionality. * * Covers functionality related to CSS selectors and the {@see WP_HTML_Processor::select()} - * and {@see WP_HTML_Processor::select_all()} methods. - * - * @package WordPress - * @subpackage HTML-API + * and {@see WP_HTML_Processor::select()} methods. * * @since 6.8.0 * @@ -26,10 +23,10 @@ public function test_select_miss() { * * @dataProvider data_selectors */ - public function test_select_all( string $html, string $selector, int $match_count ) { + public function test_selects_all_matches( string $html, string $selector, int $match_count ) { $processor = WP_HTML_Processor::create_full_parser( $html ); $count = 0; - foreach ( $processor->select_all( $selector ) as $_ ) { + while ( $processor->select( $selector ) ) { $breadcrumb_string = implode( ', ', $processor->get_breadcrumbs() ); $this->assertTrue( $processor->get_attribute( 'match' ), diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index 28f88778629ce..4f35fc777f3b6 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -2,11 +2,7 @@ /** * Unit tests covering WP_HTML_Tag_Processor CSS selection functionality. * - * Covers functionality related to CSS selectors and the {@see WP_HTML_Tag_Processor::select()} - * and {@see WP_HTML_Tag_Processor::select_all()} methods. - * - * @package WordPress - * @subpackage HTML-API + * Covers functionality related to CSS selectors and the {@see WP_HTML_Tag_Processor::select()} method. * * @since 6.8.0 * @@ -29,7 +25,7 @@ public function test_select_miss() { public function test_select( string $html, string $selector, int $match_count ) { $processor = new WP_HTML_Tag_Processor( $html ); $count = 0; - foreach ( $processor->select_all( $selector ) as $_ ) { + while ( $processor->select( $selector ) ) { $this->assertTrue( $processor->get_attribute( 'match' ), "Matched unexpected tag {$processor->get_tag()}" From 2d931ef7e768ed6a522fbf44eb78b050de88c04d Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 10:26:52 +0200 Subject: [PATCH 134/187] Fix expectedIncorrectUsage method name --- tests/phpunit/tests/html-api/wpHtmlProcessor-select.php | 2 +- tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index 6ce8e6606fc51..9bdae5802dfe4 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -59,7 +59,7 @@ public static function data_selectors(): array { /** * @ticket 62653 * - * @expectedIncorrectUsage WP_HTML_Processor::select_all + * @expectedIncorrectUsage WP_HTML_Processor::select * * @dataProvider data_invalid_selectors */ diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index 4f35fc777f3b6..a133ea63bc3fa 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -83,7 +83,7 @@ public static function data_selectors(): array { /** * @ticket 62653 * - * @expectedIncorrectUsage WP_HTML_Tag_Processor::select_all + * @expectedIncorrectUsage WP_HTML_Tag_Processor::select * * @dataProvider data_invalid_selectors */ From 53ee08d14888d4dd9c5f4614e4721292c9803271 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 10:27:15 +0200 Subject: [PATCH 135/187] Improve and fix complex selector list documentation --- .../class-wp-css-complex-selector-list.php | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index 5d6c4029af08e..bc1dd5f25d849 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -21,14 +21,24 @@ * A subset of the CSS selector grammar is supported. The grammar is defined in the CSS Syntax * specification, which is available at {@link https://www.w3.org/TR/selectors/#grammar}. * - * This class is rougly analogous to the in the grammar. See {@see WP_CSS_Compound_Selector_List} for more details on the grammar. + * This class is rougly analogous to the in the grammar. + * See {@see WP_CSS_Compound_Selector_List} for more details on the grammar. * - * This class supports the same selector syntax as {@see WP_CSS_Compound_Selector_List} as well as: - * - The following combinators: - * - Next sibling (`el + el`) - * - Subsequent sibling (`el ~ el`) + * This class supports the same selector syntax as {@see WP_CSS_Compound_Selector_List} as well as + * the following combinators: + * - Descendant (`ancestor descendant`) + * - Child (`parent > child`) * - * @since 6.8.0 + * Combinators may only be used with type selectors in the non-final position, for example: + * - `div [type=input]` is valid because the `div` type selector appears in a non-final position. + * - `[disabled] option` is NOT valid, because the `[disabled]` attribute selector appears + * a non-final position. + * + * These combinators are not supported: + * - Next sibling (`former-sibling + next-sibling`) + * - Subsequent sibling (`former-sibling ~ subsequent-sibling`) + * + * @since {WP_VERSION} * * @access private */ From a627471539c46d33b343fdc6155946e3f455aed5 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 10:27:32 +0200 Subject: [PATCH 136/187] Add unsupports sibling selector tests --- .../phpunit/tests/html-api/wpHtmlProcessor-select.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index 9bdae5802dfe4..419d9831cbe63 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -75,11 +75,15 @@ public function test_invalid_selector( string $selector ) { */ public static function data_invalid_selectors(): array { return array( - 'invalid selector' => array( '[invalid!selector]' ), + 'invalid selector' => array( '[invalid!selector]' ), // The class selectors below are not allowed in non-final position. - 'unsupported child selector' => array( '.parent > .child' ), - 'unsupported descendant selector' => array( '.ancestor .descendant' ), + 'unsupported child selector' => array( '.parent > .child' ), + 'unsupported descendant selector' => array( '.ancestor .descendant' ), + + // Unsupported combinators + 'unsupported next sibling selector' => array( 'p + p' ), + 'unsupported subsequent sibling selector' => array( 'p ~ p' ), ); } } From 0058e15e37c32a190d6a33132e8f5320bd94ea87 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 10:31:31 +0200 Subject: [PATCH 137/187] Do not support + and ~ selectors --- src/wp-includes/html-api/class-wp-css-complex-selector.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 8c7c25ed7b984..832bea2df6926 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -218,10 +218,14 @@ public static function parse( string $input, int &$offset ) { $combinator = null; $next_selector = null; + // Sibling (`+` and `~`) combinators are not supported at this time. if ( - WP_CSS_Complex_Selector::COMBINATOR_CHILD === $input[ $updated_offset ] || WP_CSS_Complex_Selector::COMBINATOR_NEXT_SIBLING === $input[ $updated_offset ] || WP_CSS_Complex_Selector::COMBINATOR_SUBSEQUENT_SIBLING === $input[ $updated_offset ] + ) { + return null; + } elseif ( + WP_CSS_Complex_Selector::COMBINATOR_CHILD === $input[ $updated_offset ] ) { $combinator = $input[ $updated_offset ]; ++$updated_offset; From a99207dad15b164ed82940049dcb0c6e3f7162eb Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 10:36:00 +0200 Subject: [PATCH 138/187] Update @since tags to WP_VERSION placeholder --- .../html-api/class-wp-css-attribute-selector.php | 4 ++-- src/wp-includes/html-api/class-wp-css-class-selector.php | 4 ++-- .../html-api/class-wp-css-complex-selector-list.php | 2 +- src/wp-includes/html-api/class-wp-css-complex-selector.php | 6 +++--- .../html-api/class-wp-css-compound-selector-list.php | 6 ++---- src/wp-includes/html-api/class-wp-css-compound-selector.php | 4 ++-- src/wp-includes/html-api/class-wp-css-id-selector.php | 4 ++-- src/wp-includes/html-api/class-wp-css-type-selector.php | 4 ++-- src/wp-includes/html-api/class-wp-html-processor.php | 2 +- src/wp-includes/html-api/class-wp-html-tag-processor.php | 2 +- tests/phpunit/tests/html-api/wpCssAttributeSelector.php | 2 +- tests/phpunit/tests/html-api/wpCssClassSelector.php | 2 +- tests/phpunit/tests/html-api/wpCssComplexSelector.php | 2 +- tests/phpunit/tests/html-api/wpCssComplexSelectorList.php | 2 +- tests/phpunit/tests/html-api/wpCssCompoundSelector.php | 2 +- tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php | 2 +- tests/phpunit/tests/html-api/wpCssIdSelector.php | 2 +- tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php | 2 +- tests/phpunit/tests/html-api/wpCssTypeSelector.php | 2 +- tests/phpunit/tests/html-api/wpHtmlProcessor-select.php | 2 +- tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php | 2 +- 21 files changed, 29 insertions(+), 31 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index dde5f12bbf962..7e8e21bacbc26 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since 6.8.0 + * @since {WP_VERSION} */ /** @@ -12,7 +12,7 @@ * * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * - * @since 6.8.0 + * @since {WP_VERSION} * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/class-wp-css-class-selector.php index 57f7dac50315f..121b3abf10f96 100644 --- a/src/wp-includes/html-api/class-wp-css-class-selector.php +++ b/src/wp-includes/html-api/class-wp-css-class-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since 6.8.0 + * @since {WP_VERSION} */ /** @@ -12,7 +12,7 @@ * * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * - * @since 6.8.0 + * @since {WP_VERSION} * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index bc1dd5f25d849..80c84c10cfad9 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since 6.8.0 + * @since {WP_VERSION} */ /** diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 832bea2df6926..96a4fd10be481 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since 6.8.0 + * @since {WP_VERSION} */ /** @@ -15,7 +15,7 @@ * A compound selector is at least a single compound selector. There may be additional selectors * with combinators. * - * @since 6.8.0 + * @since {WP_VERSION} * * @access private */ @@ -184,7 +184,7 @@ private function explore_matches( array $selectors, array $breadcrumbs ): bool { __( 'Unsupported combinator "%s" found.' ), $combinator ), - '6.8.0' + '{WP_VERSION}' ); return false; } diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index d12f6cdeda944..c55eccb0dfe56 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since 6.8.0 + * @since {WP_VERSION} */ /** @@ -67,7 +67,7 @@ * - `svg|*` to select all SVG elements * - `html|title` to select only HTML TITLE elements. * - * @since 6.8.0 + * @since {WP_VERSION} * * @access private * @@ -116,8 +116,6 @@ protected function __construct( array $selectors ) { * Takes a CSS selector string and returns an instance of itself or `null` if the selector * string is invalid or unsupported. * - * @since 6.8.0 - * * @param string $input CSS selectors. * @return static|null */ diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/class-wp-css-compound-selector.php index 91e543fdc7e7e..48e206819c0d3 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since 6.8.0 + * @since {WP_VERSION} */ /** @@ -17,7 +17,7 @@ * - Zero or more subclass selectors (ID, class, or attribute selectors). * - At least one of the above. * - * @since 6.8.0 + * @since {WP_VERSION} * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index f0c203dc6477e..1d3b7f1f85d16 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since 6.8.0 + * @since {WP_VERSION} */ /** @@ -12,7 +12,7 @@ * * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * - * @since 6.8.0 + * @since {WP_VERSION} * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/class-wp-css-type-selector.php index c16883fa60679..c7c7baa2d5508 100644 --- a/src/wp-includes/html-api/class-wp-css-type-selector.php +++ b/src/wp-includes/html-api/class-wp-css-type-selector.php @@ -4,7 +4,7 @@ * * @package WordPress * @subpackage HTML-API - * @since 6.8.0 + * @since {WP_VERSION} */ /** @@ -12,7 +12,7 @@ * * This class is used to test for matching HTML tags in a {@see WP_HTML_Tag_Processor}. * - * @since 6.8.0 + * @since {WP_VERSION} * * @access private */ diff --git a/src/wp-includes/html-api/class-wp-html-processor.php b/src/wp-includes/html-api/class-wp-html-processor.php index 1f23e93a4023d..a17ba18de3340 100644 --- a/src/wp-includes/html-api/class-wp-html-processor.php +++ b/src/wp-includes/html-api/class-wp-html-processor.php @@ -674,7 +674,7 @@ public function select( $selector_string ): bool { _doing_it_wrong( __METHOD__, sprintf( 'Received unsupported or invalid selector "%s".', $selector_string ), - '6.8' + '{WP_VERSION}' ); return false; } diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php index 2f9d27e0f415c..ac066a908b6c9 100644 --- a/src/wp-includes/html-api/class-wp-html-tag-processor.php +++ b/src/wp-includes/html-api/class-wp-html-tag-processor.php @@ -897,7 +897,7 @@ public function select( $selector_string ): bool { _doing_it_wrong( __METHOD__, sprintf( 'Received unsupported or invalid selector "%s".', $selector_string ), - '6.8' + '{WP_VERSION}' ); return false; } diff --git a/tests/phpunit/tests/html-api/wpCssAttributeSelector.php b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php index 45fa787f7a4ff..e574cedd1876b 100644 --- a/tests/phpunit/tests/html-api/wpCssAttributeSelector.php +++ b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api * diff --git a/tests/phpunit/tests/html-api/wpCssClassSelector.php b/tests/phpunit/tests/html-api/wpCssClassSelector.php index fa1d097a5ad3d..9646d05da23d5 100644 --- a/tests/phpunit/tests/html-api/wpCssClassSelector.php +++ b/tests/phpunit/tests/html-api/wpCssClassSelector.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api * diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelector.php b/tests/phpunit/tests/html-api/wpCssComplexSelector.php index bb7b6e67e9d1a..8738bb6fc32d2 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelector.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelector.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api * diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php index 4e788860ff53f..edf912e97f490 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api * diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelector.php b/tests/phpunit/tests/html-api/wpCssCompoundSelector.php index 8800c89d6ed36..8092ee049b6e1 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelector.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelector.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api * diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index 01eff118a87b0..af05332c9aa3e 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api * diff --git a/tests/phpunit/tests/html-api/wpCssIdSelector.php b/tests/phpunit/tests/html-api/wpCssIdSelector.php index 6cd6b83a46b8d..6dc2e5461ea03 100644 --- a/tests/phpunit/tests/html-api/wpCssIdSelector.php +++ b/tests/phpunit/tests/html-api/wpCssIdSelector.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api * diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php index 29a76bfd78723..29372172da2b1 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api */ diff --git a/tests/phpunit/tests/html-api/wpCssTypeSelector.php b/tests/phpunit/tests/html-api/wpCssTypeSelector.php index fb53c41dd058c..23d5f5517453a 100644 --- a/tests/phpunit/tests/html-api/wpCssTypeSelector.php +++ b/tests/phpunit/tests/html-api/wpCssTypeSelector.php @@ -6,7 +6,7 @@ * * @subpackage HTML-API * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api * diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index 419d9831cbe63..003e65e69ebce 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -5,7 +5,7 @@ * Covers functionality related to CSS selectors and the {@see WP_HTML_Processor::select()} * and {@see WP_HTML_Processor::select()} methods. * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api */ diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index a133ea63bc3fa..1d09c61b4760d 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -4,7 +4,7 @@ * * Covers functionality related to CSS selectors and the {@see WP_HTML_Tag_Processor::select()} method. * - * @since 6.8.0 + * @since {WP_VERSION} * * @group html-api */ From 0fb0c2010f4e6c729fb410a4df7f8f8e331223ef Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 10:48:34 +0200 Subject: [PATCH 139/187] Add unsupported complex selector test --- .../phpunit/tests/html-api/wpCssCompoundSelectorList.php | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index af05332c9aa3e..8f1d3dfb88a45 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -48,4 +48,13 @@ public function test_parse_empty_selector_list() { $result = WP_CSS_Compound_Selector_List::from_selectors( $input ); $this->assertNull( $result ); } + + /** + * @ticket 62653 + */ + public function test_unsupported_complex_selector() { + $input = 'ancestor descendant'; + $result = WP_CSS_Compound_Selector_List::from_selectors( $input ); + $this->assertNull( $result ); + } } From 2f47c32955139dae5fef66e21efa1ad8668ff1ed Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 10:53:10 +0200 Subject: [PATCH 140/187] Fix spelling and grammar in documentation --- .../html-api/class-wp-css-complex-selector-list.php | 4 ++-- src/wp-includes/html-api/class-wp-css-complex-selector.php | 2 +- .../html-api/class-wp-css-compound-selector-list.php | 2 +- .../html-api/class-wp-css-selector-parser-matcher.php | 6 +++--- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php index 80c84c10cfad9..da5e17011e0d8 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector-list.php @@ -21,7 +21,7 @@ * A subset of the CSS selector grammar is supported. The grammar is defined in the CSS Syntax * specification, which is available at {@link https://www.w3.org/TR/selectors/#grammar}. * - * This class is rougly analogous to the in the grammar. + * This class is roughly analogous to the in the grammar. * See {@see WP_CSS_Compound_Selector_List} for more details on the grammar. * * This class supports the same selector syntax as {@see WP_CSS_Compound_Selector_List} as well as @@ -32,7 +32,7 @@ * Combinators may only be used with type selectors in the non-final position, for example: * - `div [type=input]` is valid because the `div` type selector appears in a non-final position. * - `[disabled] option` is NOT valid, because the `[disabled]` attribute selector appears - * a non-final position. + * in a non-final position. * * These combinators are not supported: * - Next sibling (`former-sibling + next-sibling`) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 96a4fd10be481..36671067be537 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -12,7 +12,7 @@ * * This class is used to test for matching HTML tags in a {@see WP_HTML_Processor}. * - * A compound selector is at least a single compound selector. There may be additional selectors + * A complex selector is at least a single compound selector. There may be additional selectors * with combinators. * * @since {WP_VERSION} diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index c55eccb0dfe56..d70cff59f7428 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -59,7 +59,7 @@ * - Pseudo-element selectors (`::before`) * - Pseudo-class selectors (`:hover` or `:nth-child(2)`) * - Namespace prefixes (`svg|title` or `[xlink|href]`) - * - No combinators are supported (descendant, child, next sibling, subsequent sibling) + * - Combinators are not supported (descendant, child, next sibling, subsequent sibling) * * Future ideas: * - Namespace type selectors could be implemented with select namespaces in order to diff --git a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php index e2b56a7b9e55c..180ecba98bacf 100644 --- a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php @@ -8,7 +8,7 @@ */ /** - * Base class for all CSS Selector praser/matcher classes. + * Base class for all CSS Selector parser/matcher classes. * * @since 6.8.0 * @@ -50,7 +50,7 @@ abstract public static function parse( string $input, int &$offset ); * * @param string $input The selector string. * @param int $offset The offset into the string. The offset is passed by reference and will - * be update to the byte after the whitespace sequence. + * be updated to the byte after the whitespace sequence. * @return bool True if whitespace was consumed. */ final protected static function parse_whitespace( string $input, int &$offset ): bool { @@ -258,7 +258,7 @@ final protected static function consume_escaped_codepoint( $input, &$offset ): s /** * Parse an ident token * - * CAUTION: This method is _not_ for parsing and ID selector! + * CAUTION: This method is _not_ for parsing an ID selector! * * > 4.3.11. Consume an ident sequence * > This section describes how to consume an ident sequence from a stream of code points. It returns a string containing the largest name that can be formed from adjacent code points in the stream, starting from the first. From c5723916f34c10fdf5e81ee636edddcc0a2e4f90 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 17:05:28 +0200 Subject: [PATCH 141/187] Improve documentation --- .../class-wp-css-complex-selector.php | 40 +++++++------------ .../class-wp-css-compound-selector-list.php | 5 ++- 2 files changed, 18 insertions(+), 27 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 36671067be537..4ebe9fd476f5a 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -48,7 +48,7 @@ final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser_Matcher { * The "self selector" is the last element in a complex selector, it corresponds to the * selected element. * - * @example + * Example: * * $self_selector * ┏━━━━┻━━━━┓ @@ -67,38 +67,28 @@ final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser_Matcher { * the element at index 1 is the combinator string constant from this class, * e.g. `WP_CSS_Complex_Selector::COMBINATOR_CHILD`. * - * In the example selector below, an element like `` is selected iff: + * In the example selector below, an element like `` matches iff: * - it is a child of an `H1` element - * - *and* that `H1` element is a descendant of a `HEADING` element. + * - that `H1` element is a descendant of a `SECTION` element. * - * The `H1` and `HEADING` parts of this selector are the "context selectors." Note that this - * terminology is used for purposes of this class but does not correspond to language in the - * CSS or selector specifications. - * - * @example + * The `section` and `h1` parts of this selector and their combinators are the + * "context selectors." Note that this terminology does not correspond to language in the + * specification texts. * * $context_selectors - * ┏━━━━━━┻━━━━┓ - * .heading h1 > el.selected - * - * The example would have the following relative selectors: + * ┏━━━━━┻━━━━┓ + * section h1 > strong.selected * - * @example + * The example would have the following context selectors: * - * array ( - * array( - * WP_CSS_Type_Selector( 'ident' => 'h1' ), - * '>', // WP_CSS_Complex_Selector::COMBINATOR_CHILD - * ), - * array( - * new WP_CSS_Type_Selector( 'header' ), - * ' ', // WP_CSS_Complex_Selector::COMBINATOR_DESCENDANT - * ), + * // Pseudo-code + * array( + * array( WP_CSS_Type_Selector( 'type'=>'h1' ), '>' ), + * array( WP_CSS_Type_Selector( 'type'=>'section' ), ' ' ), * ) * - * Note that the order of context selectors is reversed. This is to match the self selector - * first and then match the context selectors beginning with the selector closest to the self - * selector. + * Context selectors are ordered from right to left in the selector text. The selectors closest + * to the target appear at the start of the `context_selectors` array. * * @readonly * @var array{WP_CSS_Type_Selector, string}[]|null diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index d70cff59f7428..edc6a841a859a 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -41,7 +41,7 @@ * @link https://www.w3.org/TR/selectors/#grammar Refer to the grammar for more details. * * This class of selectors does not support "complex" selectors. That is any selector with a - * combinator such as descendent (`.ancestor .descendant`) or child (`.parent > .child`). + * combinator such as descendant (`.ancestor .descendant`) or child (`.parent > .child`). * See {@see WP_CSS_Complex_Selector_List} for support of some combinators. * * Note that this grammar has been adapted and does not support the full CSS selector grammar. @@ -59,7 +59,8 @@ * - Pseudo-element selectors (`::before`) * - Pseudo-class selectors (`:hover` or `:nth-child(2)`) * - Namespace prefixes (`svg|title` or `[xlink|href]`) - * - Combinators are not supported (descendant, child, next sibling, subsequent sibling) + * - Combinators are not supported by this class (descendant, child, next sibling, + * subsequent sibling). See {@see WP_CSS_Complex_Selector_List} for combinator support. * * Future ideas: * - Namespace type selectors could be implemented with select namespaces in order to From ac2fb562c560033708cd8cec1321589c8af999f3 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 17:18:47 +0200 Subject: [PATCH 142/187] More documentation improvements --- src/wp-includes/html-api/class-wp-css-attribute-selector.php | 2 +- src/wp-includes/html-api/class-wp-css-complex-selector.php | 4 ++-- .../html-api/class-wp-css-compound-selector-list.php | 4 +--- .../html-api/class-wp-css-selector-parser-matcher.php | 4 ++-- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/class-wp-css-attribute-selector.php index 7e8e21bacbc26..a63dfaba66b61 100644 --- a/src/wp-includes/html-api/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/class-wp-css-attribute-selector.php @@ -217,7 +217,7 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { * * @param string $input * - * @return Generator + * @return Generator Yields each whitespace-delimited value from the input string. */ private function whitespace_delimited_list( string $input ): Generator { // Start by skipping whitespace. diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/class-wp-css-complex-selector.php index 4ebe9fd476f5a..fd05c29daba91 100644 --- a/src/wp-includes/html-api/class-wp-css-complex-selector.php +++ b/src/wp-includes/html-api/class-wp-css-complex-selector.php @@ -99,7 +99,7 @@ final class WP_CSS_Complex_Selector extends WP_CSS_Selector_Parser_Matcher { * Constructor. * * @param WP_CSS_Compound_Selector $self_selector The selector in the final position. - * @param array{WP_CSS_Type_Selector, string}[]|null $selectors The context selectors. + * @param array{WP_CSS_Type_Selector, string}[]|null $context_selectors The context selectors. */ private function __construct( WP_CSS_Compound_Selector $self_selector, @@ -246,7 +246,7 @@ public static function parse( string $input, int &$offset ) { return null; } - /** @var array{WP_CSS_Compound_Selector, string} */ + /** @var array{WP_CSS_Type_Selector, string} */ $selector_pair = array( $self_selector->type_selector, $combinator ); $selectors[] = $selector_pair; $self_selector = $next_selector; diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php index edc6a841a859a..c9eb936ff7371 100644 --- a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/class-wp-css-compound-selector-list.php @@ -51,9 +51,7 @@ * - ID selectors (e.g. `#unique-id`) * - Attribute selectors (e.g. `[attribute-name]` or `[attribute-name="value"]`) * - Comma-separated selector lists (e.g. `.selector-1, .selector-2`) - * - The following combinators. Only type (element) selectors are allowed in non-final position: - * - descendant (e.g. `el .descendant`) - * - child (`el > .child`) + * - Compound selectors (e.g. `div.class-name#id[attr]`) * * Unsupported selector syntax: * - Pseudo-element selectors (`::before`) diff --git a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php index 180ecba98bacf..e020bbb664d3f 100644 --- a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php @@ -123,7 +123,7 @@ final protected static function parse_hash_token( string $input, int &$offset ): * the is not a part of the selector grammar. That * case is treated as failure to parse and null is returned. * - * @return string|null + * @return string|null The parsed string token value, or null if parsing failed. */ final protected static function parse_string( string $input, int &$offset ): ?string { if ( $offset >= strlen( $input ) ) { @@ -278,7 +278,7 @@ final protected static function consume_escaped_codepoint( $input, &$offset ): s * * https://www.w3.org/TR/css-syntax-3/#consume-name * - * @return string|null + * @return string|null The parsed identifier name, or null if parsing failed. */ final protected static function parse_ident( string $input, int &$offset ): ?string { if ( ! self::check_if_three_code_points_would_start_an_ident_sequence( $input, $offset ) ) { From 57b5128ba1381a15d5c8df6157083b7b14490e74 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 17:19:06 +0200 Subject: [PATCH 143/187] Avoid redundant get_attribute call --- src/wp-includes/html-api/class-wp-css-id-selector.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/class-wp-css-id-selector.php index 1d3b7f1f85d16..e2e47a24d1e6c 100644 --- a/src/wp-includes/html-api/class-wp-css-id-selector.php +++ b/src/wp-includes/html-api/class-wp-css-id-selector.php @@ -48,8 +48,8 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { $case_insensitive = $processor->is_quirks_mode(); return $case_insensitive - ? 0 === strcasecmp( $id, $this->id ) - : $processor->get_attribute( 'id' ) === $this->id; + ? 0 === strcasecmp( $id, $this->id ) + : $id === $this->id; } /** From 5f06f84c2eb45594c5f7147bb28cb5865893a43a Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Tue, 15 Jul 2025 17:34:05 +0200 Subject: [PATCH 144/187] Reformat some documentation --- .../html-api/class-wp-css-selector-parser-matcher.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php index e020bbb664d3f..aa8153ca27f45 100644 --- a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php @@ -316,7 +316,10 @@ final protected static function parse_ident( string $input, int &$offset ): ?str * Checks for two valid escape codepoints. * * > 4.3.8. Check if two code points are a valid escape - * > This section describes how to check if two code points are a valid escape. The algorithm described here can be called explicitly with two code points, or can be called with the input stream itself. In the latter case, the two code points in question are the current input code point and the next input code point, in that order. + * > This section describes how to check if two code points are a valid escape. The algorithm + * > described here can be called explicitly with two code points, or can be called with the + * > input stream itself. In the latter case, the two code points in question are the current + * > input code point and the next input code point, in that order. * > * > Note: This algorithm will not consume any additional code point. * > @@ -328,7 +331,7 @@ final protected static function parse_ident( string $input, int &$offset ): ?str * * https://www.w3.org/TR/css-syntax-3/#starts-with-a-valid-escape * - * @todo this does not check whether the second codepoint is valid. + * @todo The second codepoint is not checked for validity. * * @param string $input The input string. * @param int $offset The byte offset in the string. From e559f6a18a410c75f73ab566412a5c83fce210eb Mon Sep 17 00:00:00 2001 From: Dennis Snell Date: Tue, 15 Jul 2025 13:53:52 -0500 Subject: [PATCH 145/187] Rename files and remove duplicate character --- .../class-wp-css-attribute-selector.php | 0 .../{ => css}/class-wp-css-class-selector.php | 0 .../class-wp-css-complex-selector-list.php | 0 .../class-wp-css-complex-selector.php | 0 .../class-wp-css-compound-selector-list.php | 0 .../class-wp-css-compound-selector.php | 0 .../{ => css}/class-wp-css-id-selector.php | 0 .../class-wp-css-selector-parser-matcher.php | 2 +- .../{ => css}/class-wp-css-type-selector.php | 0 src/wp-settings.php | 18 +++++++++--------- 10 files changed, 10 insertions(+), 10 deletions(-) rename src/wp-includes/html-api/{ => css}/class-wp-css-attribute-selector.php (100%) rename src/wp-includes/html-api/{ => css}/class-wp-css-class-selector.php (100%) rename src/wp-includes/html-api/{ => css}/class-wp-css-complex-selector-list.php (100%) rename src/wp-includes/html-api/{ => css}/class-wp-css-complex-selector.php (100%) rename src/wp-includes/html-api/{ => css}/class-wp-css-compound-selector-list.php (100%) rename src/wp-includes/html-api/{ => css}/class-wp-css-compound-selector.php (100%) rename src/wp-includes/html-api/{ => css}/class-wp-css-id-selector.php (100%) rename src/wp-includes/html-api/{ => css}/class-wp-css-selector-parser-matcher.php (99%) rename src/wp-includes/html-api/{ => css}/class-wp-css-type-selector.php (100%) diff --git a/src/wp-includes/html-api/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php similarity index 100% rename from src/wp-includes/html-api/class-wp-css-attribute-selector.php rename to src/wp-includes/html-api/css/class-wp-css-attribute-selector.php diff --git a/src/wp-includes/html-api/class-wp-css-class-selector.php b/src/wp-includes/html-api/css/class-wp-css-class-selector.php similarity index 100% rename from src/wp-includes/html-api/class-wp-css-class-selector.php rename to src/wp-includes/html-api/css/class-wp-css-class-selector.php diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector-list.php b/src/wp-includes/html-api/css/class-wp-css-complex-selector-list.php similarity index 100% rename from src/wp-includes/html-api/class-wp-css-complex-selector-list.php rename to src/wp-includes/html-api/css/class-wp-css-complex-selector-list.php diff --git a/src/wp-includes/html-api/class-wp-css-complex-selector.php b/src/wp-includes/html-api/css/class-wp-css-complex-selector.php similarity index 100% rename from src/wp-includes/html-api/class-wp-css-complex-selector.php rename to src/wp-includes/html-api/css/class-wp-css-complex-selector.php diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/css/class-wp-css-compound-selector-list.php similarity index 100% rename from src/wp-includes/html-api/class-wp-css-compound-selector-list.php rename to src/wp-includes/html-api/css/class-wp-css-compound-selector-list.php diff --git a/src/wp-includes/html-api/class-wp-css-compound-selector.php b/src/wp-includes/html-api/css/class-wp-css-compound-selector.php similarity index 100% rename from src/wp-includes/html-api/class-wp-css-compound-selector.php rename to src/wp-includes/html-api/css/class-wp-css-compound-selector.php diff --git a/src/wp-includes/html-api/class-wp-css-id-selector.php b/src/wp-includes/html-api/css/class-wp-css-id-selector.php similarity index 100% rename from src/wp-includes/html-api/class-wp-css-id-selector.php rename to src/wp-includes/html-api/css/class-wp-css-id-selector.php diff --git a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php similarity index 99% rename from src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php rename to src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php index aa8153ca27f45..cac314e8b6c27 100644 --- a/src/wp-includes/html-api/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php @@ -482,7 +482,7 @@ final protected static function normalize_selector_input( string $input ): strin * This list includes \f. * A later step would normalize it to a known whitespace character, but it can be trimmed here as well. */ - $input = trim( $input, " \t\r\n\r\f" ); + $input = trim( $input, " \t\r\n\f" ); /* * > The input stream consists of the filtered code points pushed into it as the input byte stream is decoded. diff --git a/src/wp-includes/html-api/class-wp-css-type-selector.php b/src/wp-includes/html-api/css/class-wp-css-type-selector.php similarity index 100% rename from src/wp-includes/html-api/class-wp-css-type-selector.php rename to src/wp-includes/html-api/css/class-wp-css-type-selector.php diff --git a/src/wp-settings.php b/src/wp-settings.php index d4a209893d5cd..9337af05da3ae 100644 --- a/src/wp-settings.php +++ b/src/wp-settings.php @@ -266,15 +266,15 @@ require ABSPATH . WPINC . '/html-api/class-wp-html-stack-event.php'; require ABSPATH . WPINC . '/html-api/class-wp-html-processor-state.php'; require ABSPATH . WPINC . '/html-api/class-wp-html-processor.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-selector-parser-matcher.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-attribute-selector.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-class-selector.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-id-selector.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-type-selector.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-compound-selector.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-complex-selector.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-compound-selector-list.php'; -require ABSPATH . WPINC . '/html-api/class-wp-css-complex-selector-list.php'; +require ABSPATH . WPINC . '/html-api/css/class-wp-css-selector-parser-matcher.php'; +require ABSPATH . WPINC . '/html-api/css/class-wp-css-attribute-selector.php'; +require ABSPATH . WPINC . '/html-api/css/class-wp-css-class-selector.php'; +require ABSPATH . WPINC . '/html-api/css/class-wp-css-id-selector.php'; +require ABSPATH . WPINC . '/html-api/css/class-wp-css-type-selector.php'; +require ABSPATH . WPINC . '/html-api/css/class-wp-css-compound-selector.php'; +require ABSPATH . WPINC . '/html-api/css/class-wp-css-complex-selector.php'; +require ABSPATH . WPINC . '/html-api/css/class-wp-css-compound-selector-list.php'; +require ABSPATH . WPINC . '/html-api/css/class-wp-css-complex-selector-list.php'; require ABSPATH . WPINC . '/class-wp-http.php'; require ABSPATH . WPINC . '/class-wp-http-streams.php'; require ABSPATH . WPINC . '/class-wp-http-curl.php'; From 0a87b201785b6a85420e666aaac6b3b7811ba92d Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 16:58:41 +0200 Subject: [PATCH 146/187] CSS selector: Fix off-by-one rejecting [a=b] at end of selector The length guard before the attribute matcher required 4 remaining bytes where the minimum valid tail `=x]` is 3, so a valid exact-match attribute selector with a single-character unquoted value at the end of the selector string (e.g. `[a=b]`) was wrongly rejected as unparseable. Relax the guard from `>=` to `>`. All reads after the guard are bounded: the operator reads touch at most offset+1, and every later read re-checks the length itself. Adds the exact-fit valid case and invalid cases at the same boundary (`[a=]`, `[a~=]`, `[a==b]`, `[a=1]`) to the parse tests, plus an assertNotNull so parse failures report cleanly instead of erroring on a null property read. Found by the CSS selector fuzzer (tools/css-selector-fuzz, Bug 3 in FINDINGS.md). (cherry picked from commit 16d03e2c5fd49d79f413562d88d7e6e36774618a) --- .../html-api/css/class-wp-css-attribute-selector.php | 2 +- tests/phpunit/tests/html-api/wpCssAttributeSelector.php | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php index a63dfaba66b61..aee6f09a41088 100644 --- a/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php @@ -275,7 +275,7 @@ public static function parse( string $input, int &$offset ) { } // need to match at least `=x]` at this point - if ( $updated_offset + 3 >= strlen( $input ) ) { + if ( $updated_offset + 3 > strlen( $input ) ) { return null; } diff --git a/tests/phpunit/tests/html-api/wpCssAttributeSelector.php b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php index e574cedd1876b..08880a7311acf 100644 --- a/tests/phpunit/tests/html-api/wpCssAttributeSelector.php +++ b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php @@ -31,6 +31,7 @@ public function test_parse_attribute( if ( null === $expected_name ) { $this->assertNull( $result ); } else { + $this->assertNotNull( $result, "Failed to parse attribute selector: {$input}" ); $this->assertSame( $expected_name, $result->name ); $this->assertSame( $expected_matcher, $result->matcher ); $this->assertSame( $expected_value, $result->value ); @@ -53,6 +54,7 @@ public static function data_attribute_selectors(): array { '[href][href2]' => array( '[href][href2]', 'href', null, null, null, '[href2]' ), '[\n href\t\r]' => array( "[\n href\t\r]", 'href', null, null, null, '' ), '[href=foo]' => array( '[href=foo]', 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foo', null, '' ), + '[a=b]' => array( '[a=b]', 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, 'b', null, '' ), '[href \n = bar ]' => array( "[href \n = bar ]", 'href', WP_CSS_Attribute_Selector::MATCH_EXACT, 'bar', null, '' ), '[href \n ^= baz ]' => array( "[href \n ^= baz ]", 'href', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'baz', null, '' ), @@ -79,6 +81,10 @@ public static function data_attribute_selectors(): array { 'Invalid: [*| att]' => array( '[*| att]' ), 'Invalid: [att * =]' => array( '[att * =]' ), 'Invalid: [att+=val]' => array( '[att+=val]' ), + 'Invalid: [a=]' => array( '[a=]' ), + 'Invalid: [a~=]' => array( '[a~=]' ), + 'Invalid: [a==b]' => array( '[a==b]' ), + 'Invalid: [a=1]' => array( '[a=1]' ), 'Invalid: [att=val ' => array( '[att=val ' ), 'Invalid: [att i]' => array( '[att i]' ), 'Invalid: [att s]' => array( '[att s]' ), From 989e18da8a9ed5bdd829e66f41ec63f086bf0aca Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 17:11:19 +0200 Subject: [PATCH 147/187] CSS selector: Empty-operand substring attribute matchers match nothing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per Selectors level 4, the substring attribute matchers with an empty value — [x^=""], [x$=""], [x*=""] — represent nothing and must never match. The matcher instead matched any element carrying the attribute (prefix and contains) or an element whose attribute value was exactly empty (suffix). Add an early return for the empty operand on those three matchers, before the case modifier and boolean-attribute normalization so [x^="" i] and valueless attributes are covered too. [x=""], [x|=""], and [x~=""] are unaffected and remain spec-correct: exact and hyphen matchers may match an empty value, and the one-of matcher already matched nothing because a whitespace-delimited list never yields an empty item. Tests pin all of these, including |= against a hyphen-prefixed value. https://www.w3.org/TR/selectors-4/#attribute-substrings Found by the CSS selector fuzzer (tools/css-selector-fuzz, Bug 2 in FINDINGS.md). (cherry picked from commit 0cefeb2fc8fd6b255498c6dc0438b7334698b975) --- .../css/class-wp-css-attribute-selector.php | 18 ++++++++++++++++++ .../tests/html-api/wpHtmlProcessor-select.php | 10 ++++++++++ 2 files changed, 28 insertions(+) diff --git a/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php index aee6f09a41088..8b631966bb579 100644 --- a/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php @@ -163,6 +163,24 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { return true; } + /* + * The substring matchers match nothing when the value is empty: + * + * > If "val" is the empty string then the selector does not represent anything. + * + * https://www.w3.org/TR/selectors-4/#attribute-substrings + */ + if ( + '' === $this->value && + ( + self::MATCH_PREFIXED_BY === $this->matcher || + self::MATCH_SUFFIXED_BY === $this->matcher || + self::MATCH_CONTAINS === $this->matcher + ) + ) { + return false; + } + if ( true === $attr_value ) { $attr_value = ''; } diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index 003e65e69ebce..0fb5788efce7f 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -53,6 +53,16 @@ public static function data_selectors(): array { 'any child matches all children' => array( '

', 'section > *', 2 ), 'multiple complex selectors' => array( '

', 'section > div p > i', 1 ), + + // Per Selectors-4, the substring matchers ^= $= *= match nothing when the value + // is empty. ~= also matches nothing: an empty string is never a list item. + 'empty value ^= matches nothing' => array( '', '[x^=""]', 0 ), + 'empty value $= matches nothing' => array( '', '[x$=""]', 0 ), + 'empty value *= matches nothing' => array( '', '[x*=""]', 0 ), + 'empty value ~= matches nothing' => array( '', '[x~=""]', 0 ), + 'empty value ^= i matches nothing' => array( '', '[x^="" i]', 0 ), + 'empty value = matches empty' => array( '', '[x=""]', 1 ), + 'empty value |= matches empty or hyphen-prefixed' => array( '', '[x|=""]', 2 ), ); } From 5ac71eeb3fc0ce524d6ed481d7840191397337d1 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 10:43:31 +0200 Subject: [PATCH 148/187] CSS selector: Align test data provider arrows per WPCS phpcbf reports 40 WordPress.Arrays.MultipleStatementAlignment warnings in this file's data providers, and the coding-standards workflow runs phpcs over the test suite without -n, so warnings fail CI. Pure whitespace; no test changes. (cherry picked from commit 3db43eaef2107421f156e6ac2a29478fe6e4b2fd) --- .../html-api/wpCssSelectorParserMatcher.php | 84 +++++++++---------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php index 4f3c1f73390fe..37f26ec8f3b92 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -54,38 +54,38 @@ public static function test_is_ident_start_codepoint( string $input, int $offset */ public static function data_idents(): array { return array( - 'trailing #' => array( '_-foo123#xyz', '_-foo123', '#xyz' ), - 'trailing .' => array( '😍foo123.xyz', '😍foo123', '.xyz' ), - 'trailing " "' => array( '😍foo123 more', '😍foo123', ' more' ), - 'escaped ASCII character' => array( '\\xyz', 'xyz', '' ), - 'escape after multibyte character' => array( 'Ü\\sup', 'Üsup', '' ), - 'escape after multibyte characters' => array( 'ÜÜ\\sup', 'ÜÜsup', '' ), + 'trailing #' => array( '_-foo123#xyz', '_-foo123', '#xyz' ), + 'trailing .' => array( '😍foo123.xyz', '😍foo123', '.xyz' ), + 'trailing " "' => array( '😍foo123 more', '😍foo123', ' more' ), + 'escaped ASCII character' => array( '\\xyz', 'xyz', '' ), + 'escape after multibyte character' => array( 'Ü\\sup', 'Üsup', '' ), + 'escape after multibyte characters' => array( 'ÜÜ\\sup', 'ÜÜsup', '' ), 'hex escape after multibyte character' => array( 'Ü\\31 23', 'Ü123', '' ), - 'escaped space' => array( '\\ x', ' x', '' ), - 'escaped emoji' => array( '\\😍', '😍', '' ), - 'hex unicode codepoint' => array( '\\1f0a1', '🂡', '' ), - 'HEX UNICODE CODEPOINT' => array( '\\1D4B2', '𝒲', '' ), - - 'hex tab-suffixed 1' => array( "\\31\t23", '123', '' ), - 'hex newline-suffixed 1' => array( "\\31\n23", '123', '' ), - 'hex space-suffixed 1' => array( "\\31 23", '123', '' ), - 'hex tab' => array( '\\9', "\t", '' ), - 'hex a' => array( '\\61 bc', 'abc', '' ), - 'hex a max escape length' => array( '\\000061bc', 'abc', '' ), - - 'out of range replacement min' => array( '\\110000 ', "\u{fffd}", '' ), - 'out of range replacement max' => array( '\\ffffff ', "\u{fffd}", '' ), - 'leading surrogate min replacement' => array( '\\d800 ', "\u{fffd}", '' ), - 'leading surrogate max replacement' => array( '\\dbff ', "\u{fffd}", '' ), - 'trailing surrogate min replacement' => array( '\\dc00 ', "\u{fffd}", '' ), - 'trailing surrogate max replacement' => array( '\\dfff ', "\u{fffd}", '' ), - 'can start with -ident' => array( '-ident', '-ident', '' ), - 'can start with --anything' => array( '--anything', '--anything', '' ), - 'can start with ---anything' => array( '--_anything', '--_anything', '' ), - 'can start with --1anything' => array( '--1anything', '--1anything', '' ), - 'can start with -\31 23' => array( '-\31 23', '-123', '' ), - 'can start with --\31 23' => array( '--\31 23', '--123', '' ), - 'ident ends before ]' => array( 'ident]', 'ident', ']' ), + 'escaped space' => array( '\\ x', ' x', '' ), + 'escaped emoji' => array( '\\😍', '😍', '' ), + 'hex unicode codepoint' => array( '\\1f0a1', '🂡', '' ), + 'HEX UNICODE CODEPOINT' => array( '\\1D4B2', '𝒲', '' ), + + 'hex tab-suffixed 1' => array( "\\31\t23", '123', '' ), + 'hex newline-suffixed 1' => array( "\\31\n23", '123', '' ), + 'hex space-suffixed 1' => array( "\\31 23", '123', '' ), + 'hex tab' => array( '\\9', "\t", '' ), + 'hex a' => array( '\\61 bc', 'abc', '' ), + 'hex a max escape length' => array( '\\000061bc', 'abc', '' ), + + 'out of range replacement min' => array( '\\110000 ', "\u{fffd}", '' ), + 'out of range replacement max' => array( '\\ffffff ', "\u{fffd}", '' ), + 'leading surrogate min replacement' => array( '\\d800 ', "\u{fffd}", '' ), + 'leading surrogate max replacement' => array( '\\dbff ', "\u{fffd}", '' ), + 'trailing surrogate min replacement' => array( '\\dc00 ', "\u{fffd}", '' ), + 'trailing surrogate max replacement' => array( '\\dfff ', "\u{fffd}", '' ), + 'can start with -ident' => array( '-ident', '-ident', '' ), + 'can start with --anything' => array( '--anything', '--anything', '' ), + 'can start with ---anything' => array( '--_anything', '--_anything', '' ), + 'can start with --1anything' => array( '--1anything', '--1anything', '' ), + 'can start with -\31 23' => array( '-\31 23', '-123', '' ), + 'can start with --\31 23' => array( '--\31 23', '--123', '' ), + 'ident ends before ]' => array( 'ident]', 'ident', ']' ), /* * > EOF @@ -93,19 +93,19 @@ public static function data_idents(): array { * * https://www.w3.org/TR/css-syntax-3/#consume-escaped-code-point */ - 'escape at EOF' => array( 'foo\\', "foo\u{fffd}", '' ), - 'lone escape at EOF' => array( '\\', "\u{fffd}", '' ), - 'hyphen then escape at EOF' => array( '-\\', "-\u{fffd}", '' ), + 'escape at EOF' => array( 'foo\\', "foo\u{fffd}", '' ), + 'lone escape at EOF' => array( '\\', "\u{fffd}", '' ), + 'hyphen then escape at EOF' => array( '-\\', "-\u{fffd}", '' ), // Invalid - 'Invalid: (empty string)' => array( '' ), - 'Invalid: bad start >' => array( '>ident' ), - 'Invalid: bad start [' => array( '[ident' ), - 'Invalid: bad start #' => array( '#ident' ), - 'Invalid: bad start " "' => array( ' ident' ), - 'Invalid: bad start 1' => array( '1ident' ), - 'Invalid: bad start -1' => array( '-1ident' ), - 'Invalid: bad start -' => array( '-' ), + 'Invalid: (empty string)' => array( '' ), + 'Invalid: bad start >' => array( '>ident' ), + 'Invalid: bad start [' => array( '[ident' ), + 'Invalid: bad start #' => array( '#ident' ), + 'Invalid: bad start " "' => array( ' ident' ), + 'Invalid: bad start 1' => array( '1ident' ), + 'Invalid: bad start -1' => array( '-1ident' ), + 'Invalid: bad start -' => array( '-' ), ); } From aed6cfb4aaddb874c26c30fdf53d568a98d8c17c Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 17:26:10 +0200 Subject: [PATCH 149/187] CSS selector: Decode identity escapes at the byte offset, not char index MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit consume_escaped_codepoint() read the escaped codepoint for non-hex (identity) escapes with mb_substr( $input, $offset, 1 ), but $offset is a byte offset while mb_substr()'s second argument is a character index. Any multibyte content earlier in the selector string shifts the read one character right per continuation byte, decoding the wrong codepoint: 'Ü\sup' parsed as ident 'Üuup', and the corruption threads across an entire selector list ('#ÜÜÜ,\sup #x' parsed the second selector's type as ' up'). Depending on the mis-decoded codepoint this also caused spurious parse failures of valid selectors. Hex escapes were already byte-correct and are unaffected. Read the codepoint from the byte offset instead. ASCII-only inputs are byte-for-byte unchanged, and the returned codepoint's byte length keeps the offset advancing exactly past it. Adds parse_ident and parse_string cases pinning identity escapes after multibyte characters, plus a hex-escape control. Found by the CSS selector fuzzer (tools/css-selector-fuzz, Bug 1 in FINDINGS.md). (cherry picked from commit 7419a9fef6c6c23d14b8ae9c04ae1c91834824b0) --- .../html-api/css/class-wp-css-selector-parser-matcher.php | 3 ++- tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php index cac314e8b6c27..dc8aa8d018446 100644 --- a/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php @@ -250,7 +250,8 @@ final protected static function consume_escaped_codepoint( $input, &$offset ): s return $codepoint_char; } - $codepoint_char = mb_substr( $input, $offset, 1, 'UTF-8' ); + // $offset is a byte offset; mb_substr() expects a character offset. + $codepoint_char = mb_substr( substr( $input, $offset ), 0, 1, 'UTF-8' ); $offset += strlen( $codepoint_char ); return $codepoint_char; } diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php index 29372172da2b1..ffa02b17b7f0d 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -58,6 +58,9 @@ public static function data_idents(): array { 'trailing .' => array( '😍foo123.xyz', '😍foo123', '.xyz' ), 'trailing " "' => array( '😍foo123 more', '😍foo123', ' more' ), 'escaped ASCII character' => array( '\\xyz', 'xyz', '' ), + 'escape after multibyte character' => array( 'Ü\\sup', 'Üsup', '' ), + 'escape after multibyte characters' => array( 'ÜÜ\\sup', 'ÜÜsup', '' ), + 'hex escape after multibyte character' => array( 'Ü\\31 23', 'Ü123', '' ), 'escaped space' => array( '\\ x', ' x', '' ), 'escaped emoji' => array( '\\😍', '😍', '' ), 'hex unicode codepoint' => array( '\\1f0a1', '🂡', '' ), @@ -158,6 +161,7 @@ public static function data_strings(): array { "'foo\\nbar'" => array( "'foo\\\nbar'", 'foobar', '' ), "'foo\\31 23'" => array( "'foo\\31 23'", 'foo123', '' ), + "'Ü\\sup'" => array( "'Ü\\sup'", 'Üsup', '' ), "'foo\\31\\n23'" => array( "'foo\\31\n23'", 'foo123', '' ), "'foo\\31\\t23'" => array( "'foo\\31\t23'", 'foo123', '' ), "'foo\\00003123'" => array( "'foo\\00003123'", 'foo123', '' ), From e0356cad899bd09610827c125d4815a9dc02697b Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 22:38:35 +0200 Subject: [PATCH 150/187] CSS selector: Backslash at end of input is a valid escape (U+FFFD) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per CSS Syntax 3, a backslash followed by EOF is a valid escape in ident context -- §4.3.8 rejects only a newline as the second code point, and EOF is not a newline -- and consuming it returns U+FFFD REPLACEMENT CHARACTER (§4.3.7). WP rejected the whole selector: next_two_are_valid_escape() required a code point after the backslash, so '.foo\' parsed to null instead of the class "foo\u{FFFD}". Fix: consume_escaped_codepoint() returns U+FFFD at EOF without advancing, and next_two_are_valid_escape() accepts a backslash as the final byte. String context is unaffected: parse_string() guards EOF itself before consuming an escape, preserving the §4.3.5 'do nothing' EOF rule ('foo\ still parses to foo). Review of the fix surfaced a second bug in the same family: normalize_selector_input() trimmed *trailing* whitespace before tokenizing, so '.foo\ ' (escaped space: the valid, unmatchable class 'foo ') and ".foo\\n" (invalid escape: must be rejected) both collapsed to '.foo\' and matched elements with class "foo\u{FFFD}" -- a wrong-match-set bug, where before the EOF-escape fix the collapse was a harmless fail-safe rejection. Now only leading whitespace is stripped; the grammar already consumes insignificant trailing whitespace via parse_whitespace() in both selector-list parsers. Verified against lexbor: '.foo\' matches class "foo\u{FFFD}", lone '\' parses as type U+FFFD and matches nothing, '.foo\ ' is valid and matches nothing, and the LF/CR/FF escape variants are rejected -- exact agreement on all probes. (NEXT-STEPS.md 'candidate finding 4', now confirmed and closed.) (cherry picked from commit 203858bbd470a2b7a8eeaf7f7579d85eeced3264) --- .../class-wp-css-selector-parser-matcher.php | 29 ++++++++++++++++--- .../tests/html-api/wpCssClassSelector.php | 1 + .../html-api/wpCssCompoundSelectorList.php | 23 +++++++++++++++ .../tests/html-api/wpCssIdSelector.php | 1 + .../html-api/wpCssSelectorParserMatcher.php | 10 +++++++ .../tests/html-api/wpCssTypeSelector.php | 1 + .../html-api/wpHtmlTagProcessor-select.php | 20 +++++++++++++ 7 files changed, 81 insertions(+), 4 deletions(-) diff --git a/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php index dc8aa8d018446..23d14d01c673b 100644 --- a/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php @@ -209,6 +209,14 @@ final protected static function parse_string( string $input, int &$offset ): ?st * @return string */ final protected static function consume_escaped_codepoint( $input, &$offset ): string { + /* + * > EOF + * > This is a parse error. Return U+FFFD REPLACEMENT CHARACTER (�). + */ + if ( $offset >= strlen( $input ) ) { + return "\u{FFFD}"; + } + $hex_length = strspn( $input, '0123456789abcdefABCDEF', $offset, 6 ); if ( $hex_length > 0 ) { /** @@ -339,10 +347,17 @@ final protected static function parse_ident( string $input, int &$offset ): ?str * @return bool True if the next two codepoints are a valid escape, otherwise false. */ final protected static function next_two_are_valid_escape( string $input, int $offset ): bool { - if ( $offset + 1 >= strlen( $input ) ) { + if ( $offset >= strlen( $input ) ) { return false; } - return '\\' === $input[ $offset ] && "\n" !== $input[ $offset + 1 ]; + + /* + * The second code point may be EOF. EOF is not a newline, so a + * backslash at the end of input is a valid escape; consuming it + * produces U+FFFD REPLACEMENT CHARACTER. + */ + return '\\' === $input[ $offset ] && + ( $offset + 1 >= strlen( $input ) || "\n" !== $input[ $offset + 1 ] ); } /** @@ -481,9 +496,15 @@ final protected static function normalize_selector_input( string $input ): strin * > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace… * * This list includes \f. - * A later step would normalize it to a known whitespace character, but it can be trimmed here as well. + * + * Only leading whitespace is removed here. Trailing whitespace may be + * significant: a backslash may escape a final whitespace code point + * into an ident (`.foo\ ` is the class `foo `), and a backslash + * before a final newline is an invalid escape, while a backslash at + * the end of input is a valid escape that decodes to U+FFFD. The + * selector grammar consumes insignificant trailing whitespace itself. */ - $input = trim( $input, " \t\r\n\f" ); + $input = ltrim( $input, " \t\r\n\f" ); /* * > The input stream consists of the filtered code points pushed into it as the input byte stream is decoded. diff --git a/tests/phpunit/tests/html-api/wpCssClassSelector.php b/tests/phpunit/tests/html-api/wpCssClassSelector.php index 9646d05da23d5..3328b047fa143 100644 --- a/tests/phpunit/tests/html-api/wpCssClassSelector.php +++ b/tests/phpunit/tests/html-api/wpCssClassSelector.php @@ -40,6 +40,7 @@ public static function data_class_selectors(): array { 'valid .foo.bar' => array( '.foo.bar', 'foo', '.bar' ), 'escaped .\31 23' => array( '.\\31 23', '123', '' ), 'with descendant .\31 23 div' => array( '.\\31 23 div', '123', ' div' ), + 'escape at EOF .foo\\' => array( '.foo\\', "foo\u{fffd}", '' ), 'not class foo' => array( 'foo' ), 'not class #bar' => array( '#bar' ), diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index 8f1d3dfb88a45..c71aa09596d8f 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -40,6 +40,29 @@ public function test_parse_invalid_selector_list2() { $this->assertNull( $result ); } + /** + * An escaped whitespace code point at the end of input belongs to the + * ident and must survive input normalization: `.foo\ ` is the valid + * class `foo ` (with a space), not a backslash at the end of input. + * + * @ticket 62653 + */ + public function test_parse_escaped_whitespace_at_end_of_input() { + $result = WP_CSS_Compound_Selector_List::from_selectors( '.foo\\ ' ); + $this->assertNotNull( $result ); + } + + /** + * A backslash before a newline is not a valid escape; at the end of + * input it must not be mistaken for trimmable trailing whitespace. + * + * @ticket 62653 + */ + public function test_parse_escape_before_newline_at_end_of_input_is_invalid() { + $result = WP_CSS_Compound_Selector_List::from_selectors( ".foo\\\n" ); + $this->assertNull( $result ); + } + /** * @ticket 62653 */ diff --git a/tests/phpunit/tests/html-api/wpCssIdSelector.php b/tests/phpunit/tests/html-api/wpCssIdSelector.php index 6dc2e5461ea03..03694fa4456e5 100644 --- a/tests/phpunit/tests/html-api/wpCssIdSelector.php +++ b/tests/phpunit/tests/html-api/wpCssIdSelector.php @@ -40,6 +40,7 @@ public static function data_id_selectors(): array { 'valid #foo#bar' => array( '#foo#bar', 'foo', '#bar' ), 'escaped #\31 23' => array( '#\\31 23', '123', '' ), 'with descendant #\31 23 div' => array( '#\\31 23 div', '123', ' div' ), + 'escape at EOF #foo\\' => array( '#foo\\', "foo\u{fffd}", '' ), // Invalid 'not ID foo' => array( 'foo' ), diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php index ffa02b17b7f0d..4f3c1f73390fe 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -87,6 +87,16 @@ public static function data_idents(): array { 'can start with --\31 23' => array( '--\31 23', '--123', '' ), 'ident ends before ]' => array( 'ident]', 'ident', ']' ), + /* + * > EOF + * > This is a parse error. Return U+FFFD REPLACEMENT CHARACTER (�). + * + * https://www.w3.org/TR/css-syntax-3/#consume-escaped-code-point + */ + 'escape at EOF' => array( 'foo\\', "foo\u{fffd}", '' ), + 'lone escape at EOF' => array( '\\', "\u{fffd}", '' ), + 'hyphen then escape at EOF' => array( '-\\', "-\u{fffd}", '' ), + // Invalid 'Invalid: (empty string)' => array( '' ), 'Invalid: bad start >' => array( '>ident' ), diff --git a/tests/phpunit/tests/html-api/wpCssTypeSelector.php b/tests/phpunit/tests/html-api/wpCssTypeSelector.php index 23d5f5517453a..94ae49bff474a 100644 --- a/tests/phpunit/tests/html-api/wpCssTypeSelector.php +++ b/tests/phpunit/tests/html-api/wpCssTypeSelector.php @@ -40,6 +40,7 @@ public static function data_type_selectors(): array { 'a' => array( 'a', 'a', '' ), 'div.class' => array( 'div.class', 'div', '.class' ), 'custom-type#id' => array( 'custom-type#id', 'custom-type', '#id' ), + 'escape at EOF foo\\' => array( 'foo\\', "foo\u{fffd}", '' ), // Invalid 'Invalid: (empty string)' => array( '' ), diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index 1d09c61b4760d..a2cc231150b09 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -75,6 +75,16 @@ public static function data_selectors(): array { 'attribute contains insensitive' => array( '

', '[att*="x"i]', 1 ), 'attribute contains sensitive mod' => array( '

', '[att*="x"s]', 1 ), + /* + * An escaped trailing whitespace code point is part of the ident, + * not trailing whitespace: `.foo\ ` is the class `foo ` (with a + * space). Class attribute values are whitespace-separated token + * lists, so such a class can never match. It must NOT be confused + * with a backslash at the end of input, which decodes to U+FFFD. + */ + 'escaped space at end' => array( "

", '.foo\\ ', 0 ), + 'escaped tab at end' => array( "
", ".foo\\\t", 0 ), + 'list' => array( '

', 'a, p, .class, #id, [att]', 2 ), 'compound' => array( '

', 'custom-el[att="bar"][ fruit ~= "banana" i]', 1 ), ); @@ -102,6 +112,16 @@ public static function data_invalid_selectors(): array { 'complex descendant' => array( 'div *' ), 'complex child' => array( 'div > *' ), 'invalid selector' => array( '[invalid!selector]' ), + + /* + * A backslash before a newline at the end of input is not a valid + * escape and is not trailing whitespace: the selector is invalid. + * The CR and FF variants are normalized to a newline before + * tokenizing. + */ + 'escape before newline at end' => array( ".foo\\\n" ), + 'escape before CR at end' => array( ".foo\\\r" ), + 'escape before FF at end' => array( ".foo\\\f" ), ); } } From 481e5a4e857d44b13961aa35984b3fc926fb95a4 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 23:02:16 +0200 Subject: [PATCH 151/187] CSS selector: End of input auto-closes an open attribute selector MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per CSS Syntax 3 §5.4.8/§4.3.5, tokenization auto-closes unterminated simple blocks and unterminated strings at EOF (a parse error, but the block/string is returned), and the selector grammar then applies to the block contents. So '[att=val' is the same selector as '[att=val]', and '[att="a b' carries the string value 'a b'. WP rejected all of these with null. The attribute parser now treats the end of input like a closing ']' at the two positions where the grammar is complete (after the name, and after the value/modifier), and the early length guards that required room for a closing bracket are relaxed accordingly. Truncation inside the grammar itself is still invalid: '[', '[a=', '[a~', '[a=b x', and a comma inside the open block ('[a=b, div') all stay null. Escape interplay (verified per spec and in Chromium): '[a=b\' carries the value "b\u{FFFD}" (escape at EOF in ident context), while '[a="b\' carries 'b' (backslash-then-EOF in a string 'does nothing'). '[a\]' parses as a presence selector for the attribute 'a]' (the escaped ']' joins the ident and EOF closes the block). Chromium agrees with every accepted and rejected form above. lexbor rejects all EOF-truncated forms (it does not implement the auto-close rule) and diverges from browsers and the spec here; the fuzzer's lexbor differential is unaffected because it compares canonical re-renders, which always include the closing bracket. (cherry picked from commit 5eea359bd5da8d0f8bc01a510237eec4177a5c1e) --- .../css/class-wp-css-attribute-selector.php | 64 ++++++++++--------- .../tests/html-api/wpCssAttributeSelector.php | 33 +++++++++- .../html-api/wpHtmlTagProcessor-select.php | 18 ++++++ 3 files changed, 83 insertions(+), 32 deletions(-) diff --git a/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php index 8b631966bb579..8fd3b5b3cbd35 100644 --- a/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php @@ -258,14 +258,21 @@ private function whitespace_delimited_list( string $input ): Generator { * * To create an instance of this class, use the {@see WP_CSS_Compound_Selector_List::from_selectors()} method. * + * The end of input acts like a closing `]`: tokenization auto-closes + * unterminated simple blocks (and unterminated strings) at EOF, so + * `[att=val` is the same selector as `[att=val]`. Truncation inside the + * selector grammar itself (e.g. `[` or `[att=`) is still invalid. + * + * https://www.w3.org/TR/css-syntax-3/#consume-simple-block + * * @param string $input The selector string. * @param int $offset The offset into the string. The offset is passed by reference and * will be updated if the parse is successful. * @return static|null The selector instance, or null if the parse was unsuccessful. */ public static function parse( string $input, int &$offset ) { - // Need at least 3 bytes [x] - if ( $offset + 2 >= strlen( $input ) ) { + // Need at least 2 bytes `[x`; the closing `]` may be supplied by the end of input. + if ( $offset + 1 >= strlen( $input ) ) { return null; } @@ -283,8 +290,10 @@ public static function parse( string $input, int &$offset ) { } self::parse_whitespace( $input, $updated_offset ); + // The end of input auto-closes the attribute selector. if ( $updated_offset >= strlen( $input ) ) { - return null; + $offset = $updated_offset; + return new WP_CSS_Attribute_Selector( $attr_name ); } if ( ']' === $input[ $updated_offset ] ) { @@ -292,15 +301,10 @@ public static function parse( string $input, int &$offset ) { return new WP_CSS_Attribute_Selector( $attr_name ); } - // need to match at least `=x]` at this point - if ( $updated_offset + 3 > strlen( $input ) ) { - return null; - } - if ( '=' === $input[ $updated_offset ] ) { ++$updated_offset; $attr_matcher = WP_CSS_Attribute_Selector::MATCH_EXACT; - } elseif ( '=' === $input[ $updated_offset + 1 ] ) { + } elseif ( $updated_offset + 1 < strlen( $input ) && '=' === $input[ $updated_offset + 1 ] ) { switch ( $input[ $updated_offset ] ) { case '~': $attr_matcher = WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT; @@ -339,32 +343,34 @@ public static function parse( string $input, int &$offset ) { } self::parse_whitespace( $input, $updated_offset ); - if ( $updated_offset >= strlen( $input ) ) { - return null; - } $attr_modifier = null; - switch ( $input[ $updated_offset ] ) { - case 'i': - case 'I': - $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE; - ++$updated_offset; - break; - - case 's': - case 'S': - $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE; - ++$updated_offset; - break; - } + if ( $updated_offset < strlen( $input ) ) { + switch ( $input[ $updated_offset ] ) { + case 'i': + case 'I': + $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE; + ++$updated_offset; + break; + + case 's': + case 'S': + $attr_modifier = WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE; + ++$updated_offset; + break; + } - if ( null !== $attr_modifier ) { - self::parse_whitespace( $input, $updated_offset ); - if ( $updated_offset >= strlen( $input ) ) { - return null; + if ( null !== $attr_modifier ) { + self::parse_whitespace( $input, $updated_offset ); } } + // The end of input auto-closes the attribute selector. + if ( $updated_offset >= strlen( $input ) ) { + $offset = $updated_offset; + return new self( $attr_name, $attr_matcher, $attr_val, $attr_modifier ); + } + if ( ']' === $input[ $updated_offset ] ) { $offset = $updated_offset + 1; return new self( $attr_name, $attr_matcher, $attr_val, $attr_modifier ); diff --git a/tests/phpunit/tests/html-api/wpCssAttributeSelector.php b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php index 08880a7311acf..99051f2cc971c 100644 --- a/tests/phpunit/tests/html-api/wpCssAttributeSelector.php +++ b/tests/phpunit/tests/html-api/wpCssAttributeSelector.php @@ -70,10 +70,36 @@ public static function data_attribute_selectors(): array { '[escape-nl="foo\\nbar"]' => array( "[escape-nl='foo\\\nbar']", 'escape-nl', WP_CSS_Attribute_Selector::MATCH_EXACT, 'foobar', null, '' ), '[escape-seq="\\31 23"]' => array( "[escape-seq='\\31 23']", 'escape-seq', WP_CSS_Attribute_Selector::MATCH_EXACT, '123', null, '' ), + /* + * The end of input closes an open attribute selector: tokenization + * auto-closes unterminated simple blocks (and strings) at EOF. + * + * https://www.w3.org/TR/css-syntax-3/#consume-simple-block + */ + 'EOF [foo' => array( '[foo', 'foo', null, null, null, '' ), + 'EOF [ \n foo' => array( "[ \n foo", 'foo', null, null, null, '' ), + 'EOF [foo ' => array( '[foo ', 'foo', null, null, null, '' ), + 'EOF [a=b' => array( '[a=b', 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, 'b', null, '' ), + 'EOF [att=val ' => array( '[att=val ', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', null, '' ), + 'EOF [a="b' => array( '[a="b', 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, 'b', null, '' ), + "EOF [a='b" => array( "[a='b", 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, 'b', null, '' ), + 'EOF [a="b\\' => array( '[a="b\\', 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, 'b', null, '' ), + 'EOF [a=b\\' => array( '[a=b\\', 'a', WP_CSS_Attribute_Selector::MATCH_EXACT, "b\u{FFFD}", null, '' ), + 'EOF [a^=b' => array( '[a^=b', 'a', WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, 'b', null, '' ), + 'EOF [att=val i' => array( '[att=val i', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + 'EOF [att=val i ' => array( '[att=val i ', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, '' ), + 'EOF [att="val"s' => array( '[att="val"s', 'att', WP_CSS_Attribute_Selector::MATCH_EXACT, 'val', WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, '' ), + // Invalid 'Invalid: (empty string)' => array( '' ), 'Invalid: foo' => array( 'foo' ), - 'Invalid: [foo' => array( '[foo' ), + 'Invalid: [' => array( '[' ), + 'Invalid: [ ' => array( '[ ' ), + 'Invalid: [a=' => array( '[a=' ), + 'Invalid: [a= ' => array( '[a= ' ), + 'Invalid: [a~' => array( '[a~' ), + 'Invalid: [a=b x' => array( '[a=b x' ), + 'Invalid: [a i' => array( '[a i' ), 'Invalid: [#foo]' => array( '[#foo]' ), 'Invalid: [*|*]' => array( '[*|*]' ), 'Invalid: [ns|*]' => array( '[ns|*]' ), @@ -85,12 +111,13 @@ public static function data_attribute_selectors(): array { 'Invalid: [a~=]' => array( '[a~=]' ), 'Invalid: [a==b]' => array( '[a==b]' ), 'Invalid: [a=1]' => array( '[a=1]' ), - 'Invalid: [att=val ' => array( '[att=val ' ), + 'Invalid: [a=1' => array( '[a=1' ), 'Invalid: [att i]' => array( '[att i]' ), 'Invalid: [att s]' => array( '[att s]' ), "Invalid: [att='val\\n']" => array( "[att='val\n']" ), - 'Invalid: [att=val i ' => array( '[att=val i ' ), + "Invalid: [att='val\\n" => array( "[att='val\n" ), 'Invalid: [att="val"ix' => array( '[att="val"ix' ), + 'Invalid: [att="val"ix ' => array( '[att="val"ix ' ), ); } } diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index a2cc231150b09..d09a6e350256d 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -85,6 +85,16 @@ public static function data_selectors(): array { 'escaped space at end' => array( "
", '.foo\\ ', 0 ), 'escaped tab at end' => array( "
", ".foo\\\t", 0 ), + /* + * The end of input closes an open attribute selector ( and an + * unterminated string ): tokenization auto-closes simple blocks + * at EOF. + */ + 'EOF-truncated attribute presence' => array( '
', '[att', 1 ), + 'EOF-truncated attribute value' => array( '
', '[att=val', 1 ), + 'EOF-truncated quoted value' => array( '
', '[att="a b', 1 ), + 'EOF-truncated with modifier' => array( '
', '[att=val i', 1 ), + 'list' => array( '

', 'a, p, .class, #id, [att]', 2 ), 'compound' => array( '

', 'custom-el[att="bar"][ fruit ~= "banana" i]', 1 ), ); @@ -122,6 +132,14 @@ public static function data_invalid_selectors(): array { 'escape before newline at end' => array( ".foo\\\n" ), 'escape before CR at end' => array( ".foo\\\r" ), 'escape before FF at end' => array( ".foo\\\f" ), + + /* + * EOF auto-closes an open attribute selector block, but + * grammar-level truncation is still invalid. + */ + 'truncated matcher without value' => array( '[a=' ), + 'truncated half matcher' => array( '[a~' ), + 'lone open bracket' => array( '[' ), ); } } From 8bf3e522df5e8879525d5adf1d6ff4ef686b2990 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 23:54:25 +0200 Subject: [PATCH 152/187] CSS selector: Implement HTML's case-insensitive attribute value list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit HTML defines 46 attributes (type, rel, lang, dir, media, hreflang, http-equiv, ...) whose values must match ASCII case-insensitively in attribute selectors on an HTML element when the selector carries no i/s modifier: https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors WP honored only the explicit modifiers, so [type=TEXT] silently failed to match — a wrong match set rather than a refusal, invisible to callers. The matcher now folds case when all three hold: no modifier on the selector, the element is in the html namespace (per the processor's get_namespace()), and the lowercased attribute name is in the list. An explicit s modifier still forces case-sensitive matching, per Selectors 4 §6.3: 'the UA must match the value case-sensitively ... regardless of document language rules.' All six matchers and |='s hyphen check honor the rule via the existing case-insensitive comparison branches. Namespace scoping follows the spec's 'on an HTML element' wording: SVG/MathML elements keep case-sensitive matching, while elements at HTML integration points (e.g. inside ) fold, since they are html-namespace. Verified in Chromium, which agrees on the integration point but also folds plain SVG-namespace elements, diverging from the spec's scoping; WP follows the spec. The standalone Tag Processor tracks no namespaces and folds everywhere — the same class of approximation as its ancestor-blind matching. The review panel machine-diffed both list constants against the live spec (exact, in spec order). (cherry picked from commit 40640d173ec680a05cf06bd9829273ab2a8805ae) --- .../css/class-wp-css-attribute-selector.php | 71 ++++++++++++++++++- .../tests/html-api/wpHtmlProcessor-select.php | 11 +++ .../html-api/wpHtmlTagProcessor-select.php | 17 +++++ 3 files changed, 98 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php index 8fd3b5b3cbd35..134e68104811f 100644 --- a/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php +++ b/src/wp-includes/html-api/css/class-wp-css-attribute-selector.php @@ -90,6 +90,66 @@ final class WP_CSS_Attribute_Selector extends WP_CSS_Selector_Parser_Matcher { */ const MODIFIER_CASE_INSENSITIVE = 'case-insensitive'; + /** + * The attributes whose values HTML defines as ASCII case-insensitive + * for attribute selectors on an HTML element, when the selector has no + * `i`/`s` modifier. An explicit `s` modifier forces case-sensitive + * matching even for these attributes; elements in other namespaces + * (SVG, MathML) are unaffected. + * + * The names are stored as array keys for constant-time lookup. + * + * @see https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors + */ + const HTML_CASE_INSENSITIVE_ATTRIBUTE_VALUES = array( + 'accept' => true, + 'accept-charset' => true, + 'align' => true, + 'alink' => true, + 'axis' => true, + 'bgcolor' => true, + 'charset' => true, + 'checked' => true, + 'clear' => true, + 'codetype' => true, + 'color' => true, + 'compact' => true, + 'declare' => true, + 'defer' => true, + 'dir' => true, + 'direction' => true, + 'disabled' => true, + 'enctype' => true, + 'face' => true, + 'frame' => true, + 'hreflang' => true, + 'http-equiv' => true, + 'lang' => true, + 'language' => true, + 'link' => true, + 'media' => true, + 'method' => true, + 'multiple' => true, + 'nohref' => true, + 'noresize' => true, + 'noshade' => true, + 'nowrap' => true, + 'readonly' => true, + 'rel' => true, + 'rev' => true, + 'rules' => true, + 'scope' => true, + 'scrolling' => true, + 'selected' => true, + 'shape' => true, + 'target' => true, + 'text' => true, + 'type' => true, + 'valign' => true, + 'valuetype' => true, + 'vlink' => true, + ); + /** * The name of the attribute to match. * @@ -185,7 +245,16 @@ public function matches( WP_HTML_Tag_Processor $processor ): bool { $attr_value = ''; } - $case_insensitive = self::MODIFIER_CASE_INSENSITIVE === $this->modifier; + /* + * Without an explicit modifier, HTML defines some attributes' values + * as ASCII case-insensitive on HTML elements. An explicit `s` + * modifier forces case-sensitive matching even for those. + */ + $case_insensitive = self::MODIFIER_CASE_INSENSITIVE === $this->modifier || ( + null === $this->modifier && + 'html' === $processor->get_namespace() && + isset( self::HTML_CASE_INSENSITIVE_ATTRIBUTE_VALUES[ strtolower( $this->name ) ] ) + ); switch ( $this->matcher ) { case self::MATCH_EXACT: diff --git a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php index 0fb5788efce7f..fcb1acf3fa7d6 100644 --- a/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlProcessor-select.php @@ -63,6 +63,17 @@ public static function data_selectors(): array { 'empty value ^= i matches nothing' => array( '', '[x^="" i]', 0 ), 'empty value = matches empty' => array( '', '[x=""]', 1 ), 'empty value |= matches empty or hyphen-prefixed' => array( '', '[x|=""]', 2 ), + + /* + * HTML's case-insensitive attribute value list applies to + * "an HTML element in an HTML document": a foreign element with + * the same attribute name keeps case-sensitive matching. + * ( Chromium applies the list to foreign elements as well, + * diverging from the HTML specification here. ) + * + * https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors + */ + 'HTML-namespace-only attribute case-insensitivity' => array( '', '[type=TEXT]', 1 ), ); } diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index d09a6e350256d..1062c66a40253 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -95,6 +95,23 @@ public static function data_selectors(): array { 'EOF-truncated quoted value' => array( '
', '[att="a b', 1 ), 'EOF-truncated with modifier' => array( '
', '[att=val i', 1 ), + /* + * HTML defines a set of attributes whose values must match ASCII + * case-insensitively in selectors when no modifier is present. + * An explicit `s` modifier still forces case-sensitive matching. + * Attributes outside the list stay case-sensitive by default. + * + * https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors + */ + 'HTML insensitive attribute =' => array( '', '[type=TEXT]', 2 ), + 'HTML insensitive attribute ~=' => array( '', '[rel~=nofollow]', 1 ), + 'HTML insensitive attribute ^=' => array( '', '[media^=screen]', 1 ), + 'HTML insensitive attribute |=' => array( '', '[hreflang|=en]', 1 ), + 'HTML insensitive attribute s mod' => array( '', '[type=text s]', 1 ), + 'HTML insensitive attribute i mod' => array( '', '[type=text i]', 2 ), + 'unlisted attribute stays sensitive' => array( '', '[data-type=TEXT]', 1 ), + 'listed attribute name is matched case-insensitively in the list' => array( '', '[TYPE=TEXT]', 1 ), + 'list' => array( '

', 'a, p, .class, #id, [att]', 2 ), 'compound' => array( '

', 'custom-el[att="bar"][ fruit ~= "banana" i]', 1 ), ); From 00537a266f562edbf062cef6ccf7204c6e2dabc8 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 10:48:22 +0200 Subject: [PATCH 153/187] CSS selector: Decode identity escapes without copying the input tail The identity arm of consume_escaped_codepoint() read one character via mb_substr( substr( $input, $offset ), 0, 1 ), copying the entire remaining input per escape: O(n^2) over selectors composed of escapes, plus an O(n) temporary allocation each time. Size the code point in place instead with the bounded scanner _wp_scan_utf8( $input, $at, $invalid_length, 4, 1 ) from compat-utf8.php (WP 6.9, loaded unconditionally before the HTML API), then copy at most 4 bytes. Escapes of invalid UTF-8 fall through to the literal previous mb_substr() line, so behavior is preserved by construction under every mb_substitute_character setting; that fallback remains O(tail) per call, accepted for developer-supplied selectors. _wp_utf8_codepoint_span() is deliberately not used: it leaves the scanner's ASCII fast-path unbounded, which is quadratic again (noted in-code). 200KB of repeated \g through parse_ident: 180 ms before, 45 ms after, with linear scaling after (47/90/180 ms at 200/400/800KB; previously ~4x per doubling) and half the peak memory. Escape pin coverage grows to 14 cases: 2/3/4-byte characters including at end of input, NUL, and each invalid-byte class (lone continuation, overlong lead, invalid lead, truncated 3/4-byte, encoded surrogate, above U+10FFFF), with expectations probe-verified against the pre-change implementation. Adversarial review: equivalence reviewer ran ~74M differential old-vs-new cases (exhaustive byte-class boundaries at every offset, random fuzz, non-default mb_substitute_character) with 0 mismatches; perf reviewer independently reproduced the quadratic-before / linear-after curves; integration reviewer verified load order (including SHORTINIT), private-function precedent, and phpcs. All approved. Gates: full html-api PHPUnit group green (1654 tests), fuzzer 5000 seeds 0 failures. (cherry picked from commit 9d82c1ccafbf4a8db412f7873e01eb55a9b0c627) --- .../class-wp-css-selector-parser-matcher.php | 29 +++++++++++++++- .../html-api/wpCssSelectorParserMatcher.php | 33 +++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php index 23d14d01c673b..0fe7d6c608ed0 100644 --- a/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php @@ -258,7 +258,34 @@ final protected static function consume_escaped_codepoint( $input, &$offset ): s return $codepoint_char; } - // $offset is a byte offset; mb_substr() expects a character offset. + /* + * Find the byte length of the code point at $offset without copying the rest + * of the input: a code point is at most 4 bytes, so the scan is bounded and + * an escape of valid UTF-8 decodes in O(1) regardless of selector length. + * Escaped invalid bytes take the mb_substr() fallback below, which copies + * the remaining input on each call. + * + * `_wp_utf8_codepoint_span()` is not suitable here: it does not bound the + * scan, so its ASCII fast-path reads to the end of the input on every call, + * which is quadratic over a selector composed of escapes. + */ + $at = $offset; + $invalid_length = 0; + _wp_scan_utf8( $input, $at, $invalid_length, 4, 1 ); + if ( $at > $offset ) { + $codepoint_char = substr( $input, $offset, $at - $offset ); + $offset = $at; + return $codepoint_char; + } + + /* + * The bytes at $offset are not valid UTF-8. Decode with mbstring to + * preserve the parser's long-standing behavior for invalid input, which + * depends on `mb_substitute_character()`: with the default setting the + * substitute character `?` is returned and one byte is consumed. + * + * $offset is a byte offset; mb_substr() expects a character offset. + */ $codepoint_char = mb_substr( substr( $input, $offset ), 0, 1, 'UTF-8' ); $offset += strlen( $codepoint_char ); return $codepoint_char; diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php index 37f26ec8f3b92..6971fbbdec7fc 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -97,6 +97,39 @@ public static function data_idents(): array { 'lone escape at EOF' => array( '\\', "\u{fffd}", '' ), 'hyphen then escape at EOF' => array( '-\\', "-\u{fffd}", '' ), + // Identity escapes of multibyte characters, by UTF-8 sequence length. + 'escaped 2-byte character' => array( "\\\u{FC}z", "\u{FC}z", '' ), + 'escaped 3-byte character' => array( "\\\u{270F}z", "\u{270F}z", '' ), + 'escaped 4-byte character' => array( "\\\u{1F0A1}z", "\u{1F0A1}z", '' ), + 'escaped 2-byte character at EOF' => array( "a\\\u{FC}", "a\u{FC}", '' ), + 'escaped 3-byte character at EOF' => array( "a\\\u{270F}", "a\u{270F}", '' ), + 'escaped 4-byte character at EOF' => array( "a\\\u{1F0A1}", "a\u{1F0A1}", '' ), + + /* + * An escaped NUL byte passes through this low-level helper unchanged. + * This is unreachable through the public selector API, where + * normalize_selector_input() replaces NUL with U+FFFD before parsing. + */ + 'escaped NUL byte' => array( "a\\\x00z", "a\x00z", '' ), + + /* + * Identity escapes of invalid UTF-8 byte sequences. + * + * These inputs are not valid UTF-8. The escaped invalid byte decodes via + * mbstring substitution (`?` under the default `mb_substitute_character()` + * setting) and one byte is consumed; any continuation bytes that follow + * are appended verbatim by the ident-code-point path. These cases pin the + * current behavior under the default mbstring settings; they do not + * assert it is desirable. + */ + 'escaped lone continuation byte' => array( "a\\\x80z", 'a?z', '' ), + 'escaped overlong lead 0xC0' => array( "a\\\xC0\xAFz", "a?\xAFz", '' ), + 'escaped invalid lead 0xF5' => array( "a\\\xF5z", 'a?z', '' ), + 'escaped truncated 3-byte sequence' => array( "a\\\xE2\x80z", "a?\x80z", '' ), + 'escaped truncated 4-byte at EOF' => array( "a\\\xF0\x9F\x82", "a?\x9F\x82", '' ), + 'escaped UTF-8-encoded surrogate' => array( "a\\\xED\xA0\x80z", "a?\xA0\x80z", '' ), + 'escaped sequence above U+10FFFF' => array( "a\\\xF4\x90\x80\x80z", "a?\x90\x80\x80z", '' ), + // Invalid 'Invalid: (empty string)' => array( '' ), 'Invalid: bad start >' => array( '>ident' ), From 1b148d7a274a880fdca9aa733fc3b66bb59b9150 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 11:45:35 +0200 Subject: [PATCH 154/187] CSS selector: Pin a canary mb_substitute_character in escape tests Decoding an identity escape of invalid UTF-8 leaks the process-global mb_substitute_character() setting into parse results: the substitute character is returned and the offset advances by the byte length of the substitute, not of the invalid sequence. Under the default '?' this is nearly invisible; under a multibyte substitute it swallows following characters and can push the offset past the end of the input. Pin the setting to a distinctive canary -- U+2603 SNOWMAN -- in set_up()/tear_down() and rewrite the seven invalid-byte pins to the canary expectations, making the dependence unmistakable: five cases show the trailing 'z' being eaten, and a dedicated test asserts the offset overrun that the rest-of-input assertion cannot see (substr() returns '' both at and past the end). A differential run of all provider cases under canary/default/'none' confirms exactly these seven react to the setting; everything else is independent of it. These pins document the leak, not endorse it. They are the ready-made red suite for the planned fix: decoding invalid bytes to U+FFFD per maximal subpart (CSS Syntax 3 section 3.2 via the WHATWG Encoding Standard) makes the outputs setting-independent and flips every one of these expectations. Adversarial review approved; full html-api group green (1654 tests) with the substitute character verified restored after the run. (cherry picked from commit 9b0b1df6ec47b2937e9eb49a4388b08bb0f5e104) --- .../html-api/wpCssSelectorParserMatcher.php | 78 +++++++++++++++---- 1 file changed, 65 insertions(+), 13 deletions(-) diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php index 6971fbbdec7fc..707afb5d4a133 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -13,8 +13,27 @@ class Tests_HtmlApi_WpCssSelectorParserMatcher extends WP_UnitTestCase { private $test_class; + /** + * Preserves the `mb_substitute_character()` setting around each test. + * + * @var int|string + */ + private $original_substitute_character; + public function set_up(): void { parent::set_up(); + + /* + * Decoding invalid UTF-8 in identity escapes leaks the process-global + * `mb_substitute_character()` setting into parse results. Pin it to a + * distinctive character — U+2603 SNOWMAN (☃) — so that any dependence + * on the setting is unmistakable in test expectations, rather than a + * `?` that looks like an intentional placeholder. The escape-decode + * cases below document the leak; a parser that decodes invalid bytes + * to U+FFFD per CSS Syntax §3.2 would be unaffected by this setting. + */ + $this->original_substitute_character = mb_substitute_character(); + mb_substitute_character( 0x2603 ); $this->test_class = new class() extends WP_CSS_Selector_Parser_Matcher { public function matches( $processor ): bool { throw new Error( 'Matches called on test class.' ); @@ -47,6 +66,11 @@ public static function test_is_ident_start_codepoint( string $input, int $offset }; } + public function tear_down(): void { + mb_substitute_character( $this->original_substitute_character ); + parent::tear_down(); + } + /** * Data provider. * @@ -115,20 +139,30 @@ public static function data_idents(): array { /* * Identity escapes of invalid UTF-8 byte sequences. * - * These inputs are not valid UTF-8. The escaped invalid byte decodes via - * mbstring substitution (`?` under the default `mb_substitute_character()` - * setting) and one byte is consumed; any continuation bytes that follow - * are appended verbatim by the ident-code-point path. These cases pin the - * current behavior under the default mbstring settings; they do not - * assert it is desirable. + * These inputs are not valid UTF-8. The escaped invalid byte decodes to + * the process-global `mb_substitute_character()` — pinned to U+2603 (☃) + * in set_up() to make the dependence visible — and the offset then + * advances by the byte length of *the substitute character* (3 bytes + * for ☃, 1 byte for the default `?`), not of the invalid sequence. + * The expectations below show the damage: following characters are + * swallowed (the `z` in most cases) and the offset can even overrun + * the end of the input (the lone-continuation and 0xF5 cases end with + * the offset one byte past the end; see the dedicated offset test). + * + * These cases pin the current behavior to document the leak, not to + * endorse it. CSS Syntax §3.2 decodes the input byte stream per the + * WHATWG Encoding Standard, which replaces each maximal subpart of an + * invalid sequence with U+FFFD; when the parser does that, these + * expectations flip to U+FFFD outputs that are independent of + * `mb_substitute_character()`. */ - 'escaped lone continuation byte' => array( "a\\\x80z", 'a?z', '' ), - 'escaped overlong lead 0xC0' => array( "a\\\xC0\xAFz", "a?\xAFz", '' ), - 'escaped invalid lead 0xF5' => array( "a\\\xF5z", 'a?z', '' ), - 'escaped truncated 3-byte sequence' => array( "a\\\xE2\x80z", "a?\x80z", '' ), - 'escaped truncated 4-byte at EOF' => array( "a\\\xF0\x9F\x82", "a?\x9F\x82", '' ), - 'escaped UTF-8-encoded surrogate' => array( "a\\\xED\xA0\x80z", "a?\xA0\x80z", '' ), - 'escaped sequence above U+10FFFF' => array( "a\\\xF4\x90\x80\x80z", "a?\x90\x80\x80z", '' ), + 'escaped lone continuation byte' => array( "a\\\x80z", "a\u{2603}", '' ), + 'escaped overlong lead 0xC0' => array( "a\\\xC0\xAFz", "a\u{2603}", '' ), + 'escaped invalid lead 0xF5' => array( "a\\\xF5z", "a\u{2603}", '' ), + 'escaped truncated 3-byte sequence' => array( "a\\\xE2\x80z", "a\u{2603}", '' ), + 'escaped truncated 4-byte at EOF' => array( "a\\\xF0\x9F\x82", "a\u{2603}", '' ), + 'escaped UTF-8-encoded surrogate' => array( "a\\\xED\xA0\x80z", "a\u{2603}z", '' ), + 'escaped sequence above U+10FFFF' => array( "a\\\xF4\x90\x80\x80z", "a\u{2603}\x80z", '' ), // Invalid 'Invalid: (empty string)' => array( '' ), @@ -169,6 +203,24 @@ public function test_parse_ident( string $input, ?string $expected = null, ?stri } } + /** + * The rest-of-input assertion above cannot distinguish an offset at the end + * of the input from one past it (`substr()` returns '' for both), so the + * offset overrun caused by decoding an escaped invalid byte to a multibyte + * substitute character is pinned explicitly here: the 3-byte ☃ advance over + * the 1-byte invalid sequence leaves the offset one byte past the end. + * Decoding invalid bytes to U+FFFD with maximal-subpart consumption would + * turn this case into `"a\u{FFFD}z"` with the offset at the end of input. + */ + public function test_parse_ident_escaped_invalid_byte_overruns_offset() { + $input = "a\\\x80z"; + $offset = 0; + $result = $this->test_class::test_parse_ident( $input, $offset ); + + $this->assertSame( "a\u{2603}", $result, 'Ident did not match.' ); + $this->assertSame( strlen( $input ) + 1, $offset, 'Offset did not overrun the end of input.' ); + } + /** * @ticket 62653 * From b26128e09b4bf4b24a0771a29ebdf76c7f566e3f Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 18:07:47 +0200 Subject: [PATCH 155/187] CSS selector: Scrub invalid UTF-8 selector input to U+FFFD MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Selector strings are UTF-8 text. from_selectors() now decodes the input byte stream before parsing: normalize_selector_input() replaces each maximal subpart of an ill-formed byte sequence with U+FFFD via wp_scrub_utf8() (WP 6.9), per the byte-decoding step CSS Syntax 3 section 3.2 defines through the WHATWG Encoding Standard's UTF-8 decoder. A replaced selector is almost always a developer mistake (mojibake, double encoding) that would otherwise yield a silently empty match set, so the replacement also reports _doing_it_wrong(), named "::from_selectors" via late static binding. The mb_substitute_character() leak in consume_escaped_codepoint() dies structurally: with all public input scrubbed, the identity arm's mb_substr() fallback became unreachable through from_selectors() and is replaced by a deterministic decode for direct parse() callers — consume the maximal subpart the existing _wp_scan_utf8() call already reported and return one U+FFFD, consistent with the scrub. This also removes the remaining O(tail)-per-escape copy for invalid bytes. Design decision: reject (wp_is_valid_utf8() -> null) and raw byte passthrough were both considered and discarded by a three-persona adversarial design review; scrub is the option that stays stable under both the current raw value getters and a future where the getters scrub their return values. An escape-arm-only U+FFFD decode was ruled out unanimously: it would break the identity property that escaping a non-special code point is equivalent to writing it unescaped. The known divergence is pinned in a test: a scrubbed selector cannot match raw invalid bytes in a document (the Tag Processor reports raw bytes); if the HTML API value getters are ever changed to scrub, that pin flips to a match and must be updated in the same change. The compound-list class docblock gains a "Text Encoding" section recording the contract. Tests: the seven U+2603-canary escape pins flip to maximal-subpart U+FFFD expectations, and the canary is retained permanently — its job inverted from documenting the leak to proving setting-independence (a reintroduced mb_substitute_character dependence fails eight tests). New coverage: scrub + notice through from_selectors() on both list classes (the complex-list test pins the late-static-binding notice name), a lone invalid byte parsing as a U+FFFD type selector, the notice firing even when the scrubbed selector is rejected by the grammar, string-token invalid-byte decode, identity-escape equivalence and U+FFFD matching through select(), and the raw-document-bytes no-match pin (deliberately unique 0xC1 byte: select() memoizes the last parsed selector string, so a unique selector guarantees the parse-time notice under any test order). Adversarial review: three hostile reviewers. The equivalence reviewer verified the decode against an independent reference WHATWG UTF-8 decoder (exhaustive 1-2-byte tails, ~204k boundary-alphabet 3-4-byte tails, 100k random; zero mismatches, all under a U+2603 canary), scrub idempotence and ordering-neutrality (200k cases), and the notice-name propagation. The test reviewer killed four core mutations against the suite and demonstrated two test defects (select()-cache coupling, an unpinned complex-list notice name), both fixed before commit. The integration reviewer verified worker-model equivalence and determinism (10000 fuzz seeds clean). All approved. Gates: full html-api group green (1665 tests), fuzzer 5000 seeds 0 failures, self-check OK, phpcs clean. (cherry picked from commit 598ed6f363daec3d954cf22cee71b7f98f1f17c2) --- .../class-wp-css-compound-selector-list.php | 24 ++++ .../class-wp-css-selector-parser-matcher.php | 46 +++++-- .../html-api/wpCssComplexSelectorList.php | 14 ++ .../html-api/wpCssCompoundSelectorList.php | 60 +++++++++ .../html-api/wpCssSelectorParserMatcher.php | 125 +++++++++--------- .../html-api/wpHtmlTagProcessor-select.php | 64 ++++++++- 6 files changed, 254 insertions(+), 79 deletions(-) diff --git a/src/wp-includes/html-api/css/class-wp-css-compound-selector-list.php b/src/wp-includes/html-api/css/class-wp-css-compound-selector-list.php index c9eb936ff7371..4042b1bc94f3e 100644 --- a/src/wp-includes/html-api/css/class-wp-css-compound-selector-list.php +++ b/src/wp-includes/html-api/css/class-wp-css-compound-selector-list.php @@ -18,6 +18,26 @@ * It takes a CSS selector string and returns an instance of itself or `null` if the selector * is invalid or unsupported. * + * ### Text Encoding + * + * Selector strings are UTF-8 text. Ill-formed byte sequences in a selector string are + * replaced with U+FFFD REPLACEMENT CHARACTER (visually "�"), one per maximal subpart, + * before parsing — following the byte-decoding step CSS Syntax specifies for input + * byte streams (via the WHATWG Encoding Standard's UTF-8 decoder), not a browser's + * `querySelector`, which receives already-decoded strings and can never see ill-formed + * input. The replacement also triggers a `_doing_it_wrong()` notice, since a selector + * containing ill-formed bytes is almost always a developer error and, once replaced, + * matches only literal U+FFFD characters in the document. + * + * Note that the document side is byte-oriented and unscrubbed: the Tag Processor + * reports attribute values and class names with their raw bytes intact (see the + * "Text Encoding" section of {@see WP_HTML_Tag_Processor}). A selector containing + * ill-formed bytes therefore never matches those same raw bytes in a document. + * Selectors for non-UTF-8 ( but ASCII-compatible ) documents can only reliably match + * non-ASCII values by converting the selector and document to UTF-8 beforehand. + * + * @link https://www.w3.org/TR/css-syntax-3/#input-byte-stream + * * A subset of the CSS selector grammar is supported. The grammar is defined in the CSS Syntax * specification, which is available at {@link https://www.w3.org/TR/selectors/#grammar}. * @@ -115,6 +135,10 @@ protected function __construct( array $selectors ) { * Takes a CSS selector string and returns an instance of itself or `null` if the selector * string is invalid or unsupported. * + * The selector string must be UTF-8: ill-formed byte sequences are replaced with + * U+FFFD per maximal subpart before parsing and reported with `_doing_it_wrong()`. + * See the "Text Encoding" section of the class documentation. + * * @param string $input CSS selectors. * @return static|null */ diff --git a/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php index 0fe7d6c608ed0..14d9d28a771cc 100644 --- a/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php +++ b/src/wp-includes/html-api/css/class-wp-css-selector-parser-matcher.php @@ -262,8 +262,6 @@ final protected static function consume_escaped_codepoint( $input, &$offset ): s * Find the byte length of the code point at $offset without copying the rest * of the input: a code point is at most 4 bytes, so the scan is bounded and * an escape of valid UTF-8 decodes in O(1) regardless of selector length. - * Escaped invalid bytes take the mb_substr() fallback below, which copies - * the remaining input on each call. * * `_wp_utf8_codepoint_span()` is not suitable here: it does not bound the * scan, so its ASCII fast-path reads to the end of the input on every call, @@ -279,16 +277,15 @@ final protected static function consume_escaped_codepoint( $input, &$offset ): s } /* - * The bytes at $offset are not valid UTF-8. Decode with mbstring to - * preserve the parser's long-standing behavior for invalid input, which - * depends on `mb_substitute_character()`: with the default setting the - * substitute character `?` is returned and one byte is consumed. - * - * $offset is a byte offset; mb_substr() expects a character offset. + * The bytes at $offset are not valid UTF-8, which can only happen when + * `parse()` was called directly with un-normalized input: the public + * `from_selectors()` API replaces ill-formed byte sequences with U+FFFD + * before parsing. Decode consistently with that normalization — consume + * the maximal subpart of the ill-formed sequence, whose length the scan + * above reported, and return a single U+FFFD. */ - $codepoint_char = mb_substr( substr( $input, $offset ), 0, 1, 'UTF-8' ); - $offset += strlen( $codepoint_char ); - return $codepoint_char; + $offset += max( 1, $invalid_length ); + return "\u{FFFD}"; } /** @@ -511,14 +508,39 @@ final protected static function check_if_three_code_points_would_start_an_ident_ } /** - * Normalizes selector input for processing. + * Normalizes selector input for processing: decodes the byte stream as + * UTF-8 ( replacing ill-formed sequences with U+FFFD ), then filters the + * code points per the input-preprocessing rules. * + * @see https://www.w3.org/TR/css-syntax-3/#input-byte-stream * @see https://www.w3.org/TR/css-syntax-3/#input-preprocessing * * @param string $input The selector string. * @return string The normalized selector string. */ final protected static function normalize_selector_input( string $input ): string { + /* + * > The input byte stream defines the byte stream that comprises a style sheet. + * > To decode bytes into a stream of code points… + * + * Selector strings are UTF-8 text. Decoding replaces each maximal + * subpart of an ill-formed byte sequence with U+FFFD REPLACEMENT + * CHARACTER (�), per the WHATWG Encoding Standard's UTF-8 decoder. + * The replaced selector is unlikely to match the elements the + * developer intended, so the replacement also reports a notice. + * + * https://www.w3.org/TR/css-syntax-3/#input-byte-stream + */ + $scrubbed = wp_scrub_utf8( $input ); + if ( $scrubbed !== $input ) { + _doing_it_wrong( + get_called_class() . '::from_selectors', + 'Selector strings must be valid UTF-8: ill-formed byte sequences were replaced with U+FFFD (�), which is unlikely to match the intended elements.', + '{WP_VERSION}' + ); + $input = $scrubbed; + } + /* * > A selector string is a list of one or more complex selectors ([SELECTORS4], section 3.1) that may be surrounded by whitespace… * diff --git a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php index edf912e97f490..b85f788f98f0d 100644 --- a/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssComplexSelectorList.php @@ -48,4 +48,18 @@ public function test_parse_empty_selector_list() { $result = WP_CSS_Complex_Selector_List::from_selectors( $input ); $this->assertNull( $result ); } + + /** + * The invalid-UTF-8 scrub notice reports the called class: through this + * class it must be named WP_CSS_Complex_Selector_List::from_selectors, + * not the WP_CSS_Compound_Selector_List parent where from_selectors() + * and the scrub are implemented. The fuzzer's notice model depends on + * the per-class name. + * + * @expectedIncorrectUsage WP_CSS_Complex_Selector_List::from_selectors + */ + public function test_invalid_utf8_scrub_notice_reports_the_called_class() { + $result = WP_CSS_Complex_Selector_List::from_selectors( "el \xC2.child" ); + $this->assertNotNull( $result, 'Selector with invalid UTF-8 should parse after scrubbing.' ); + } } diff --git a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php index c71aa09596d8f..33149c22ed400 100644 --- a/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php +++ b/tests/phpunit/tests/html-api/wpCssCompoundSelectorList.php @@ -80,4 +80,64 @@ public function test_unsupported_complex_selector() { $result = WP_CSS_Compound_Selector_List::from_selectors( $input ); $this->assertNull( $result ); } + + /** + * Selector strings are UTF-8 text: invalid byte sequences are replaced + * with U+FFFD per maximal subpart (CSS Syntax §3.2 via the WHATWG + * Encoding Standard) before parsing, so the selector parses rather than + * being rejected. The replacement is almost certainly not what the + * developer meant, so it also triggers `_doing_it_wrong()`. + * + * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors + */ + public function test_invalid_utf8_is_scrubbed_to_replacement_character_and_notifies() { + $result = WP_CSS_Compound_Selector_List::from_selectors( ".B\xFCcher" ); + $this->assertNotNull( $result, 'Selector with invalid UTF-8 should parse after scrubbing.' ); + } + + /** + * Valid UTF-8 — including a literal U+FFFD — must parse without any + * incorrect-usage notice: scrubbing is the identity function on valid + * input. + */ + public function test_valid_utf8_with_literal_replacement_character_is_not_notified() { + $result = WP_CSS_Compound_Selector_List::from_selectors( ".B\u{FFFD}cher" ); + $this->assertNotNull( $result, 'Selector containing a literal U+FFFD should parse.' ); + } + + /** + * The whole input is scrubbed uniformly, so a selector list with invalid + * bytes in one of several selectors still parses as a list. + * + * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors + */ + public function test_invalid_utf8_in_selector_list_is_scrubbed() { + $result = WP_CSS_Compound_Selector_List::from_selectors( ".ok, .B\xE2\x8Ccher" ); + $this->assertNotNull( $result, 'Selector list with invalid UTF-8 should parse after scrubbing.' ); + } + + /** + * A selector consisting of nothing but an invalid byte parses: it scrubs + * to U+FFFD, which is an ident-start code point and therefore a valid + * type selector. Surprising, but it follows from the scrub running + * before tokenization — the parser never sees the invalid byte. + * + * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors + */ + public function test_lone_invalid_byte_parses_as_replacement_character_type_selector() { + $result = WP_CSS_Compound_Selector_List::from_selectors( "\x80" ); + $this->assertNotNull( $result, 'A lone invalid byte should parse as a U+FFFD type selector.' ); + } + + /** + * The scrub notice reports the byte replacement, which happens before + * parsing — it fires even when the scrubbed selector is then rejected + * by the grammar. + * + * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors + */ + public function test_invalid_utf8_notice_fires_even_when_selector_is_rejected() { + $result = WP_CSS_Compound_Selector_List::from_selectors( "\x80 div" ); + $this->assertNull( $result, 'Descendant combinators are unsupported by the compound list; the scrubbed selector should still be rejected.' ); + } } diff --git a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php index 707afb5d4a133..181519b3cbed3 100644 --- a/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php +++ b/tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php @@ -24,13 +24,12 @@ public function set_up(): void { parent::set_up(); /* - * Decoding invalid UTF-8 in identity escapes leaks the process-global - * `mb_substitute_character()` setting into parse results. Pin it to a - * distinctive character — U+2603 SNOWMAN (☃) — so that any dependence - * on the setting is unmistakable in test expectations, rather than a - * `?` that looks like an intentional placeholder. The escape-decode - * cases below document the leak; a parser that decodes invalid bytes - * to U+FFFD per CSS Syntax §3.2 would be unaffected by this setting. + * Parse results must not depend on the process-global + * `mb_substitute_character()` setting. Pin it to a distinctive + * character — U+2603 SNOWMAN (☃) — for every test in this file: any + * dependence on the setting would surface as a ☃ in the results + * rather than the expected U+FFFD. This guards the invalid-byte + * decode, which once leaked the setting into parse results. */ $this->original_substitute_character = mb_substitute_character(); mb_substitute_character( 0x2603 ); @@ -139,30 +138,25 @@ public static function data_idents(): array { /* * Identity escapes of invalid UTF-8 byte sequences. * - * These inputs are not valid UTF-8. The escaped invalid byte decodes to - * the process-global `mb_substitute_character()` — pinned to U+2603 (☃) - * in set_up() to make the dependence visible — and the offset then - * advances by the byte length of *the substitute character* (3 bytes - * for ☃, 1 byte for the default `?`), not of the invalid sequence. - * The expectations below show the damage: following characters are - * swallowed (the `z` in most cases) and the offset can even overrun - * the end of the input (the lone-continuation and 0xF5 cases end with - * the offset one byte past the end; see the dedicated offset test). - * - * These cases pin the current behavior to document the leak, not to - * endorse it. CSS Syntax §3.2 decodes the input byte stream per the - * WHATWG Encoding Standard, which replaces each maximal subpart of an - * invalid sequence with U+FFFD; when the parser does that, these - * expectations flip to U+FFFD outputs that are independent of - * `mb_substitute_character()`. + * These inputs are not valid UTF-8, which can only reach the parser + * through a direct `parse()` call: the public `from_selectors()` API + * replaces invalid byte sequences with U+FFFD before parsing. On + * this un-normalized path the escape decodes the maximal subpart of + * the invalid sequence (CSS Syntax §3.2 via the WHATWG Encoding + * Standard) to a single U+FFFD — independent of the + * `mb_substitute_character()` setting, which set_up() pins to ☃ + * precisely to prove that independence. Invalid bytes *after* the + * escaped subpart are not escaped; they pass through this low-level + * helper raw, exactly as unescaped invalid bytes do (the 0xAF, + * 0xA0 0x80, and 0x90 0x80 0x80 tails below). */ - 'escaped lone continuation byte' => array( "a\\\x80z", "a\u{2603}", '' ), - 'escaped overlong lead 0xC0' => array( "a\\\xC0\xAFz", "a\u{2603}", '' ), - 'escaped invalid lead 0xF5' => array( "a\\\xF5z", "a\u{2603}", '' ), - 'escaped truncated 3-byte sequence' => array( "a\\\xE2\x80z", "a\u{2603}", '' ), - 'escaped truncated 4-byte at EOF' => array( "a\\\xF0\x9F\x82", "a\u{2603}", '' ), - 'escaped UTF-8-encoded surrogate' => array( "a\\\xED\xA0\x80z", "a\u{2603}z", '' ), - 'escaped sequence above U+10FFFF' => array( "a\\\xF4\x90\x80\x80z", "a\u{2603}\x80z", '' ), + 'escaped lone continuation byte' => array( "a\\\x80z", "a\u{FFFD}z", '' ), + 'escaped overlong lead 0xC0' => array( "a\\\xC0\xAFz", "a\u{FFFD}\xAFz", '' ), + 'escaped invalid lead 0xF5' => array( "a\\\xF5z", "a\u{FFFD}z", '' ), + 'escaped truncated 3-byte sequence' => array( "a\\\xE2\x80z", "a\u{FFFD}z", '' ), + 'escaped truncated 4-byte at EOF' => array( "a\\\xF0\x9F\x82", "a\u{FFFD}", '' ), + 'escaped UTF-8-encoded surrogate' => array( "a\\\xED\xA0\x80z", "a\u{FFFD}\xA0\x80z", '' ), + 'escaped sequence above U+10FFFF' => array( "a\\\xF4\x90\x80\x80z", "a\u{FFFD}\x90\x80\x80z", '' ), // Invalid 'Invalid: (empty string)' => array( '' ), @@ -206,19 +200,19 @@ public function test_parse_ident( string $input, ?string $expected = null, ?stri /** * The rest-of-input assertion above cannot distinguish an offset at the end * of the input from one past it (`substr()` returns '' for both), so the - * offset overrun caused by decoding an escaped invalid byte to a multibyte - * substitute character is pinned explicitly here: the 3-byte ☃ advance over - * the 1-byte invalid sequence leaves the offset one byte past the end. - * Decoding invalid bytes to U+FFFD with maximal-subpart consumption would - * turn this case into `"a\u{FFFD}z"` with the offset at the end of input. + * offset arithmetic of the invalid-byte decode is pinned explicitly here: + * the escape consumes exactly the 1-byte maximal subpart and the following + * `z`, leaving the offset at — never past — the end of the input. (The + * previous `mb_substr()`-based decode advanced by the byte length of the + * substitute character and overran the end by one byte under the ☃ canary.) */ - public function test_parse_ident_escaped_invalid_byte_overruns_offset() { + public function test_parse_ident_escaped_invalid_byte_does_not_overrun_offset() { $input = "a\\\x80z"; $offset = 0; $result = $this->test_class::test_parse_ident( $input, $offset ); - $this->assertSame( "a\u{2603}", $result, 'Ident did not match.' ); - $this->assertSame( strlen( $input ) + 1, $offset, 'Offset did not overrun the end of input.' ); + $this->assertSame( "a\u{FFFD}z", $result, 'Ident did not match.' ); + $this->assertSame( strlen( $input ), $offset, 'Offset should stop exactly at the end of input.' ); } /** @@ -244,35 +238,44 @@ public function test_parse_string( string $input, ?string $expected = null, ?str */ public static function data_strings(): array { return array( - '"foo"' => array( '"foo"', 'foo', '' ), - '"foo"after' => array( '"foo"after', 'foo', 'after' ), - '"foo""two"' => array( '"foo""two"', 'foo', '"two"' ), - '"foo"\'two\'' => array( '"foo"\'two\'', 'foo', "'two'" ), + '"foo"' => array( '"foo"', 'foo', '' ), + '"foo"after' => array( '"foo"after', 'foo', 'after' ), + '"foo""two"' => array( '"foo""two"', 'foo', '"two"' ), + '"foo"\'two\'' => array( '"foo"\'two\'', 'foo', "'two'" ), + + "'foo'" => array( "'foo'", 'foo', '' ), + "'foo'after" => array( "'foo'after", 'foo', 'after' ), + "'foo'\"two\"" => array( "'foo'\"two\"", 'foo', '"two"' ), + "'foo''two'" => array( "'foo''two'", 'foo', "'two'" ), - "'foo'" => array( "'foo'", 'foo', '' ), - "'foo'after" => array( "'foo'after", 'foo', 'after' ), - "'foo'\"two\"" => array( "'foo'\"two\"", 'foo', '"two"' ), - "'foo''two'" => array( "'foo''two'", 'foo', "'two'" ), + "'foo\\nbar'" => array( "'foo\\\nbar'", 'foobar', '' ), + "'foo\\31 23'" => array( "'foo\\31 23'", 'foo123', '' ), + "'Ü\\sup'" => array( "'Ü\\sup'", 'Üsup', '' ), + "'foo\\31\\n23'" => array( "'foo\\31\n23'", 'foo123', '' ), + "'foo\\31\\t23'" => array( "'foo\\31\t23'", 'foo123', '' ), + "'foo\\00003123'" => array( "'foo\\00003123'", 'foo123', '' ), - "'foo\\nbar'" => array( "'foo\\\nbar'", 'foobar', '' ), - "'foo\\31 23'" => array( "'foo\\31 23'", 'foo123', '' ), - "'Ü\\sup'" => array( "'Ü\\sup'", 'Üsup', '' ), - "'foo\\31\\n23'" => array( "'foo\\31\n23'", 'foo123', '' ), - "'foo\\31\\t23'" => array( "'foo\\31\t23'", 'foo123', '' ), - "'foo\\00003123'" => array( "'foo\\00003123'", 'foo123', '' ), + "'foo\\" => array( "'foo\\", 'foo', '' ), - "'foo\\" => array( "'foo\\", 'foo', '' ), + /* + * Invalid UTF-8 in string context, reachable only via a direct + * parse() call ( from_selectors() scrubs first ): an escaped + * invalid byte decodes its maximal subpart to U+FFFD, exactly as + * in ident context; raw invalid bytes pass through unexamined. + */ + 'string with escaped invalid byte' => array( "'a\\\xC0z'", "a\u{FFFD}z", '' ), + 'string with raw invalid byte' => array( "'a\xC0z'", "a\xC0z", '' ), - '"' => array( '"', '', '' ), - '"\\"' => array( '"\\"', '"', '' ), - '"missing close' => array( '"missing close', 'missing close', '' ), + '"' => array( '"', '', '' ), + '"\\"' => array( '"\\"', '"', '' ), + '"missing close' => array( '"missing close', 'missing close', '' ), // Invalid - 'Invalid: (empty string)' => array( '' ), - 'Invalid: .foo' => array( '.foo' ), - 'Invalid: #foo' => array( '#foo' ), - "Invalid: 'newline\\n'" => array( "'newline\n'" ), - 'Invalid: foo' => array( 'foo' ), + 'Invalid: (empty string)' => array( '' ), + 'Invalid: .foo' => array( '.foo' ), + 'Invalid: #foo' => array( '#foo' ), + "Invalid: 'newline\\n'" => array( "'newline\n'" ), + 'Invalid: foo' => array( 'foo' ), ); } } diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php index 1062c66a40253..96bb8e1b4457d 100644 --- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php +++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor-select.php @@ -136,9 +136,9 @@ public function test_invalid_selector( string $selector ) { */ public static function data_invalid_selectors(): array { return array( - 'complex descendant' => array( 'div *' ), - 'complex child' => array( 'div > *' ), - 'invalid selector' => array( '[invalid!selector]' ), + 'complex descendant' => array( 'div *' ), + 'complex child' => array( 'div > *' ), + 'invalid selector' => array( '[invalid!selector]' ), /* * A backslash before a newline at the end of input is not a valid @@ -146,9 +146,9 @@ public static function data_invalid_selectors(): array { * The CR and FF variants are normalized to a newline before * tokenizing. */ - 'escape before newline at end' => array( ".foo\\\n" ), - 'escape before CR at end' => array( ".foo\\\r" ), - 'escape before FF at end' => array( ".foo\\\f" ), + 'escape before newline at end' => array( ".foo\\\n" ), + 'escape before CR at end' => array( ".foo\\\r" ), + 'escape before FF at end' => array( ".foo\\\f" ), /* * EOF auto-closes an open attribute selector block, but @@ -159,4 +159,56 @@ public static function data_invalid_selectors(): array { 'lone open bracket' => array( '[' ), ); } + + /** + * Selector strings are UTF-8 text: invalid byte sequences are replaced + * with U+FFFD per maximal subpart before parsing. A selector containing + * invalid bytes therefore matches a literal U+FFFD in the document, and + * an identity escape of an invalid byte is equivalent to the same byte + * unescaped — both are scrubbed before tokenization. + * + * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors + */ + public function test_select_scrubbed_selector_matches_replacement_character() { + $html = "
"; + + $processor = new WP_HTML_Tag_Processor( $html ); + $this->assertTrue( + $processor->select( ".a\xC0b" ), + 'Scrubbed selector should match the replacement character in the document.' + ); + + $processor = new WP_HTML_Tag_Processor( $html ); + $this->assertTrue( + $processor->select( ".a\\\xC0b" ), + 'An identity escape of an invalid byte should be equivalent to the unescaped byte.' + ); + } + + /** + * A selector containing invalid bytes can never match those same raw + * bytes in a document: the selector side is scrubbed to U+FFFD while + * the Tag Processor reports raw document bytes untouched. + * + * This pins a deliberate, documented divergence. If the HTML API value + * getters (get_attribute(), class_list(), …) are ever changed to scrub + * invalid UTF-8 in their return values, both sides become U+FFFD and + * this case flips to a match — update this expectation in the same + * change. + * + * The selector byte (0xC1) is unique within this file on purpose: + * select() memoizes the most recently parsed selector string, so the + * scrub notice only fires when this test's selector was not already + * parsed by an earlier test. A unique selector string guarantees a + * fresh parse regardless of test order. + * + * @expectedIncorrectUsage WP_CSS_Compound_Selector_List::from_selectors + */ + public function test_select_scrubbed_selector_does_not_match_raw_invalid_document_bytes() { + $processor = new WP_HTML_Tag_Processor( "
" ); + $this->assertFalse( + $processor->select( ".a\xC1b" ), + 'Scrubbed selector should not match raw invalid bytes in the document.' + ); + } } From 74081b16926f1041c5f1a95f88fd39dd05cf8934 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 12:49:25 +0200 Subject: [PATCH 156/187] initial css fuzzer --- tools/css-selector-fuzz/FINDINGS.md | 114 +++ tools/css-selector-fuzz/NEXT-STEPS.md | 178 ++++ tools/css-selector-fuzz/README.md | 70 ++ tools/css-selector-fuzz/lib/AstExtractor.php | 149 +++ tools/css-selector-fuzz/lib/Bootstrap.php | 63 ++ .../lib/DocumentGenerator.php | 450 +++++++++ tools/css-selector-fuzz/lib/Prng.php | 65 ++ .../lib/ReferenceMatcher.php | 253 +++++ .../lib/SelectorGenerator.php | 899 ++++++++++++++++++ tools/css-selector-fuzz/lib/Worker.php | 589 ++++++++++++ tools/css-selector-fuzz/lib/autoload.php | 9 + tools/css-selector-fuzz/lib/util.php | 157 +++ tools/css-selector-fuzz/lib/wp-stubs.php | 62 ++ tools/css-selector-fuzz/replay.php | 91 ++ tools/css-selector-fuzz/runner.php | 267 ++++++ tools/css-selector-fuzz/tests/self-check.php | 131 +++ tools/css-selector-fuzz/worker.php | 34 + 17 files changed, 3581 insertions(+) create mode 100644 tools/css-selector-fuzz/FINDINGS.md create mode 100644 tools/css-selector-fuzz/NEXT-STEPS.md create mode 100644 tools/css-selector-fuzz/README.md create mode 100644 tools/css-selector-fuzz/lib/AstExtractor.php create mode 100644 tools/css-selector-fuzz/lib/Bootstrap.php create mode 100644 tools/css-selector-fuzz/lib/DocumentGenerator.php create mode 100644 tools/css-selector-fuzz/lib/Prng.php create mode 100644 tools/css-selector-fuzz/lib/ReferenceMatcher.php create mode 100644 tools/css-selector-fuzz/lib/SelectorGenerator.php create mode 100644 tools/css-selector-fuzz/lib/Worker.php create mode 100644 tools/css-selector-fuzz/lib/autoload.php create mode 100644 tools/css-selector-fuzz/lib/util.php create mode 100644 tools/css-selector-fuzz/lib/wp-stubs.php create mode 100644 tools/css-selector-fuzz/replay.php create mode 100644 tools/css-selector-fuzz/runner.php create mode 100644 tools/css-selector-fuzz/tests/self-check.php create mode 100644 tools/css-selector-fuzz/worker.php diff --git a/tools/css-selector-fuzz/FINDINGS.md b/tools/css-selector-fuzz/FINDINGS.md new file mode 100644 index 0000000000000..981b33ef41d80 --- /dev/null +++ b/tools/css-selector-fuzz/FINDINGS.md @@ -0,0 +1,114 @@ +# CSS Selector Fuzzer — Findings + +Run: branch `html-css-fuzz` @ `6ebbcc2fe4`, PHP 8.4.21. ~3600 deterministic +seeds, 0 crashes/timeouts. Three distinct, reproduced WordPress-core correctness +bugs in the new HTML-API CSS selector support. Every selector below is valid, +supported CSS that the API mis-handles **without** reporting lack of support. + +Reproduce any case: `php tools/css-selector-fuzz/replay.php --selector '' [--html '']`. + +--- + +## Bug 1 — Identity escapes mis-decode after a multibyte character (mis-parse) + +**Invariant:** `ast-mismatch` (57 hits, the dominant signature). + +`WP_CSS_Selector_Parser_Matcher::consume_escaped_codepoint()` decodes a +non-hex ("identity") escape with: + +```php +$codepoint_char = mb_substr( $input, $offset, 1, 'UTF-8' ); +``` + +`$offset` is a **byte** offset (threaded by reference through the whole +selector-string parse), but `mb_substr()`'s 2nd argument is a **character** +index. The two diverge by one per multibyte continuation byte seen earlier in +the string, so an identity escape preceded by any multibyte content decodes the +**wrong codepoint** (reads N characters too far right, N = preceding continuation bytes). + +Minimal reproduction (second selector's type should be `sup`): + +| selector | parsed context type | +|---|---| +| `#abc,\sup #x` | `sup` ✅ | +| `#Ü,\sup #x` | `uup` ❌ | +| `#ÜÜ,\sup #x` | `pup` ❌ | +| `#ÜÜÜ,\sup #x` | `" up"` ❌ | + +Hex escapes (`\75 `) use byte-correct `substr` and are unaffected; only the +non-hex identity-escape branch is wrong. Depending on what wrong codepoint is +produced this also causes spurious parse failures (a valid selector returns +`null`). + +**Fix direction:** read the next codepoint by byte offset, e.g. +`mb_substr( substr( $input, $offset ), 0, 1, 'UTF-8' )`, or decode the UTF-8 +lead byte length from `$input[$offset]` directly. + +--- + +## Bug 2 — Empty-value `^=` `*=` `$=` match everything instead of nothing (mis-match) + +**Invariant:** `match-mismatch-html` / `match-mismatch-tag` (12 hits). + +Per Selectors-4, `[attr^=""]`, `[attr*=""]`, `[attr$=""]` match **nothing** (an +empty operand never matches). `WP_CSS_Attribute_Selector::matches()` instead: + +- `^=`: `substr_compare($attr,'',0,0) === 0` → always 0 → matches any element with the attribute. +- `*=`: `strpos($attr,'') === 0` (PHP) → matches any element with the attribute. +- `$=`: matches elements whose attribute value is exactly `""`. + +`~=` is handled correctly (returns nothing for an empty/whitespace operand). + +Reproduction against ``: + +| selector | WP matches | spec | +|---|---|---| +| `[x^=""]` | `I, B` | none | +| `[x*=""]` | `I, B` | none | +| `[x$=""]` | `I` | none | +| `[x~=""]` | none ✅ | none | + +**Fix direction:** in `matches()`, return `false` for `^= $= *=` (and `~=`) when +`'' === $this->value`, before the `substr_compare`/`strpos` calls. (This also +removes a `substr_compare` negative-length edge with very short attribute values.) + +--- + +## Bug 3 — Off-by-one length guard rejects `[name=x]` at end of string (false reject) + +**Invariant:** `parse-expectation` (1 hit; valid selector → `null`). + +`WP_CSS_Attribute_Selector::parse()` guards "need at least `=x]` remaining": + +```php +// need to match at least `=x]` at this point +if ( $updated_offset + 3 >= strlen( $input ) ) { + return null; +} +``` + +`>=` is off by one: it also rejects the exact-fit case where `=x]` **is** the +remaining tail. This rejects a valid attribute selector that uses the exact-match +`=` operator with a single-character **unquoted** value when its `]` is the last +character of the selector string. + +| selector | result | +|---|---| +| `[a=b]` | `null` ❌ | +| `div.x[y=z]` | `null` ❌ | +| `[a=bb]` | parsed ✅ (2-char value) | +| `[a="b"]` | parsed ✅ (quoted) | +| `[a^=b]` | parsed ✅ (2-char operator) | +| `[a=b].c` | parsed ✅ (trailing content) | + +**Fix direction:** change `>=` to `>` (need `strlen - $updated_offset >= 3`). + +--- + +## Fuzzer status + +Implemented and validated: deterministic seeds, seed-based replay, generative +6-bucket selector generation, independent reference matcher, ~18 invariants, +process-isolated runner, self-check suite. `php tools/css-selector-fuzz/tests/self-check.php` +passes; see `README.md` for usage. No fuzzer-side (oracle/generator) defects +surfaced in 3600 seeds — all failures are the three target bugs above. diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md new file mode 100644 index 0000000000000..0b509450a177e --- /dev/null +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -0,0 +1,178 @@ +# CSS Selector Fuzzer — Next Steps / Improvement Roadmap + +Status: first-generation fuzzer is implemented, validated, and has found three +real WordPress-core bugs (see `FINDINGS.md`). Design and current coverage are in +`README.md`. This document is the prioritized plan to take it from "found three +bugs" to "exhaustive and trustworthy." Do NOT re-explain the existing tool here; +read `README.md` and `FINDINGS.md` first. + +Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch +`html-css-fuzz` @ `6ebbcc2fe4` (trunk + merged `html-api/add-css-selector-parser`). +PHP 8.4.21. Everything under `tools/css-selector-fuzz/` is untracked; nothing +committed. `/artifacts` is gitignored (runner output lives there). + +## Measured weaknesses driving this plan + +- Match oracle is a hand-reimplementation (`ReferenceMatcher`) by the same author + who could share a spec misreading with WP — no third opinion exists today. +- Positive-match rate is low (measured): supported-compound 39.6% of parseable + cases match ≥1 element; supported-complex only **14.5%**; ~72% of all supported + cases match nothing. Most match assertions are vacuous `[] == []`. +- The "structurally safe element set" restriction (needed so `model == + parse-tree` holds) means combinator/breadcrumb matching is only ever tested on + clean trees — never on foster-parented / adoption-agency / foreign-content / + implied-end-tag restructured trees, which are the hard cases. +- No metamorphic invariants (the cheapest oracle-free signal class) — absent. +- Line coverage never measured. Some target branches are provably unreachable by + the current generator (e.g. `consume_escaped_codepoint`'s U+FFFD path for + null/surrogate/over-max codepoints; the `normalize_selector_input` NUL→U+FFFD + path). +- No automatic minimizer (the sibling `html-api-fuzz` branch ships + `tools/html-api-fuzz/minimize.php` as a pattern to copy). +- Match path only exercises `WP_HTML_Processor::create_full_parser`; fragment + contexts and varied quirks-mode triggers (only doctype presence is toggled) + are untested. + +## Work items, in priority order + +### 1. Metamorphic invariants (cheapest, highest signal-per-effort, no deps) + +Add oracle-free relations to `Worker::run_case` that must hold for any parseable +supported selector over any document. For each, transform the selector, assert +the match set (both processors) is unchanged — or for AST-level ones, assert the +extracted AST is unchanged: + +- ASCII-case-fold a type-selector name → identical matches (type names are + case-insensitive). +- Reorder subclass selectors within a compound (`div.a#b[c]` ≡ any permutation of + the subclass part) → identical matches and structurally-equivalent AST. +- Escape an arbitrary ident codepoint that does not require escaping → identical + AST and matches (exercises the escape decoder against the no-op case). +- Append a redundant universal (`sel` vs `sel:where`-free `*sel` where the type + slot is empty → `*` + subclasses) → identical matches. +- Duplicate a selector-list branch (`a, a`) → identical matches. +- Whitespace-insert around combinators and commas where insignificant → identical + matches. + +These need no external engine; they would have independently caught Bug 1. + +### 2. Path-directed generation (fix the 14.5% positive-match rate) + +Add a generation mode that GUARANTEES positive matches and meaningful negatives: + +- Pick a random element in the generated model tree. +- Synthesize a selector that must match it: type from its tag, subclasses from a + subset of its real classes/id/attributes, and (for complex) a context chain + drawn from its real ancestor tags with `>`/descendant combinators matching the + actual nesting. +- Emit the matching selector (assert it matches that element) AND near-miss + mutations (swap one ancestor combinator `>`↔descendant, drop/extend a class, + change one attribute operator) and assert the flip. + +This makes the combinator/breadcrumb walker actually exercised with real depth +and real positive/negative boundaries instead of mostly-empty match sets. Keep +the existing buckets; add this as a new bucket. + +### 3. lexbor differential oracle (the match-oracle correctness ceiling) + +Use lexbor as a THIRD, independent oracle — primarily to validate +`ReferenceMatcher`, secondarily to unlock wilder HTML. Build cost is acceptable +(confirmed by maintainer). Refs: https://lexbor.com/modules/selectors/ and the +HTML module for selector matching. + +Design: + +- C harness linking liblexbor: read many `{html, selector}` cases from stdin + (one process, batched — invoked by the runner like the existing PHP worker + subprocess; isolate crashes). Parse HTML with `lxb_html_document_parse`, parse + the selector with the CSS/selectors module, run `lxb_selectors_find`, and via + the callback collect each matched element's unique `data-fid` attribute. Emit + one line of matched-fid sets per case. FFI to `liblexbor.so` is an acceptable + alternative but a standalone CLI isolates crashes better. +- Mark every generated element with a unique `data-fid` (the generator already + does this). +- **Tree-equality gate:** only run the differential on cases where WP's tree and + lexbor's tree agree (compare the fid→tag→breadcrumb sequence from each). This + isolates the SELECTOR layer from HTML tree-construction differences (which are + a different fuzzer's concern — see `html-api-fuzz`). Bonus: this gate lets you + fuzz ARBITRARY/wild HTML and keep any case where the two trees agree, which + relaxes the current "safe element set" restriction and reaches restructured + trees the present generator can't produce. +- Three-way verdict: `reference ≠ lexbor` ⇒ fuzzer-oracle bug (fix the fuzzer); + `reference == lexbor ≠ WP` ⇒ high-confidence WP finding. + +**CRITICAL CAVEAT — quirks-mode / case-sensitivity:** lexbor has a known +class/ID case-sensitivity bug — https://github.com/lexbor/lexbor/issues/368. +WP folds class/ID names ASCII-case-insensitively in QUIRKS mode and +case-sensitively in no-quirks (`WP_HTML_Tag_Processor::is_quirks_mode()`); type +names are always case-insensitive. Do NOT trust lexbor on quirks-mode case +behavior. Restrict the lexbor differential to **no-quirks documents** (emit +``), and keep `ReferenceMatcher` as the authority for the +quirks-mode path. Pin the exact lexbor version used and note whether #368 is +fixed in it. Re-evaluate enabling quirks comparison only after verifying lexbor's +behavior against that issue. + +- Also surface (don't auto-fail) **attribute default case-insensitivity**: + Selectors-4/HTML define a set of attributes matched case-insensitively by + default; WP appears to implement only explicit `i`/`s` modifiers. lexbor may + implement the default set, producing divergence that is either a real WP + conformance gap or an intentional subset limitation — triage per case and + report. + +### 4. Parser-derived oracle tree (decouple "tree right" from "match right") + +Instead of asserting `model == parse-tree`, walk the processor ONCE to capture +the ground-truth tree (fid → tag → breadcrumbs → attributes), then run both the +reference matcher and the lexbor differential against arbitrary/wild HTML using +that captured tree as truth for the selector layer. This is the structural +change that makes #3's wild-HTML mode fully general and lets the generator reuse +`html-api-fuzz`'s nasty-HTML generator. (`model-desync` becomes a separate, +optional sanity check rather than a precondition.) + +### 5. Coverage measurement + reach the unreachable branches + +- Wire line/branch coverage (phpdbg is available: `phpdbg -qrr` with + coverage, or install pcov/xdebug) over the `src/wp-includes/html-api/css/` + classes; gate "done" on a coverage target and a written list of intentionally- + unreached lines. +- Add a generator path emitting raw hex escapes for null / surrogate + (U+D800–U+DFFF) / over-max (> U+10FFFF) codepoints and assert they decode to + U+FFFD (currently unreachable — the renderer only escapes real codepoints). +- Fuzz NUL bytes and CR/FF in the selector INPUT to exercise + `normalize_selector_input` (NUL→U+FFFD, CR/CRLF/FF→LF). + +### 6. Automatic minimizer + +Port the delta-debugging pattern from `tools/html-api-fuzz/minimize.php`: given a +failing seed, shrink both the HTML and the selector (byte/structural deletes, +keep-failing) to a minimal reproducer. Wire into `replay.php` or a new +`minimize.php`. Bugs 1 and 3 were hand-minimized; automate it. + +### 7. Broaden match surface + +- Run the match oracle through `create_fragment` with varied fragment contexts, + not just `create_full_parser`. +- Vary all quirks-mode triggers (not only doctype presence): no-doctype, + malformed doctype, ``, limited-quirks doctypes. + +## Acceptance bar for "exacting standards" + +- Coverage measured and reported for the `css/` classes, with a justified list of + any unreached lines. +- Three independent oracles agree on no-quirks supported cases (AST round-trip, + `ReferenceMatcher`, lexbor); divergences are triaged to either a WP finding or + a fuzzer-oracle fix — never left ambiguous. +- Metamorphic invariants in place and passing. +- Positive-match rate for combinator selectors materially raised (path-directed + generation); match assertions are mostly non-vacuous. +- Minimizer produces minimal repros automatically. +- A clean multi-thousand-seed run with all signatures triaged; `FINDINGS.md` + updated with any new bugs (each with a minimal repro and a one-line fix + direction), and confirmation that the three known bugs still reproduce. + +## Existing bugs to keep verifying (regression anchors) + +From `FINDINGS.md` — minimal repros, all must still trigger until core is fixed: +1. Identity escape after multibyte mis-decodes: `#Ü,\sup #x` → type `uup` (want `sup`). +2. Empty-value matchers match everything: `[x^=""]`, `[x*=""]`, `[x$=""]`. +3. Off-by-one length guard: `[a=b]` (single-char unquoted value, exact `=`, at EOF) → `null`. diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md new file mode 100644 index 0000000000000..03c2c51d654f7 --- /dev/null +++ b/tools/css-selector-fuzz/README.md @@ -0,0 +1,70 @@ +# CSS Selector Fuzzer + +Generative fuzzer for the HTML API CSS selector support: +`WP_CSS_Compound_Selector_List`, `WP_CSS_Complex_Selector_List`, and the +`select()` methods on `WP_HTML_Tag_Processor` and `WP_HTML_Processor`. + +Every case is fully deterministic from its integer seed: the same seed always +produces the same document, the same selector, and the same verdict. + +## What a case does + +1. Generate a random HTML document from a structurally "safe" element set so + the model tree is provably identical to the parsed tree (this is itself + verified every case — `model-desync`). +2. Generate a selector in one of six buckets: + - `supported-compound` — must parse in both grammars; carries intended AST. + - `supported-complex` — uses `>`/descendant combinators; must parse only + in the complex grammar; carries intended AST. + - `unsupported` — valid CSS the API intentionally rejects (pseudo-classes + and -elements, `+`/`~`/`||` combinators, namespaces, non-type context + selectors); must not parse. + - `invalid` — not valid CSS; must not parse. + - `chaos` — arbitrary bytes; no parse expectation. + - `mutated` — a supported selector with random byte mutations; no parse + expectation. +3. Check invariants: + - No PHP error/warning/exception from parsing or matching, ever. + - Parse result (instance vs `null`) matches the bucket's expectation. + - Anything the compound grammar parses, the complex grammar parses, and + both produce the same AST. + - Parsed AST equals the generated AST (escapes, strings, whitespace and + case randomization must not change meaning). + - For any selector that parses (including chaos/mutated), the `select()` + match set equals an independent spec-faithful reference matcher, on both + processors, including quirks-mode class/ID case-insensitivity. + - For any selector that does not parse, `select()` returns `false`, + `_doing_it_wrong` fires exactly once per call (also via the parse + cache), and the processor remains usable. + - The processor ends with no `get_last_error()`/unsupported state. + - Repeating a case yields a byte-identical result digest (determinism). + +## Usage + +Bounded fuzz run (process-isolated chunks, crash/hang attribution): + + php tools/css-selector-fuzz/runner.php --max-seeds 1000 --duration-seconds 60 + +Artifacts go to `artifacts/css-selector-fuzz/run-*/` and are intentionally +small: `state.json` (counters, per-signature tallies) and `failures.ndjson` +(one line per failure, with base64 selector + document for offline analysis). + +Replay a failure by seed: + + php tools/css-selector-fuzz/replay.php --seed 42 --show-html + php tools/css-selector-fuzz/replay.php --seed 42 --json + +Probe a specific selector: + + php tools/css-selector-fuzz/replay.php --selector 'section > div.cls' --html '
' + +Run a batch in-process (no isolation, faster): + + php tools/css-selector-fuzz/worker.php --start-seed 1 --count 500 + +Options of note: + +- `runner.php --stop-on-failure` stops at the first failing chunk. +- `worker.php --determinism-every N` re-runs every Nth seed twice (default 16). +- `worker.php --max-failures N` stops a batch after N failures (default 200) + to bound artifact size. diff --git a/tools/css-selector-fuzz/lib/AstExtractor.php b/tools/css-selector-fuzz/lib/AstExtractor.php new file mode 100644 index 0000000000000..ed81beac30c3e --- /dev/null +++ b/tools/css-selector-fuzz/lib/AstExtractor.php @@ -0,0 +1,149 @@ + array(), + 'self' => self::from_compound( $selector ), + ); + } + return $out; + } + + private static function from_complex( \WP_CSS_Complex_Selector $selector ): array { + $context = array(); + foreach ( (array) $selector->context_selectors as $pair ) { + if ( ! is_array( $pair ) || 2 !== count( $pair ) ) { + throw new \UnexpectedValueException( 'Context selector pair has unexpected shape.' ); + } + if ( ! $pair[0] instanceof \WP_CSS_Type_Selector ) { + throw new \UnexpectedValueException( 'Context selector is not a type selector: ' . self::describe( $pair[0] ) ); + } + if ( ! in_array( $pair[1], array( ' ', '>' ), true ) ) { + throw new \UnexpectedValueException( 'Context selector uses unsupported combinator: ' . var_export( $pair[1], true ) ); + } + $context[] = array( $pair[0]->type, $pair[1] ); + } + + return array( + 'context' => $context, + 'self' => self::from_compound( $selector->self_selector ), + ); + } + + private static function from_compound( \WP_CSS_Compound_Selector $selector ): array { + $subs = null; + if ( null !== $selector->subclass_selectors ) { + if ( array() === $selector->subclass_selectors ) { + throw new \UnexpectedValueException( 'Compound selector has empty (non-null) subclass selector array.' ); + } + $subs = array(); + foreach ( $selector->subclass_selectors as $sub ) { + $subs[] = self::from_subclass( $sub ); + } + } + + if ( null === $selector->type_selector && null === $subs ) { + throw new \UnexpectedValueException( 'Compound selector has neither type nor subclass selectors.' ); + } + + return array( + 'type' => null === $selector->type_selector ? null : $selector->type_selector->type, + 'subs' => $subs, + ); + } + + private static function from_subclass( $sub ): array { + if ( $sub instanceof \WP_CSS_Class_Selector ) { + return array( + 'kind' => 'class', + 'name' => $sub->class_name, + ); + } + if ( $sub instanceof \WP_CSS_ID_Selector ) { + return array( + 'kind' => 'id', + 'name' => $sub->id, + ); + } + if ( $sub instanceof \WP_CSS_Attribute_Selector ) { + $valid_matchers = array( + null, + \WP_CSS_Attribute_Selector::MATCH_EXACT, + \WP_CSS_Attribute_Selector::MATCH_ONE_OF_EXACT, + \WP_CSS_Attribute_Selector::MATCH_EXACT_OR_HYPHEN_SUFFIXED, + \WP_CSS_Attribute_Selector::MATCH_PREFIXED_BY, + \WP_CSS_Attribute_Selector::MATCH_SUFFIXED_BY, + \WP_CSS_Attribute_Selector::MATCH_CONTAINS, + ); + if ( ! in_array( $sub->matcher, $valid_matchers, true ) ) { + throw new \UnexpectedValueException( 'Attribute selector has unknown matcher: ' . var_export( $sub->matcher, true ) ); + } + $valid_modifiers = array( + null, + \WP_CSS_Attribute_Selector::MODIFIER_CASE_SENSITIVE, + \WP_CSS_Attribute_Selector::MODIFIER_CASE_INSENSITIVE, + ); + if ( ! in_array( $sub->modifier, $valid_modifiers, true ) ) { + throw new \UnexpectedValueException( 'Attribute selector has unknown modifier: ' . var_export( $sub->modifier, true ) ); + } + if ( ( null === $sub->matcher ) !== ( null === $sub->value ) ) { + throw new \UnexpectedValueException( 'Attribute selector matcher/value nullness mismatch.' ); + } + return array( + 'kind' => 'attr', + 'name' => $sub->name, + 'matcher' => $sub->matcher, + 'value' => $sub->value, + 'modifier' => $sub->modifier, + ); + } + throw new \UnexpectedValueException( 'Unknown subclass selector: ' . self::describe( $sub ) ); + } + + private static function get_private( $object, string $property, string $declaring_class ) { + $reflection = new \ReflectionProperty( $declaring_class, $property ); + $reflection->setAccessible( true ); + $value = $reflection->getValue( $object ); + if ( ! is_array( $value ) ) { + throw new \UnexpectedValueException( "Property {$property} is not an array." ); + } + return $value; + } + + private static function describe( $value ): string { + return is_object( $value ) ? get_class( $value ) : gettype( $value ); + } +} diff --git a/tools/css-selector-fuzz/lib/Bootstrap.php b/tools/css-selector-fuzz/lib/Bootstrap.php new file mode 100644 index 0000000000000..6d33b4de7c4e9 --- /dev/null +++ b/tools/css-selector-fuzz/lib/Bootstrap.php @@ -0,0 +1,63 @@ + */ + public static function doing_it_wrong_calls(): array { + return $GLOBALS['css_selector_fuzz_doing_it_wrong']; + } +} diff --git a/tools/css-selector-fuzz/lib/DocumentGenerator.php b/tools/css-selector-fuzz/lib/DocumentGenerator.php new file mode 100644 index 0000000000000..70e3ab80d2a39 --- /dev/null +++ b/tools/css-selector-fuzz/lib/DocumentGenerator.php @@ -0,0 +1,450 @@ +prng = $prng; + $this->max_elements = $max_elements; + $this->pools = array( + 'tags' => array(), + 'classes' => array(), + 'ids' => array(), + 'attrNames' => array(), + 'attrValues' => array(), + ); + } + + /** + * @return array{model: array, html: string, quirks: bool, pools: array} + */ + public static function generate( Prng $prng ): array { + $generator = new self( $prng, $prng->int( 8, 40 ) ); + return $generator->build(); + } + + private function build(): array { + $has_doctype = $this->prng->chance( 85 ); + + $head_children = array(); + if ( $this->prng->chance( 60 ) ) { + $head_children[] = $this->make_element( 'title', array(), array() ); + } + if ( $this->prng->chance( 30 ) ) { + $head_children[] = $this->make_element( 'meta', $this->random_attrs(), array() ); + } + + $body_children = array(); + $child_budget = $this->prng->int( 1, 6 ); + for ( $i = 0; $i < $child_budget && $this->element_count < $this->max_elements; $i++ ) { + $body_children[] = $this->random_subtree( 0 ); + } + + $head = $this->make_element( 'head', array(), $head_children ); + $body = $this->make_element( 'body', $this->prng->chance( 30 ) ? $this->random_attrs() : array(), $body_children ); + $html = $this->make_element( 'html', $this->prng->chance( 20 ) ? $this->random_attrs() : array(), array( $head, $body ) ); + + $rendered = ( $has_doctype ? '' : '' ) . $this->render_element( $html ); + + foreach ( $this->pools as $key => $values ) { + $this->pools[ $key ] = array_values( array_unique( $values ) ); + } + + return array( + 'model' => $html, + 'html' => $rendered, + 'quirks' => ! $has_doctype, + 'pools' => $this->pools, + ); + } + + private function random_subtree( int $depth ): array { + ++$this->element_count; + + if ( $depth >= 7 || $this->element_count >= $this->max_elements || $this->prng->chance( 25 ) ) { + // Leaf. + if ( $this->prng->chance( 25 ) ) { + return $this->make_element( $this->prng->choice( self::VOID_TAGS ), $this->random_attrs(), array(), true ); + } + return $this->make_element( $this->prng->choice( self::SAFE_TAGS ), $this->random_attrs(), array() ); + } + + $children = array(); + $child_count = $this->prng->int( 1, 4 ); + for ( $i = 0; $i < $child_count && $this->element_count < $this->max_elements; $i++ ) { + $children[] = $this->random_subtree( $depth + 1 ); + } + + return $this->make_element( $this->prng->choice( self::SAFE_TAGS ), $this->random_attrs(), $children ); + } + + private function make_element( string $tag, array $attrs, array $children, bool $is_void = false ): array { + $fid = 'e' . $this->fid_counter++; + + $written_tag = $this->prng->chance( 15 ) ? $this->random_case( $tag ) : $tag; + + $this->pools['tags'][] = $tag; + + return array( + 'tag' => $written_tag, + 'fid' => $fid, + 'attrs' => $attrs, + 'children' => $children, + 'void' => $is_void || in_array( strtolower( $tag ), array( 'meta', 'br', 'hr', 'img', 'wbr', 'input', 'embed' ), true ), + ); + } + + /** @return array name/value pairs in source order. */ + private function random_attrs(): array { + $attrs = array(); + $count = $this->prng->weighted( + array( + 0 => 15, + 1 => 30, + 2 => 30, + 3 => 15, + 4 => 10, + ) + ); + + $used_names = array(); + for ( $i = 0; $i < $count; $i++ ) { + $name = $this->prng->choice( self::ATTR_NAMES ); + + // Occasionally repeat an attribute name: the processor keeps the first. + $is_duplicate = isset( $used_names[ ascii_strtolower( $name ) ] ); + if ( $is_duplicate && ! $this->prng->chance( 20 ) ) { + continue; + } + $used_names[ ascii_strtolower( $name ) ] = true; + + if ( $this->prng->chance( 12 ) ) { + $name = $this->random_case( $name ); + } + + $lower = ascii_strtolower( $name ); + if ( 'class' === $lower ) { + $value = $this->random_class_value(); + } elseif ( 'id' === $lower ) { + $value = $this->prng->chance( 85 ) ? $this->random_id_value() : ( $this->prng->chance( 50 ) ? '' : true ); + } elseif ( in_array( $lower, array( 'disabled', 'hidden' ), true ) ) { + $value = $this->prng->chance( 70 ) ? true : $this->prng->choice( array( '', 'disabled', 'true' ) ); + } else { + $value = $this->prng->chance( 12 ) ? true : $this->random_attr_value(); + } + + $this->pools['attrNames'][] = ascii_strtolower( $name ); + if ( is_string( $value ) ) { + $this->pools['attrValues'][] = $value; + } + + $attrs[] = array( $name, $value ); + } + + return $attrs; + } + + private function random_class_value(): string { + $count = $this->prng->int( 1, 4 ); + $classes = array(); + for ( $i = 0; $i < $count; $i++ ) { + $class = $this->random_word( true ); + $classes[] = $class; + $this->pools['classes'][] = $class; + } + + $ws = array( ' ', ' ', ' ', "\t", "\n", "\f", ' ' ); + $value = $this->prng->chance( 20 ) ? $this->prng->choice( $ws ) : ''; + foreach ( $classes as $i => $class ) { + if ( $i > 0 ) { + $value .= $this->prng->choice( $ws ); + } + $value .= $class; + } + if ( $this->prng->chance( 20 ) ) { + $value .= $this->prng->choice( $ws ); + } + return $value; + } + + private function random_id_value(): string { + $id = $this->random_word( true ); + $this->pools['ids'][] = $id; + return $id; + } + + private function random_attr_value(): string { + $kind = $this->prng->weighted( + array( + 'word' => 35, + 'words' => 20, + 'hyphenated' => 15, + 'empty' => 8, + 'spicy' => 12, + 'unicode' => 10, + ) + ); + + switch ( $kind ) { + case 'word': + return $this->random_word( true ); + case 'words': + $parts = array(); + $n = $this->prng->int( 2, 4 ); + for ( $i = 0; $i < $n; $i++ ) { + $parts[] = $this->random_word( true ); + } + return implode( $this->prng->choice( array( ' ', ' ', "\t", "\n" ) ), $parts ); + case 'hyphenated': + return $this->random_word( false ) . '-' . $this->random_word( false ); + case 'empty': + return ''; + case 'spicy': + $spice = array( 'a"b', "a'b", 'a&b', 'ab', 'a=b', 'a b c', '&', '"x', '100%', 'semi;colon', 'a,b' ); + return $this->prng->choice( $spice ); + case 'unicode': + $unicode = array( 'héllo', 'ÄÖÜ', '✓done', 'naïve', 'Ωmega', '\u{1F600}smile' ); + $value = $this->prng->choice( $unicode ); + return str_replace( '\u{1F600}', "\u{1F600}", $value ); + } + return 'fallback'; + } + + private function random_word( bool $allow_mixed_case ): string { + $stems = array( 'alpha', 'beta', 'gamma', 'delta', 'box', 'col', 'item', 'note', 'wide', 'main-item', 'x', 'a', '-lead', '--var', '_under', 'Über', 'mixedCase' ); + $word = $this->prng->choice( $stems ); + if ( $this->prng->chance( 30 ) ) { + $word .= (string) $this->prng->int( 0, 99 ); + } + if ( $allow_mixed_case && $this->prng->chance( 15 ) ) { + $word = $this->random_case( $word ); + } + return $word; + } + + private function random_case( string $input ): string { + $out = ''; + for ( $i = 0; $i < strlen( $input ); $i++ ) { + $c = $input[ $i ]; + $out .= $this->prng->chance( 50 ) ? strtoupper( $c ) : strtolower( $c ); + } + return $out; + } + + /* + * --------- + * Rendering + * --------- + */ + + private function render_element( array $element ): string { + $out = '<' . $element['tag']; + + $rendered_attrs = array( ' data-fid="' . $element['fid'] . '"' ); + foreach ( $element['attrs'] as $attr ) { + $rendered_attrs[] = ' ' . $this->render_attr( $attr[0], $attr[1] ); + } + $out .= implode( '', $rendered_attrs ); + + if ( $element['void'] ) { + $out .= $this->prng->chance( 25 ) ? ' />' : '>'; + return $out; + } + + $out .= '>'; + + $child_bits = array(); + foreach ( $element['children'] as $child ) { + $child_bits[] = $this->render_element( $child ); + } + + /* + * Sprinkle text and comments between children — but never directly + * inside `html` or `head`, where character tokens would trigger + * insertion-mode changes (early body creation, head popping) that + * desynchronize the model from the parsed tree. + */ + $lower_tag = strtolower( $element['tag'] ); + $may_have_filler = ! in_array( $lower_tag, array( 'html', 'head' ), true ); + $filler_options = array( + '', + 'text', + ' more text ', + "\n ", + '& <escaped>', + '', + 'café ✓', + ); + $content = ''; + foreach ( $child_bits as $bit ) { + if ( $may_have_filler && $this->prng->chance( 40 ) ) { + $content .= $this->prng->choice( $filler_options ); + } + $content .= $bit; + } + if ( $may_have_filler && $this->prng->chance( 40 ) ) { + $content .= $this->prng->choice( $filler_options ); + } + if ( 'title' === $lower_tag ) { + // RAWTEXT: keep it plain. + $content = $this->prng->chance( 60 ) ? 'Fuzz Title' : ''; + } + + return $out . $content . ''; + } + + /** @param string|true $value */ + private function render_attr( string $name, $value ): string { + if ( true === $value ) { + return $name; + } + + $style = $this->prng->weighted( + array( + 'double' => 60, + 'single' => 20, + 'unquoted' => 20, + ) + ); + + if ( 'unquoted' === $style && ( '' === $value || strlen( $value ) !== strspn( $value, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._:-' ) ) ) { + $style = 'double'; + } + + switch ( $style ) { + case 'unquoted': + return $name . '=' . $value; + case 'single': + return $name . "='" . str_replace( array( '&', "'", '<' ), array( '&', ''', '<' ), $value ) . "'"; + default: + return $name . '="' . str_replace( array( '&', '"', '<' ), array( '&', '"', '<' ), $value ) . '"'; + } + } + + /* + * ---------------- + * Model utilities + * ---------------- + */ + + /** Pre-order (document order) list of elements. */ + public static function flatten( array $element ): array { + $out = array( $element ); + foreach ( $element['children'] as $child ) { + foreach ( self::flatten( $child ) as $descendant ) { + $out[] = $descendant; + } + } + return $out; + } + + /** + * Pre-order list of ( element, ancestors ) pairs where ancestors is the + * chain from nearest ancestor to root — the same orientation as + * WP_HTML_Processor::get_breadcrumbs() reversed past self. + */ + public static function flatten_with_ancestors( array $element, array $ancestors = array() ): array { + $out = array( array( $element, $ancestors ) ); + $next_ancestors = array_merge( array( $element ), $ancestors ); + foreach ( $element['children'] as $child ) { + foreach ( self::flatten_with_ancestors( $child, $next_ancestors ) as $pair ) { + $out[] = $pair; + } + } + return $out; + } + + /** First attribute value for a name, ASCII case-insensitive; null if absent. */ + public static function get_attribute_value( array $element, string $name ) { + $comparable = ascii_strtolower( $name ); + foreach ( $element['attrs'] as $attr ) { + if ( ascii_strtolower( $attr[0] ) === $comparable ) { + return $attr[1]; + } + } + return null; + } +} diff --git a/tools/css-selector-fuzz/lib/Prng.php b/tools/css-selector-fuzz/lib/Prng.php new file mode 100644 index 0000000000000..b8d8737304277 --- /dev/null +++ b/tools/css-selector-fuzz/lib/Prng.php @@ -0,0 +1,65 @@ +key = $seed . "\x1f" . $label; + } + + /** Derives an independent child stream; consuming it does not affect this stream. */ + public function fork( string $label ): Prng { + return new Prng( $this->key, $label . ':' . $this->uint32() ); + } + + public function bytes( int $length ): string { + while ( strlen( $this->buffer ) < $length ) { + $this->buffer .= hash( 'sha256', $this->key . ':' . $this->counter++, true ); + } + $out = substr( $this->buffer, 0, $length ); + $this->buffer = substr( $this->buffer, $length ); + return $out; + } + + public function uint32(): int { + $parts = unpack( 'Nvalue', $this->bytes( 4 ) ); + return (int) $parts['value']; + } + + public function int( int $min, int $max ): int { + if ( $max <= $min ) { + return $min; + } + return $min + ( $this->uint32() % ( $max - $min + 1 ) ); + } + + public function chance( int $numerator, int $denominator = 100 ): bool { + return $this->int( 1, $denominator ) <= $numerator; + } + + public function choice( array $values ) { + return $values[ $this->int( 0, count( $values ) - 1 ) ]; + } + + /** @param array $weights value => weight */ + public function weighted( array $weights ) { + $total = array_sum( $weights ); + $pick = $this->int( 1, max( 1, (int) $total ) ); + foreach ( $weights as $value => $weight ) { + $pick -= $weight; + if ( $pick <= 0 ) { + return $value; + } + } + return array_key_first( $weights ); + } +} diff --git a/tools/css-selector-fuzz/lib/ReferenceMatcher.php b/tools/css-selector-fuzz/lib/ReferenceMatcher.php new file mode 100644 index 0000000000000..fd834a543041d --- /dev/null +++ b/tools/css-selector-fuzz/lib/ReferenceMatcher.php @@ -0,0 +1,253 @@ +' === $combinator ) { + return self::type_matches( $type, $ancestor_tags[0] ) + && self::explore_context( $rest, array_slice( $ancestor_tags, 1 ) ); + } + + // Descendant: try every matching ancestor. + $count = count( $ancestor_tags ); + for ( $i = 0; $i < $count; $i++ ) { + if ( + self::type_matches( $type, $ancestor_tags[ $i ] ) && + self::explore_context( $rest, array_slice( $ancestor_tags, $i + 1 ) ) + ) { + return true; + } + } + return false; + } + + public static function compound_matches( array $compound, array $element, bool $quirks ): bool { + if ( null !== $compound['type'] && ! self::type_matches( $compound['type'], $element['tag'] ) ) { + return false; + } + foreach ( (array) $compound['subs'] as $sub ) { + if ( ! self::sub_matches( $sub, $element, $quirks ) ) { + return false; + } + } + return true; + } + + private static function type_matches( string $type, string $tag ): bool { + return '*' === $type || ascii_strtolower( $type ) === ascii_strtolower( $tag ); + } + + private static function sub_matches( array $sub, array $element, bool $quirks ): bool { + switch ( $sub['kind'] ) { + case 'class': + return self::class_matches( $sub['name'], $element, $quirks ); + case 'id': + return self::id_matches( $sub['name'], $element, $quirks ); + case 'attr': + return self::attr_matches( $sub, $element ); + } + return false; + } + + private static function class_matches( string $wanted, array $element, bool $quirks ): bool { + $class_value = DocumentGenerator::get_attribute_value( $element, 'class' ); + if ( ! is_string( $class_value ) ) { + return false; + } + + $length = strlen( $class_value ); + $at = 0; + while ( $at < $length ) { + $at += strspn( $class_value, self::WHITESPACE, $at ); + if ( $at >= $length ) { + break; + } + $word_length = strcspn( $class_value, self::WHITESPACE, $at ); + $word = substr( $class_value, $at, $word_length ); + $at += $word_length; + + if ( + $quirks + ? ascii_strtolower( $word ) === ascii_strtolower( $wanted ) + : $word === $wanted + ) { + return true; + } + } + return false; + } + + private static function id_matches( string $wanted, array $element, bool $quirks ): bool { + $id = DocumentGenerator::get_attribute_value( $element, 'id' ); + if ( ! is_string( $id ) ) { + return false; + } + return $quirks + ? ascii_strtolower( $id ) === ascii_strtolower( $wanted ) + : $id === $wanted; + } + + private static function attr_matches( array $sub, array $element ): bool { + $attr_value = DocumentGenerator::get_attribute_value( $element, $sub['name'] ); + if ( null === $attr_value ) { + return false; + } + if ( null === $sub['matcher'] ) { + return true; + } + if ( true === $attr_value ) { + $attr_value = ''; + } + + $wanted = (string) $sub['value']; + $case_insensitive = 'case-insensitive' === $sub['modifier']; + if ( $case_insensitive ) { + $attr_value = ascii_strtolower( $attr_value ); + $wanted = ascii_strtolower( $wanted ); + } + + switch ( $sub['matcher'] ) { + case 'exact': + return $attr_value === $wanted; + + case 'one-of': + if ( '' === $wanted || strlen( $wanted ) !== strcspn( $wanted, self::WHITESPACE ) ) { + return false; + } + $length = strlen( $attr_value ); + $at = 0; + while ( $at < $length ) { + $at += strspn( $attr_value, self::WHITESPACE, $at ); + if ( $at >= $length ) { + break; + } + $word_length = strcspn( $attr_value, self::WHITESPACE, $at ); + if ( substr( $attr_value, $at, $word_length ) === $wanted ) { + return true; + } + $at += $word_length; + } + return false; + + case 'exact-or-hyphen-suffixed': + if ( $attr_value === $wanted ) { + return true; + } + return 0 === strncmp( $attr_value, $wanted . '-', strlen( $wanted ) + 1 ); + + case 'prefixed': + if ( '' === $wanted ) { + return false; + } + return 0 === strncmp( $attr_value, $wanted, strlen( $wanted ) ); + + case 'suffixed': + if ( '' === $wanted ) { + return false; + } + return strlen( $attr_value ) >= strlen( $wanted ) + && substr( $attr_value, -strlen( $wanted ) ) === $wanted; + + case 'contains': + if ( '' === $wanted ) { + return false; + } + return false !== strpos( $attr_value, $wanted ); + } + + return false; + } +} diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php new file mode 100644 index 0000000000000..53347c083e79b --- /dev/null +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -0,0 +1,899 @@ +prng = $prng; + $this->pools = $pools; + } + + /** + * @param array $pools Pools from DocumentGenerator ( tags, classes, ids, attrNames, attrValues ). + * @return array{ + * bucket: string, + * selector: string, + * expectCompound: bool|null, + * expectComplex: bool|null, + * ast: array|null, + * } + */ + public static function generate( Prng $prng, array $pools, ?string $bucket = null ): array { + $generator = new self( $prng, $pools ); + + if ( null === $bucket ) { + $bucket = $prng->weighted( + array( + 'supported-compound' => 30, + 'supported-complex' => 25, + 'unsupported' => 15, + 'invalid' => 12, + 'chaos' => 8, + 'mutated' => 10, + ) + ); + } + + switch ( $bucket ) { + case 'supported-compound': + $ast = $generator->gen_complex_list( false ); + return array( + 'bucket' => $bucket, + 'selector' => $generator->render_complex_list( $ast ), + 'expectCompound' => true, + 'expectComplex' => true, + 'ast' => $ast, + ); + + case 'supported-complex': + $ast = $generator->gen_complex_list( true ); + return array( + 'bucket' => $bucket, + 'selector' => $generator->render_complex_list( $ast ), + 'expectCompound' => false, + 'expectComplex' => true, + 'ast' => $ast, + ); + + case 'unsupported': + return array( + 'bucket' => $bucket, + 'selector' => $generator->gen_unsupported(), + 'expectCompound' => false, + 'expectComplex' => false, + 'ast' => null, + ); + + case 'invalid': + return array( + 'bucket' => $bucket, + 'selector' => $generator->gen_invalid(), + 'expectCompound' => false, + 'expectComplex' => false, + 'ast' => null, + ); + + case 'chaos': + return array( + 'bucket' => $bucket, + 'selector' => $generator->gen_chaos(), + 'expectCompound' => null, + 'expectComplex' => null, + 'ast' => null, + ); + + case 'mutated': + default: + $ast = $generator->gen_complex_list( $generator->prng->chance( 50 ) ); + $rendered = $generator->render_complex_list( $ast ); + return array( + 'bucket' => 'mutated', + 'selector' => $generator->mutate( $rendered ), + 'expectCompound' => null, + 'expectComplex' => null, + 'ast' => null, + ); + } + } + + /* + * -------------- + * AST generation + * -------------- + * + * Canonical AST shapes (matching what AstExtractor produces from + * parsed WP_CSS_* objects): + * + * list: array of complex + * complex: array( 'context' => array( array( type, combinator ) ... right-to-left ), 'self' => compound ) + * compound: array( 'type' => string|null, 'subs' => array|null ) + * sub: array( 'kind' => 'class'|'id', 'name' => string ) + * | array( 'kind' => 'attr', 'name' => string, 'matcher' => string|null, + * 'value' => string|null, 'modifier' => string|null ) + */ + + private function gen_complex_list( bool $require_combinator ): array { + $count = $this->prng->weighted( + array( + 1 => 55, + 2 => 30, + 3 => 15, + ) + ); + + $list = array(); + $combinator_at = $require_combinator ? $this->prng->int( 0, $count - 1 ) : -1; + for ( $i = 0; $i < $count; $i++ ) { + $wants_combinators = $i === $combinator_at || ( $require_combinator && $this->prng->chance( 30 ) ); + $list[] = $this->gen_complex( $require_combinator ? $wants_combinators : false ); + } + return $list; + } + + private function gen_complex( bool $with_combinators ): array { + $context = array(); + if ( $with_combinators ) { + $context_count = $this->prng->int( 1, 3 ); + for ( $i = 0; $i < $context_count; $i++ ) { + $context[] = array( + $this->gen_type_name( true ), + $this->prng->chance( 50 ) ? ' ' : '>', + ); + } + } + + return array( + 'context' => $context, + 'self' => $this->gen_compound(), + ); + } + + private function gen_compound(): array { + $has_type = $this->prng->chance( 65 ); + $sub_count = $this->prng->weighted( + array( + 0 => 30, + 1 => 40, + 2 => 20, + 3 => 10, + ) + ); + if ( ! $has_type && 0 === $sub_count ) { + if ( $this->prng->chance( 50 ) ) { + $has_type = true; + } else { + $sub_count = 1; + } + } + + $subs = array(); + for ( $i = 0; $i < $sub_count; $i++ ) { + $subs[] = $this->gen_subclass(); + } + + return array( + 'type' => $has_type ? $this->gen_type_name( false ) : null, + 'subs' => array() === $subs ? null : $subs, + ); + } + + private function gen_type_name( bool $for_context ): string { + if ( $this->prng->chance( $for_context ? 25 : 12 ) ) { + return '*'; + } + $pool = $this->pools['tags'] ?? array(); + if ( array() !== $pool && $this->prng->chance( 70 ) ) { + $name = $this->prng->choice( $pool ); + return $this->prng->chance( 25 ) ? $this->random_case( $name ) : $name; + } + return $this->prng->choice( array( 'video', 'table', 'x-absent', 'object', 'span' ) ); + } + + private function gen_subclass(): array { + $kind = $this->prng->weighted( + array( + 'class' => 40, + 'id' => 25, + 'attr' => 35, + ) + ); + + switch ( $kind ) { + case 'class': + return array( + 'kind' => 'class', + 'name' => $this->pick_name( 'classes' ), + ); + case 'id': + return array( + 'kind' => 'id', + 'name' => $this->pick_name( 'ids' ), + ); + default: + return $this->gen_attr_selector(); + } + } + + private function gen_attr_selector(): array { + $name = $this->pick_name( 'attrNames' ); + + $matcher = $this->prng->weighted( + array( + '' => 25, + 'exact' => 20, + 'one-of' => 12, + 'exact-or-hyphen-suffixed' => 11, + 'prefixed' => 11, + 'suffixed' => 11, + 'contains' => 10, + ) + ); + $matcher = '' === $matcher ? null : $matcher; + + if ( null === $matcher ) { + return array( + 'kind' => 'attr', + 'name' => $name, + 'matcher' => null, + 'value' => null, + 'modifier' => null, + ); + } + + $modifier = $this->prng->weighted( + array( + '' => 70, + 'case-insensitive' => 18, + 'case-sensitive' => 12, + ) + ); + + return array( + 'kind' => 'attr', + 'name' => $name, + 'matcher' => $matcher, + 'value' => $this->gen_attr_value(), + 'modifier' => '' === $modifier ? null : $modifier, + ); + } + + private function gen_attr_value(): string { + $pool = $this->pools['attrValues'] ?? array(); + + $kind = $this->prng->weighted( + array( + 'pool' => 35, + 'pool-part' => 20, + 'pool-case' => 10, + 'empty' => 10, + 'word' => 15, + 'tricky' => 10, + ) + ); + + if ( in_array( $kind, array( 'pool', 'pool-part', 'pool-case' ), true ) && array() === $pool ) { + $kind = 'word'; + } + + switch ( $kind ) { + case 'pool': + return $this->prng->choice( $pool ); + + case 'pool-part': + $value = $this->prng->choice( $pool ); + if ( '' === $value ) { + return ''; + } + $points = utf8_codepoints( $value ); + $total = count( $points ); + $start = $this->prng->int( 0, max( 0, $total - 1 ) ); + $length = $this->prng->int( 1, $total - $start ); + $part = ''; + for ( $i = $start; $i < $start + $length; $i++ ) { + $part .= $points[ $i ][0]; + } + return $part; + + case 'pool-case': + return $this->random_case( $this->prng->choice( $pool ) ); + + case 'empty': + return ''; + + case 'word': + return $this->prng->choice( array( 'alpha', 'beta9', 'value', 'main-item', 'Z', 'i', 's', 'one two', 'x-y-z' ) ); + + case 'tricky': + default: + return $this->prng->choice( + array( + 'a b', + " lead", + "trail ", + "tab\there", + "line\nbreak", + 'quote"inside', + "apos'inside", + 'back\\slash', + '-', + '--', + '0digit', + 'ünïcode', + ) + ); + } + } + + private function pick_name( string $pool_key ): string { + $pool = $this->pools[ $pool_key ] ?? array(); + if ( array() !== $pool && $this->prng->chance( 65 ) ) { + $name = $this->prng->choice( $pool ); + if ( '' !== $name && $this->prng->chance( 20 ) ) { + $name = $this->random_case( $name ); + } + if ( '' !== $name ) { + return $name; + } + } + return $this->prng->choice( + array( + 'absent', + 'no-such-thing', + 'x', + '-lead', + '--double', + '_under', + 'Ünïcode', + 'with space', + '9starts-with-digit', + '-9hyphen-digit', + 'mixedCase', + ) + ); + } + + /* + * --------- + * Rendering + * --------- + */ + + private function render_complex_list( array $list ): string { + $bits = array(); + foreach ( $list as $complex ) { + $bits[] = $this->render_complex( $complex ); + } + + $out = $this->maybe_ws( 25 ); + foreach ( $bits as $i => $bit ) { + if ( $i > 0 ) { + $out .= $this->maybe_ws( 40 ) . ',' . $this->maybe_ws( 60 ); + } + $out .= $bit; + } + return $out . $this->maybe_ws( 25 ); + } + + private function render_complex( array $complex ): string { + $out = ''; + // Context selectors are stored right-to-left; render left-to-right. + $reversed = array_reverse( $complex['context'] ); + foreach ( $reversed as $pair ) { + list( $type, $combinator ) = $pair; + $out .= '*' === $type ? '*' : $this->render_ident( $type ); + if ( '>' === $combinator ) { + $out .= $this->maybe_ws( 50 ) . '>' . $this->maybe_ws( 50 ); + } else { + $out .= $this->ws(); + } + } + return $out . $this->render_compound( $complex['self'] ); + } + + private function render_compound( array $compound ): string { + $out = ''; + if ( null !== $compound['type'] ) { + $out .= '*' === $compound['type'] ? '*' : $this->render_ident( $compound['type'] ); + } + foreach ( (array) $compound['subs'] as $sub ) { + switch ( $sub['kind'] ) { + case 'class': + $out .= '.' . $this->render_ident( $sub['name'] ); + break; + case 'id': + $out .= '#' . $this->render_ident( $sub['name'] ); + break; + case 'attr': + $out .= $this->render_attr_selector( $sub ); + break; + } + } + return $out; + } + + private function render_attr_selector( array $sub ): string { + $out = '[' . $this->maybe_ws( 20 ) . $this->render_ident( $sub['name'] ) . $this->maybe_ws( 20 ); + + if ( null === $sub['matcher'] ) { + return $out . ']'; + } + + $matcher_strings = array( + 'exact' => '=', + 'one-of' => '~=', + 'exact-or-hyphen-suffixed' => '|=', + 'prefixed' => '^=', + 'suffixed' => '$=', + 'contains' => '*=', + ); + $out .= $matcher_strings[ $sub['matcher'] ] . $this->maybe_ws( 25 ); + + $value = $sub['value']; + $value_as_ident = '' !== $value && $this->can_render_as_ident( $value ) && $this->prng->chance( 45 ); + if ( $value_as_ident ) { + $out .= $this->render_ident( $value ); + } else { + $out .= $this->render_string( $value ); + } + + if ( null !== $sub['modifier'] ) { + // After an ident value, whitespace is mandatory before the modifier. + $out .= $value_as_ident ? $this->ws() : $this->maybe_ws( 60 ); + + if ( 'case-insensitive' === $sub['modifier'] ) { + $out .= $this->prng->chance( 70 ) ? 'i' : 'I'; + } else { + $out .= $this->prng->chance( 70 ) ? 's' : 'S'; + } + } + + return $out . $this->maybe_ws( 25 ) . ']'; + } + + /** + * Whether a value contains only codepoints this renderer is willing to + * put in an ident token (everything can be escaped, but a value ending + * in whitespace as an ident is fragile to read — strings handle those). + */ + private function can_render_as_ident( string $value ): bool { + return '' !== $value; + } + + /** + * Renders a name as a CSS ident token, escaping wherever required and + * sometimes where merely allowed. Parsing the result must yield $name. + */ + private function render_ident( string $name ): string { + $points = utf8_codepoints( $name ); + $count = count( $points ); + $out = ''; + + foreach ( $points as $i => $point ) { + list( $char, $cp ) = $point; + + $is_digit = $cp >= 0x30 && $cp <= 0x39; + $is_ident_char = ( + '-' === $char || + '_' === $char || + $is_digit || + ( $cp >= 0x41 && $cp <= 0x5A ) || + ( $cp >= 0x61 && $cp <= 0x7A ) || + $cp > 0x7F + ); + + $must_escape = ! $is_ident_char + || ( 0 === $i && $is_digit ) + || ( 1 === $i && '-' === $points[0][0] && $is_digit ) + || ( 1 === $count && '-' === $char ); + + if ( $must_escape || $this->prng->chance( 8 ) ) { + $out .= $this->render_escape( $char, $cp ); + } else { + $out .= $char; + } + } + + return $out; + } + + /** + * Renders one codepoint as a CSS escape sequence that decodes back to it. + */ + private function render_escape( string $char, int $cp ): string { + $is_hex_digit = ( $cp >= 0x30 && $cp <= 0x39 ) + || ( $cp >= 0x41 && $cp <= 0x46 ) + || ( $cp >= 0x61 && $cp <= 0x66 ); + $is_newline_like = "\n" === $char || "\r" === $char || "\f" === $char; + + /* + * Identity escapes are only safe for single-byte chars that are not + * hex digits (they would start a hex escape) and not newlines + * (backslash-newline is not a valid escape). + */ + $identity_ok = ! $is_hex_digit && ! $is_newline_like && $cp >= 0x20; + + if ( $identity_ok && $this->prng->chance( 35 ) ) { + return '\\' . $char; + } + + $hex = dechex( $cp ); + if ( $this->prng->chance( 25 ) && strlen( $hex ) < 6 ) { + $hex = str_pad( $hex, $this->prng->int( strlen( $hex ), 6 ), '0', STR_PAD_LEFT ); + } + if ( $this->prng->chance( 30 ) ) { + $hex = strtoupper( $hex ); + } + + // The trailing space is always emitted; it is consumed by the escape. + return '\\' . $hex . ' '; + } + + /** + * Renders a value as a CSS string token. Parsing must yield $value. + */ + private function render_string( string $value ): string { + $quote = $this->prng->chance( 60 ) ? '"' : "'"; + $out = $quote; + $points = utf8_codepoints( $value ); + + foreach ( $points as $point ) { + list( $char, $cp ) = $point; + + if ( "\n" === $char || "\r" === $char || "\f" === $char ) { + // Literal newlines end (break) the string; always hex-escape. + $out .= '\\' . dechex( $cp ) . ' '; + continue; + } + if ( $char === $quote || '\\' === $char ) { + $out .= $this->prng->chance( 60 ) ? '\\' . $char : '\\' . dechex( $cp ) . ' '; + continue; + } + if ( $this->prng->chance( 5 ) ) { + $out .= $this->render_escape( $char, $cp ); + continue; + } + $out .= $char; + } + + // Rarely add a backslash-newline line continuation (decodes to nothing). + if ( $this->prng->chance( 4 ) ) { + $out .= "\\\n"; + } + + return $out . $quote; + } + + private function ws(): string { + $options = array( ' ', ' ', ' ', "\t", "\n", "\f", "\r", ' ', " \t " ); + return $this->prng->choice( $options ); + } + + private function maybe_ws( int $percent ): string { + return $this->prng->chance( $percent ) ? $this->ws() : ''; + } + + private function random_case( string $input ): string { + $out = ''; + for ( $i = 0; $i < strlen( $input ); $i++ ) { + $c = $input[ $i ]; + $out .= $this->prng->chance( 50 ) ? strtoupper( $c ) : strtolower( $c ); + } + return $out; + } + + /* + * ------------------- + * Unsupported selectors + * ------------------- + */ + + private function gen_unsupported(): string { + $kind = $this->prng->weighted( + array( + 'pseudo-class' => 25, + 'pseudo-element' => 15, + 'sibling-combinator' => 20, + 'column-combinator' => 8, + 'namespace-type' => 12, + 'namespace-attr' => 8, + 'non-type-context' => 12, + ) + ); + + switch ( $kind ) { + case 'pseudo-class': + $pseudo = $this->prng->choice( + array( + ':hover', + ':focus', + ':first-child', + ':last-child', + ':nth-child(2n+1)', + ':nth-of-type(3)', + ':not(.excluded)', + ':is(div, span)', + ':where(*)', + ':root', + ':empty', + ':checked', + ':lang(en)', + ':has(> img)', + ) + ); + return $this->render_compound( $this->gen_compound() ) . $pseudo; + + case 'pseudo-element': + $pseudo = $this->prng->choice( array( '::before', '::after', '::first-line', '::first-letter', '::marker', '::placeholder' ) ); + return $this->render_compound( $this->gen_compound() ) . $pseudo; + + case 'sibling-combinator': + $combinator = $this->prng->choice( array( '+', '~' ) ); + return $this->render_compound( $this->gen_compound() ) + . $this->maybe_ws( 60 ) . $combinator . $this->maybe_ws( 60 ) + . $this->render_compound( $this->gen_compound() ); + + case 'column-combinator': + return $this->gen_type_name( true ) + . $this->maybe_ws( 50 ) . '||' . $this->maybe_ws( 50 ) + . $this->gen_type_name( true ); + + case 'namespace-type': + $ns = $this->prng->choice( array( 'svg', 'html', '*', '' ) ); + return $ns . '|' . $this->prng->choice( array( 'title', 'a', 'circle', 'div' ) ); + + case 'namespace-attr': + // `[ns|name]` — must not be confused with the `|=` matcher, + // so the char after `|` must not be `=`. + $ns = $this->prng->choice( array( 'xlink', 'svg', 'xml' ) ); + return '[' . $ns . '|href]'; + + case 'non-type-context': + default: + // A context selector that is not a bare type selector. + $context = $this->prng->choice( array( '.ctx', '#ctx', '[ctx]', 'div.ctx', 'div#ctx', 'div[ctx]', '*.ctx' ) ); + $joiner = $this->prng->chance( 50 ) + ? $this->ws() + : $this->maybe_ws( 50 ) . '>' . $this->maybe_ws( 50 ); + return $context . $joiner . $this->render_compound( $this->gen_compound() ); + } + } + + /* + * ----------------- + * Invalid selectors + * ----------------- + */ + + private function gen_invalid(): string { + $kind = $this->prng->weighted( + array( + 'template' => 45, + 'trailing-garbage' => 25, + 'leading-garbage' => 15, + 'comma-trouble' => 15, + ) + ); + + switch ( $kind ) { + case 'template': + return $this->prng->choice( + array( + '', + ' ', + "\t\n\f ", + '.', + '#', + '[', + ']', + '[]', + '[ ]', + '.5x', + '#5', + '. x', + '..a', + '.#a', + '[a', + '[a=', + '[a=]', + '[=b]', + '[a==b]', + '[a~b]', + '[a!=b]', + '[a=b', + '[a="b]', + "[a='b]", + "[a=\"b\nc\"]", + '[a=b x]', + '[a=b ix]', + '[a=b i', + '[5=b]', + 'a >', + '> a', + 'a > > b', + 'a >> b', + '>', + '-', + '\\', + "a\\\nb", + 'a/**/b', + '/* comment */ a', + '!important', + '@media screen', + '{}', + ';', + 'a;b', + 'a{color:red}', + '()', + 'a()', + '*5', + '%', + 'a%', + ) + ); + + case 'trailing-garbage': + $garbage = $this->prng->choice( array( ':', '(', ')', '{', '}', ';', '!', '@', '%', '/', '=', '|', '^', '$' ) ); + return $this->render_compound( $this->gen_compound() ) . $garbage; + + case 'leading-garbage': + $garbage = $this->prng->choice( array( '%', ';', ')', '}', '=', '~', '+', '/', ',' ) ); + return $garbage . $this->render_compound( $this->gen_compound() ); + + case 'comma-trouble': + default: + $compound = $this->render_compound( $this->gen_compound() ); + return $this->prng->choice( + array( + $compound . ',', + ',' . $compound, + $compound . ',,' . $compound, + $compound . ', ,' . $compound, + $compound . ' , ', + ) + ); + } + } + + /* + * ----- + * Chaos + * ----- + */ + + private function gen_chaos(): string { + $alphabets = array( + 'css' => '.#[]=~|^$*>+,:()"\'\\ \t\n-_', + 'ident' => 'abcXYZ019-_', + 'mixed' => '.#[]=~|^$*>+,:()"\'\\ abcXYZ019-_iIsS', + 'unicode' => '✓Ωé🙂', + ); + + $alphabet = $alphabets[ $this->prng->weighted( + array( + 'css' => 25, + 'ident' => 15, + 'mixed' => 45, + 'unicode' => 15, + ) + ) ]; + + if ( 'unicode' === $alphabet ) { + $points = utf8_codepoints( $alphabet . '.#[]= aZ9' ); + $length = $this->prng->int( 0, 24 ); + $out = ''; + for ( $i = 0; $i < $length; $i++ ) { + $out .= $this->prng->choice( $points )[0]; + } + return $out; + } + + $length = $this->prng->int( 0, 40 ); + $out = ''; + for ( $i = 0; $i < $length; $i++ ) { + $out .= $alphabet[ $this->prng->int( 0, strlen( $alphabet ) - 1 ) ]; + } + return $out; + } + + /* + * -------- + * Mutation + * -------- + */ + + private function mutate( string $selector ): string { + $mutation_count = $this->prng->int( 1, 4 ); + $alphabet = '.#[]=~|^$*>+,:()"\'\\ \t\niIsSabcXYZ019-_'; + + for ( $m = 0; $m < $mutation_count; $m++ ) { + $length = strlen( $selector ); + $kind = $this->prng->weighted( + array( + 'insert' => 30, + 'delete' => 25, + 'replace' => 25, + 'duplicate' => 10, + 'case-flip' => 10, + ) + ); + + switch ( $kind ) { + case 'insert': + $at = $this->prng->int( 0, $length ); + $char = $alphabet[ $this->prng->int( 0, strlen( $alphabet ) - 1 ) ]; + $selector = substr( $selector, 0, $at ) . $char . substr( $selector, $at ); + break; + + case 'delete': + if ( $length > 0 ) { + $at = $this->prng->int( 0, $length - 1 ); + $selector = substr( $selector, 0, $at ) . substr( $selector, $at + 1 ); + } + break; + + case 'replace': + if ( $length > 0 ) { + $at = $this->prng->int( 0, $length - 1 ); + $char = $alphabet[ $this->prng->int( 0, strlen( $alphabet ) - 1 ) ]; + $selector = substr( $selector, 0, $at ) . $char . substr( $selector, $at + 1 ); + } + break; + + case 'duplicate': + if ( $length > 0 ) { + $start = $this->prng->int( 0, $length - 1 ); + $span = $this->prng->int( 1, min( 6, $length - $start ) ); + $selector = substr( $selector, 0, $start + $span ) + . substr( $selector, $start, $span ) + . substr( $selector, $start + $span ); + } + break; + + case 'case-flip': + if ( $length > 0 ) { + $at = $this->prng->int( 0, $length - 1 ); + $char = $selector[ $at ]; + $flip = ctype_lower( $char ) ? strtoupper( $char ) : strtolower( $char ); + $selector = substr( $selector, 0, $at ) . $flip . substr( $selector, $at + 1 ); + } + break; + } + } + + return $selector; + } +} diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php new file mode 100644 index 0000000000000..bfa1ec2a580e2 --- /dev/null +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -0,0 +1,589 @@ +fork( 'document' ) ); + $selector = SelectorGenerator::generate( $prng->fork( 'selector' ), $document['pools'] ); + + $failures = array(); + $record = static function ( string $invariant, array $detail ) use ( &$failures ) { + $failures[] = array( + 'invariant' => $invariant, + 'detail' => $detail, + ); + }; + + self::check_document_model( $document, $record ); + + $selector_string = $selector['selector']; + + // --- Parse phase ------------------------------------------------- + + list( $compound_list, $compound_error ) = self::guard( + static function () use ( $selector_string ) { + return \WP_CSS_Compound_Selector_List::from_selectors( $selector_string ); + } + ); + list( $complex_list, $complex_error ) = self::guard( + static function () use ( $selector_string ) { + return \WP_CSS_Complex_Selector_List::from_selectors( $selector_string ); + } + ); + + if ( null !== $compound_error ) { + $record( 'parse-error', array( 'grammar' => 'compound', 'error' => self::describe_throwable( $compound_error ) ) ); + } + if ( null !== $complex_error ) { + $record( 'parse-error', array( 'grammar' => 'complex', 'error' => self::describe_throwable( $complex_error ) ) ); + } + + if ( null === $compound_error && null !== $selector['expectCompound'] && $selector['expectCompound'] !== ( null !== $compound_list ) ) { + $record( + 'parse-expectation', + array( + 'grammar' => 'compound', + 'expected' => $selector['expectCompound'] ? 'parse' : 'null', + 'actual' => null !== $compound_list ? 'parse' : 'null', + ) + ); + } + if ( null === $complex_error && null !== $selector['expectComplex'] && $selector['expectComplex'] !== ( null !== $complex_list ) ) { + $record( + 'parse-expectation', + array( + 'grammar' => 'complex', + 'expected' => $selector['expectComplex'] ? 'parse' : 'null', + 'actual' => null !== $complex_list ? 'parse' : 'null', + ) + ); + } + + if ( null !== $compound_list && null === $complex_list && null === $complex_error ) { + $record( 'compound-implies-complex', array() ); + } + + // Parse determinism: a second parse must agree with the first. + list( $compound_again, ) = self::guard( + static function () use ( $selector_string ) { + return \WP_CSS_Compound_Selector_List::from_selectors( $selector_string ); + } + ); + list( $complex_again, ) = self::guard( + static function () use ( $selector_string ) { + return \WP_CSS_Complex_Selector_List::from_selectors( $selector_string ); + } + ); + if ( ( null === $compound_list ) !== ( null === $compound_again ) || ( null === $complex_list ) !== ( null === $complex_again ) ) { + $record( 'parse-determinism', array( 'note' => 'null-ness changed between identical parses' ) ); + } + + // --- AST extraction ---------------------------------------------- + + $compound_ast = null; + $complex_ast = null; + + if ( null !== $compound_list ) { + list( $compound_ast, $shape_error ) = self::guard( + static function () use ( $compound_list ) { + return AstExtractor::from_compound_list( $compound_list ); + } + ); + if ( null !== $shape_error ) { + $record( 'ast-shape', array( 'grammar' => 'compound', 'error' => self::describe_throwable( $shape_error ) ) ); + } + } + if ( null !== $complex_list ) { + list( $complex_ast, $shape_error ) = self::guard( + static function () use ( $complex_list ) { + return AstExtractor::from_complex_list( $complex_list ); + } + ); + if ( null !== $shape_error ) { + $record( 'ast-shape', array( 'grammar' => 'complex', 'error' => self::describe_throwable( $shape_error ) ) ); + } + } + + if ( null !== $compound_ast && null !== $complex_ast && $compound_ast !== $complex_ast ) { + $record( + 'ast-cross-grammar', + array( + 'compoundAst' => $compound_ast, + 'complexAst' => $complex_ast, + ) + ); + } + + if ( null !== $selector['ast'] && null !== $complex_ast && $selector['ast'] !== $complex_ast ) { + $record( + 'ast-mismatch', + array( + 'generatedAst' => $selector['ast'], + 'parsedAst' => $complex_ast, + ) + ); + } + + // --- Match phase --------------------------------------------------- + + if ( null !== $complex_ast ) { + $expected = ReferenceMatcher::expected_html_processor_matches( $complex_ast, $document['model'], $document['quirks'] ); + self::check_select_matches( 'html', $selector_string, $document, $expected, $record ); + } elseif ( null === $complex_list && null === $complex_error ) { + self::check_select_rejection( 'html', $selector_string, $document, $record ); + } + + if ( null !== $compound_ast ) { + $expected = ReferenceMatcher::expected_tag_processor_matches( $compound_ast, $document['model'] ); + self::check_select_matches( 'tag', $selector_string, $document, $expected, $record ); + } elseif ( null === $compound_list && null === $compound_error ) { + self::check_select_rejection( 'tag', $selector_string, $document, $record ); + } + + $digest = sha1( + json_encode_safe( + array( + $selector_string, + $document['html'], + null !== $compound_list, + null !== $complex_list, + $compound_ast, + $complex_ast, + array_map( + static function ( $failure ) { + return $failure['invariant']; + }, + $failures + ), + ) + ) + ); + + return array( + 'seed' => $seed, + 'bucket' => $selector['bucket'], + 'digest' => $digest, + 'failures' => $failures, + 'selector' => $selector_string, + 'html' => $document['html'], + ); + } + + /** + * Verifies that both processors see exactly the modeled element list — + * this guards the oracle itself against renderer/model drift. + */ + private static function check_document_model( array $document, callable $record ): void { + $expected = array(); + foreach ( DocumentGenerator::flatten_with_ancestors( $document['model'] ) as $pair ) { + list( $element, $ancestors ) = $pair; + $expected[] = array( + strtoupper( ascii_strtolower( $element['tag'] ) ), + $element['fid'], + count( $ancestors ) + 1, + ); + } + + list( $actual, $error ) = self::guard( + static function () use ( $document ) { + $processor = \WP_HTML_Processor::create_full_parser( $document['html'] ); + $out = array(); + while ( $processor->next_tag() ) { + $fid = $processor->get_attribute( 'data-fid' ); + $out[] = array( + (string) $processor->get_tag(), + is_string( $fid ) ? $fid : '(missing)', + count( $processor->get_breadcrumbs() ), + ); + } + if ( null !== $processor->get_last_error() ) { + throw new \RuntimeException( 'Processor error: ' . $processor->get_last_error() ); + } + return $out; + } + ); + + if ( null !== $error ) { + $record( 'model-desync', array( 'processor' => 'html', 'error' => self::describe_throwable( $error ) ) ); + return; + } + + if ( $actual !== $expected ) { + $record( + 'model-desync', + array( + 'processor' => 'html', + 'expected' => $expected, + 'actual' => $actual, + ) + ); + } + + // The tag processor must see the same elements ( without breadcrumbs ). + $expected_tags = array(); + foreach ( $expected as $row ) { + $expected_tags[] = array( $row[0], $row[1] ); + } + + list( $actual_tags, $tag_error ) = self::guard( + static function () use ( $document ) { + $processor = new \WP_HTML_Tag_Processor( $document['html'] ); + $out = array(); + while ( $processor->next_tag() ) { + $fid = $processor->get_attribute( 'data-fid' ); + $out[] = array( + (string) $processor->get_tag(), + is_string( $fid ) ? $fid : '(missing)', + ); + } + return $out; + } + ); + + if ( null !== $tag_error ) { + $record( 'model-desync', array( 'processor' => 'tag', 'error' => self::describe_throwable( $tag_error ) ) ); + return; + } + + if ( $actual_tags !== $expected_tags ) { + $record( + 'model-desync', + array( + 'processor' => 'tag', + 'expected' => $expected_tags, + 'actual' => $actual_tags, + ) + ); + } + } + + /** + * Runs a select() loop on a parseable selector and compares the match set + * against the reference matcher. + * + * @param string $target 'html' or 'tag'. + */ + private static function check_select_matches( string $target, string $selector_string, array $document, array $expected, callable $record ): void { + Bootstrap::reset_doing_it_wrong(); + + list( $actual, $error ) = self::guard( + static function () use ( $target, $selector_string, $document ) { + $processor = 'html' === $target + ? \WP_HTML_Processor::create_full_parser( $document['html'] ) + : new \WP_HTML_Tag_Processor( $document['html'] ); + + $matches = array(); + $iterations = 0; + while ( $processor->select( $selector_string ) ) { + $fid = $processor->get_attribute( 'data-fid' ); + $matches[] = is_string( $fid ) ? $fid : '(missing-fid:' . $processor->get_tag() . ')'; + if ( ++$iterations > self::SELECT_ITERATION_LIMIT ) { + throw new \RuntimeException( 'select() did not terminate within the iteration limit.' ); + } + } + + if ( $processor instanceof \WP_HTML_Processor ) { + if ( null !== $processor->get_last_error() ) { + throw new \RuntimeException( 'Processor error state: ' . $processor->get_last_error() ); + } + if ( null !== $processor->get_unsupported_exception() ) { + throw new \RuntimeException( 'Processor unsupported state: ' . $processor->get_unsupported_exception()->getMessage() ); + } + } + + return $matches; + } + ); + + if ( null !== $error ) { + $record( + 'match-error', + array( + 'target' => $target, + 'error' => self::describe_throwable( $error ), + ) + ); + return; + } + + $doing_it_wrong = Bootstrap::doing_it_wrong_calls(); + if ( array() !== $doing_it_wrong ) { + $record( + 'doing-it-wrong-unexpected', + array( + 'target' => $target, + 'calls' => $doing_it_wrong, + ) + ); + } + + if ( $actual !== $expected ) { + $record( + 'match-mismatch-' . $target, + array( + 'expected' => $expected, + 'actual' => $actual, + ) + ); + } + } + + /** + * For unparseable selectors: select() must return false, leave the + * processor usable, and report misuse exactly once per call. + */ + private static function check_select_rejection( string $target, string $selector_string, array $document, callable $record ): void { + Bootstrap::reset_doing_it_wrong(); + + list( $results, $error ) = self::guard( + static function () use ( $target, $selector_string, $document ) { + $processor = 'html' === $target + ? \WP_HTML_Processor::create_full_parser( $document['html'] ) + : new \WP_HTML_Tag_Processor( $document['html'] ); + + // Two calls: the second exercises the parse cache. + return array( $processor->select( $selector_string ), $processor->select( $selector_string ) ); + } + ); + + if ( null !== $error ) { + $record( + 'match-error', + array( + 'target' => $target, + 'rejected' => true, + 'error' => self::describe_throwable( $error ), + ) + ); + return; + } + + if ( array( false, false ) !== $results ) { + $record( + 'select-on-null', + array( + 'target' => $target, + 'results' => $results, + ) + ); + } + + $doing_it_wrong = Bootstrap::doing_it_wrong_calls(); + if ( 2 !== count( $doing_it_wrong ) ) { + $record( + 'doing-it-wrong-missing', + array( + 'target' => $target, + 'expectedCalls' => 2, + 'calls' => $doing_it_wrong, + ) + ); + } + } + + /* + * ------------- + * Batch running + * ------------- + */ + + /** + * Runs a batch of sequential seeds. + * + * @return array Summary. + */ + public static function run_batch( array $options ): array { + Bootstrap::load(); + + $start_seed = option_int( $options, 'start-seed', 1 ); + $count = option_int( $options, 'count', 100 ); + $failures_out = option_string( $options, 'failures-out', null ); + $progress_file = option_string( $options, 'progress-file', null ); + $determinism_every = option_int( $options, 'determinism-every', 16 ); + $max_failures = option_int( $options, 'max-failures', 200 ); + + $started_at = microtime( true ); + $failures = 0; + $buckets = array(); + $signatures = array(); + $last_seed = null; + $stop_reason = 'completed'; + + for ( $seed = $start_seed; $seed < $start_seed + $count; $seed++ ) { + if ( $max_failures > 0 && $failures >= $max_failures ) { + $stop_reason = 'max-failures'; + break; + } + if ( null !== $progress_file ) { + file_put_contents( $progress_file, (string) $seed ); + } + + $result = self::run_case( $seed ); + + if ( $determinism_every > 0 && 0 === $seed % $determinism_every ) { + $repeat = self::run_case( $seed ); + if ( $repeat['digest'] !== $result['digest'] ) { + $result['failures'][] = array( + 'invariant' => 'case-determinism', + 'detail' => array( + 'firstDigest' => $result['digest'], + 'secondDigest' => $repeat['digest'], + ), + ); + } + } + + $buckets[ $result['bucket'] ] = ( $buckets[ $result['bucket'] ] ?? 0 ) + 1; + $last_seed = $seed; + + foreach ( $result['failures'] as $failure ) { + ++$failures; + $signature = self::signature( $failure ); + $signatures[ $signature ] = ( $signatures[ $signature ] ?? 0 ) + 1; + + $entry = array( + 'kind' => 'css-selector-fuzz-failure', + 'seed' => $result['seed'], + 'bucket' => $result['bucket'], + 'invariant' => $failure['invariant'], + 'signature' => $signature, + 'selector' => printable_bytes( $result['selector'] ), + 'selectorBase64' => base64_encode( $result['selector'] ), + 'htmlBase64' => base64_encode( $result['html'] ), + 'detail' => $failure['detail'], + ); + if ( null !== $failures_out ) { + append_ndjson( $failures_out, $entry ); + } else { + fwrite( STDERR, json_encode_safe( $entry ) . "\n" ); + } + } + } + + return array( + 'kind' => 'css-selector-fuzz-batch-summary', + 'startSeed' => $start_seed, + 'count' => $count, + 'lastSeed' => $last_seed, + 'failures' => $failures, + 'buckets' => $buckets, + 'signatures' => $signatures, + 'stopReason' => $stop_reason, + 'durationMs' => (int) round( 1000 * ( microtime( true ) - $started_at ) ), + ); + } + + /** Stable identity for de-duplicating equivalent failures. */ + private static function signature( array $failure ): string { + $parts = array( $failure['invariant'] ); + if ( isset( $failure['detail']['grammar'] ) ) { + $parts[] = $failure['detail']['grammar']; + } + if ( isset( $failure['detail']['target'] ) ) { + $parts[] = $failure['detail']['target']; + } + if ( isset( $failure['detail']['error']['class'] ) ) { + $parts[] = $failure['detail']['error']['class']; + $parts[] = preg_replace( '/[0-9]+/', 'N', (string) ( $failure['detail']['error']['message'] ?? '' ) ); + } + return substr( sha1( implode( '|', $parts ) ), 0, 12 ) . ':' . $failure['invariant']; + } + + /* + * ------- + * Helpers + * ------- + */ + + /** + * Calls $fn with PHP warnings/notices converted to exceptions. + * + * @return array{0: mixed, 1: \Throwable|null} + */ + private static function guard( callable $fn ): array { + set_error_handler( + static function ( $severity, $message, $file, $line ) { + if ( E_DEPRECATED === $severity || E_USER_DEPRECATED === $severity ) { + return true; + } + throw new \ErrorException( $message, 0, $severity, $file, $line ); + } + ); + try { + return array( $fn(), null ); + } catch ( \Throwable $e ) { + return array( null, $e ); + } finally { + restore_error_handler(); + } + } + + public static function describe_throwable( \Throwable $e ): array { + $root = repo_root() . DIRECTORY_SEPARATOR; + return array( + 'class' => get_class( $e ), + 'message' => $e->getMessage(), + 'at' => str_replace( $root, '', $e->getFile() ) . ':' . $e->getLine(), + 'trace' => array_slice( + array_map( + static function ( $frame ) use ( $root ) { + $location = isset( $frame['file'] ) + ? str_replace( $root, '', $frame['file'] ) . ':' . ( $frame['line'] ?? '?' ) + : '[internal]'; + $callable = ( $frame['class'] ?? '' ) . ( $frame['type'] ?? '' ) . ( $frame['function'] ?? '' ); + return $location . ' ' . $callable; + }, + $e->getTrace() + ), + 0, + 6 + ), + ); + } +} diff --git a/tools/css-selector-fuzz/lib/autoload.php b/tools/css-selector-fuzz/lib/autoload.php new file mode 100644 index 0000000000000..ffc0e572ed9c1 --- /dev/null +++ b/tools/css-selector-fuzz/lib/autoload.php @@ -0,0 +1,9 @@ + array() ); + $count = count( $argv ); + for ( $i = 1; $i < $count; $i++ ) { + $arg = $argv[ $i ]; + if ( 0 === strpos( $arg, '--' ) ) { + $name = substr( $arg, 2 ); + if ( false !== strpos( $name, '=' ) ) { + list( $name, $value ) = explode( '=', $name, 2 ); + $options[ $name ] = $value; + } elseif ( $i + 1 < $count && 0 !== strpos( $argv[ $i + 1 ], '--' ) ) { + $options[ $name ] = $argv[ ++$i ]; + } else { + $options[ $name ] = true; + } + } else { + $options['_'][] = $arg; + } + } + return $options; +} + +function option_string( array $options, string $name, ?string $default = null ): ?string { + if ( ! array_key_exists( $name, $options ) || true === $options[ $name ] ) { + return $default; + } + return (string) $options[ $name ]; +} + +function option_int( array $options, string $name, int $default ): int { + $value = option_string( $options, $name, null ); + return null === $value ? $default : (int) $value; +} + +function option_float( array $options, string $name, float $default ): float { + $value = option_string( $options, $name, null ); + return null === $value ? $default : (float) $value; +} + +function option_bool( array $options, string $name, bool $default ): bool { + if ( ! array_key_exists( $name, $options ) ) { + return $default; + } + $value = $options[ $name ]; + if ( true === $value ) { + return true; + } + return in_array( strtolower( (string) $value ), array( '1', 'true', 'yes', 'on' ), true ); +} + +function ensure_dir( string $dir ): void { + if ( ! is_dir( $dir ) && ! mkdir( $dir, 0777, true ) && ! is_dir( $dir ) ) { + throw new \RuntimeException( "Could not create directory: {$dir}" ); + } +} + +function json_encode_safe( $value ): string { + $encoded = json_encode( $value, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE ); + if ( false === $encoded ) { + $encoded = json_encode( array( 'jsonError' => json_last_error_msg() ) ); + } + return $encoded; +} + +function write_json_file( string $path, $value ): void { + file_put_contents( $path, json_encode_safe( $value ) . "\n" ); +} + +function read_json_file( string $path ): ?array { + if ( ! is_file( $path ) ) { + return null; + } + $decoded = json_decode( (string) file_get_contents( $path ), true ); + return is_array( $decoded ) ? $decoded : null; +} + +function append_ndjson( string $path, array $value ): void { + file_put_contents( $path, json_encode_safe( $value ) . "\n", FILE_APPEND | LOCK_EX ); +} + +function timestamp(): string { + return gmdate( 'Ymd-His' ); +} + +/** + * Renders bytes for human inspection: printable ASCII passes through, + * everything else becomes \xHH. + */ +function printable_bytes( string $bytes, int $max_length = 4096 ): string { + $out = ''; + $truncated = strlen( $bytes ) > $max_length; + $bytes = substr( $bytes, 0, $max_length ); + for ( $i = 0; $i < strlen( $bytes ); $i++ ) { + $c = $bytes[ $i ]; + $o = ord( $c ); + if ( $o >= 0x20 && $o <= 0x7E ) { + $out .= '\\' === $c ? '\\\\' : $c; + } else { + $out .= sprintf( '\\x%02X', $o ); + } + } + return $out . ( $truncated ? '…(truncated)' : '' ); +} + +function git_metadata(): array { + $head = trim( (string) shell_exec( 'git -C ' . escapeshellarg( repo_root() ) . ' rev-parse HEAD 2>/dev/null' ) ); + $branch = trim( (string) shell_exec( 'git -C ' . escapeshellarg( repo_root() ) . ' rev-parse --abbrev-ref HEAD 2>/dev/null' ) ); + return array( + 'head' => '' !== $head ? $head : null, + 'branch' => '' !== $branch ? $branch : null, + ); +} + +function ascii_strtolower( string $input ): string { + return strtr( $input, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz' ); +} + +/** + * Splits a valid UTF-8 string into codepoints. + * + * @return array Pairs of ( utf8 bytes, codepoint value ). + */ +function utf8_codepoints( string $input ): array { + $out = array(); + $len = strlen( $input ); + $i = 0; + while ( $i < $len ) { + $byte = ord( $input[ $i ] ); + if ( $byte < 0x80 ) { + $size = 1; + $cp = $byte; + } elseif ( 0xC0 === ( $byte & 0xE0 ) ) { + $size = 2; + $cp = $byte & 0x1F; + } elseif ( 0xE0 === ( $byte & 0xF0 ) ) { + $size = 3; + $cp = $byte & 0x0F; + } else { + $size = 4; + $cp = $byte & 0x07; + } + $size = min( $size, $len - $i ); + for ( $j = 1; $j < $size; $j++ ) { + $cp = ( $cp << 6 ) | ( ord( $input[ $i + $j ] ) & 0x3F ); + } + $out[] = array( substr( $input, $i, $size ), $cp ); + $i += $size; + } + return $out; +} diff --git a/tools/css-selector-fuzz/lib/wp-stubs.php b/tools/css-selector-fuzz/lib/wp-stubs.php new file mode 100644 index 0000000000000..ec9b154ee58d6 --- /dev/null +++ b/tools/css-selector-fuzz/lib/wp-stubs.php @@ -0,0 +1,62 @@ + (string) $function_name, + 'message' => (string) $message, + ); + } +} + +if ( ! function_exists( '_deprecated_argument' ) ) { + function _deprecated_argument( $function_name, $version, $message = '' ) { + } +} + +if ( ! function_exists( 'wp_trigger_error' ) ) { + function wp_trigger_error( $function_name, $message, $error_level = E_USER_NOTICE ) { + $GLOBALS['css_selector_fuzz_doing_it_wrong'][] = array( + 'function' => (string) $function_name, + 'message' => (string) $message, + ); + } +} + +if ( ! function_exists( 'wp_kses_uri_attributes' ) ) { + function wp_kses_uri_attributes() { + return array( + 'action', + 'archive', + 'background', + 'cite', + 'classid', + 'codebase', + 'data', + 'formaction', + 'href', + 'icon', + 'longdesc', + 'manifest', + 'poster', + 'profile', + 'src', + 'usemap', + 'xmlns', + ); + } +} diff --git a/tools/css-selector-fuzz/replay.php b/tools/css-selector-fuzz/replay.php new file mode 100644 index 0000000000000..38ffb8a43678e --- /dev/null +++ b/tools/css-selector-fuzz/replay.php @@ -0,0 +1,91 @@ +#!/usr/bin/env php + bar' [--html '
'] + */ + +require_once __DIR__ . '/lib/autoload.php'; + +use CssSelectorFuzz\Bootstrap; +use CssSelectorFuzz\Worker; +use function CssSelectorFuzz\json_encode_safe; +use function CssSelectorFuzz\option_bool; +use function CssSelectorFuzz\option_int; +use function CssSelectorFuzz\option_string; +use function CssSelectorFuzz\parse_cli_options; +use function CssSelectorFuzz\printable_bytes; + +$options = parse_cli_options( $argv ); + +$probe_selector = option_string( $options, 'selector', null ); +if ( null !== $probe_selector ) { + // Quick probe mode: parse a selector and report what the API does with it. + Bootstrap::load(); + + $compound = \WP_CSS_Compound_Selector_List::from_selectors( $probe_selector ); + $complex = \WP_CSS_Complex_Selector_List::from_selectors( $probe_selector ); + + $report = array( + 'selector' => printable_bytes( $probe_selector ), + 'compoundList' => null === $compound ? null : \CssSelectorFuzz\AstExtractor::from_compound_list( $compound ), + 'complexList' => null === $complex ? null : \CssSelectorFuzz\AstExtractor::from_complex_list( $complex ), + ); + + $html = option_string( $options, 'html', null ); + if ( null !== $html && null !== $complex ) { + $processor = \WP_HTML_Processor::create_full_parser( $html ); + $matches = array(); + while ( $processor->select( $probe_selector ) ) { + $matches[] = array( + 'tag' => $processor->get_tag(), + 'breadcrumbs' => $processor->get_breadcrumbs(), + ); + } + $report['htmlProcessorMatches'] = $matches; + } + + echo json_encode_safe( $report ) . "\n"; + exit( 0 ); +} + +$seed = option_int( $options, 'seed', -1 ); +if ( $seed < 0 ) { + echo "Usage: php tools/css-selector-fuzz/replay.php --seed N [--json] [--show-html]\n"; + echo " php tools/css-selector-fuzz/replay.php --selector 'div > .cls' [--html '
']\n"; + exit( 1 ); +} + +$result = Worker::run_case( $seed ); + +if ( option_bool( $options, 'json', false ) ) { + echo json_encode_safe( $result ) . "\n"; + exit( array() === $result['failures'] ? 0 : 2 ); +} + +echo "seed: {$result['seed']}\n"; +echo "bucket: {$result['bucket']}\n"; +echo 'selector: ' . printable_bytes( $result['selector'] ) . "\n"; +echo "digest: {$result['digest']}\n"; + +if ( option_bool( $options, 'show-html', false ) ) { + echo "html: " . printable_bytes( $result['html'] ) . "\n"; +} + +if ( array() === $result['failures'] ) { + echo "failures: none\n"; + exit( 0 ); +} + +echo 'failures: ' . count( $result['failures'] ) . "\n"; +foreach ( $result['failures'] as $i => $failure ) { + echo "--- failure {$i}: {$failure['invariant']} ---\n"; + echo json_encode_safe( $failure['detail'] ) . "\n"; +} +exit( 2 ); diff --git a/tools/css-selector-fuzz/runner.php b/tools/css-selector-fuzz/runner.php new file mode 100644 index 0000000000000..3dbdf0ee66cbe --- /dev/null +++ b/tools/css-selector-fuzz/runner.php @@ -0,0 +1,267 @@ +#!/usr/bin/env php + array( 'pipe', 'r' ), + 1 => array( 'pipe', 'w' ), + 2 => array( 'pipe', 'w' ), + ); + + $started = microtime( true ); + $proc = proc_open( $command, $descriptors, $pipes, repo_root() ); + if ( ! is_resource( $proc ) ) { + return array( + 'code' => null, + 'timedOut' => false, + 'stdout' => '', + 'stderr' => 'proc_open failed', + 'durationMs' => 0, + ); + } + + fclose( $pipes[0] ); + stream_set_blocking( $pipes[1], false ); + stream_set_blocking( $pipes[2], false ); + + $stdout = ''; + $stderr = ''; + $timed_out = false; + $deadline = $started + $timeout_ms / 1000; + + while ( true ) { + $status = proc_get_status( $proc ); + $stdout .= (string) stream_get_contents( $pipes[1] ); + $stderr .= (string) stream_get_contents( $pipes[2] ); + + if ( ! $status['running'] ) { + $code = $status['exitcode']; + break; + } + if ( microtime( true ) > $deadline ) { + $timed_out = true; + proc_terminate( $proc, 9 ); + $code = null; + break; + } + usleep( 10000 ); + } + + $stdout .= (string) stream_get_contents( $pipes[1] ); + $stderr .= (string) stream_get_contents( $pipes[2] ); + fclose( $pipes[1] ); + fclose( $pipes[2] ); + proc_close( $proc ); + + return array( + 'code' => $code, + 'timedOut' => $timed_out, + 'stdout' => $stdout, + 'stderr' => $stderr, + 'durationMs' => (int) round( 1000 * ( microtime( true ) - $started ) ), + ); +} + +/** Extracts the batch summary from worker stdout, or null. */ +function css_selector_fuzz_worker_summary( string $stdout ): ?array { + foreach ( array_reverse( explode( "\n", trim( $stdout ) ) ) as $line ) { + $decoded = json_decode( $line, true ); + if ( is_array( $decoded ) && 'css-selector-fuzz-batch-summary' === ( $decoded['kind'] ?? null ) ) { + return $decoded; + } + } + return null; +} + +$options = parse_cli_options( $argv ); +if ( option_bool( $options, 'help', false ) || option_bool( $options, 'h', false ) ) { + echo "Usage: php tools/css-selector-fuzz/runner.php [--start-seed N] [--max-seeds N] [--duration-seconds N] [--chunk-size N] [--timeout-ms N] [--output-dir DIR] [--stop-on-failure]\n"; + exit( 0 ); +} + +$start_seed = option_int( $options, 'start-seed', 1 ); +$max_seeds = option_int( $options, 'max-seeds', 1000 ); +$duration_seconds = option_int( $options, 'duration-seconds', 120 ); +$chunk_size = max( 1, option_int( $options, 'chunk-size', 200 ) ); +$timeout_ms = option_int( $options, 'timeout-ms', 0 ); +$stop_on_failure = option_bool( $options, 'stop-on-failure', false ); +$output_dir = option_string( $options, 'output-dir', repo_root() . '/artifacts/css-selector-fuzz/run-' . timestamp() ); + +if ( $max_seeds < 1 ) { + fwrite( STDERR, "--max-seeds must be at least 1; refusing to run unbounded.\n" ); + exit( 1 ); +} +if ( 0 === $timeout_ms ) { + // Generous per-chunk budget: ~50ms per case plus startup. + $timeout_ms = $chunk_size * 50 + 10000; +} + +ensure_dir( $output_dir ); +$failures_path = $output_dir . '/failures.ndjson'; +$state_path = $output_dir . '/state.json'; +$worker_script = __DIR__ . '/worker.php'; + +$state = array( + 'kind' => 'css-selector-fuzz-runner-state', + 'startedAt' => gmdate( 'c' ), + 'updatedAt' => gmdate( 'c' ), + 'git' => git_metadata(), + 'phpVersion' => PHP_VERSION, + 'outputDir' => $output_dir, + 'startSeed' => $start_seed, + 'maxSeeds' => $max_seeds, + 'durationSeconds' => $duration_seconds, + 'chunkSize' => $chunk_size, + 'casesCompleted' => 0, + 'failures' => 0, + 'crashes' => 0, + 'buckets' => array(), + 'signatures' => array(), + 'nextSeed' => $start_seed, + 'stopReason' => null, +); +write_json_file( $state_path, $state ); + +$deadline = $duration_seconds > 0 ? microtime( true ) + $duration_seconds : null; +$seed = $start_seed; +$end_seed = $start_seed + $max_seeds; + +while ( $seed < $end_seed ) { + if ( null !== $deadline && microtime( true ) > $deadline ) { + $state['stopReason'] = 'duration-elapsed'; + break; + } + + $count = min( $chunk_size, $end_seed - $seed ); + $args = array( + $worker_script, + '--start-seed', + (string) $seed, + '--count', + (string) $count, + '--failures-out', + $failures_path, + '--progress-file', + $output_dir . '/progress.txt', + ); + + $proc = css_selector_fuzz_run_php( $args, $timeout_ms ); + $summary = css_selector_fuzz_worker_summary( $proc['stdout'] ); + + if ( null === $summary ) { + /* + * The worker crashed, hung, or died fatally. Re-run each seed of the + * chunk in its own process to attribute the crash. + */ + fwrite( STDERR, "chunk seed={$seed} count={$count}: worker crashed/hung; isolating…\n" ); + for ( $isolated = $seed; $isolated < $seed + $count; $isolated++ ) { + $single = css_selector_fuzz_run_php( + array( + $worker_script, + '--start-seed', + (string) $isolated, + '--count', + '1', + '--failures-out', + $failures_path, + '--determinism-every', + '0', + ), + max( 5000, (int) ( $timeout_ms / $count ) + 5000 ) + ); + $single_summary = css_selector_fuzz_worker_summary( $single['stdout'] ); + if ( null === $single_summary ) { + ++$state['crashes']; + ++$state['failures']; + append_ndjson( + $failures_path, + array( + 'kind' => 'css-selector-fuzz-failure', + 'seed' => $isolated, + 'invariant' => $single['timedOut'] ? 'worker-timeout' : 'worker-crash', + 'signature' => $single['timedOut'] ? 'worker-timeout' : 'worker-crash', + 'exitCode' => $single['code'], + 'stderrTail' => substr( $single['stderr'], -2000 ), + ) + ); + $key = $single['timedOut'] ? 'worker-timeout' : 'worker-crash'; + $state['signatures'][ $key ] = ( $state['signatures'][ $key ] ?? 0 ) + 1; + } else { + ++$state['casesCompleted']; + $state['failures'] += $single_summary['failures']; + foreach ( $single_summary['signatures'] as $signature => $signature_count ) { + $state['signatures'][ $signature ] = ( $state['signatures'][ $signature ] ?? 0 ) + $signature_count; + } + } + } + } else { + $state['casesCompleted'] += array_sum( $summary['buckets'] ); + $state['failures'] += $summary['failures']; + foreach ( $summary['buckets'] as $bucket => $bucket_count ) { + $state['buckets'][ $bucket ] = ( $state['buckets'][ $bucket ] ?? 0 ) + $bucket_count; + } + foreach ( $summary['signatures'] as $signature => $signature_count ) { + $state['signatures'][ $signature ] = ( $state['signatures'][ $signature ] ?? 0 ) + $signature_count; + } + } + + $seed += $count; + $state['nextSeed'] = $seed; + $state['updatedAt'] = gmdate( 'c' ); + write_json_file( $state_path, $state ); + + if ( $stop_on_failure && $state['failures'] > 0 ) { + $state['stopReason'] = 'stop-on-failure'; + break; + } +} + +if ( null === $state['stopReason'] ) { + $state['stopReason'] = 'max-seeds'; +} +$state['updatedAt'] = gmdate( 'c' ); +write_json_file( $state_path, $state ); + +echo json_encode_safe( $state ) . "\n"; +exit( 0 === $state['failures'] ? 0 : 2 ); diff --git a/tools/css-selector-fuzz/tests/self-check.php b/tools/css-selector-fuzz/tests/self-check.php new file mode 100644 index 0000000000000..e92cc3ecd3f7c --- /dev/null +++ b/tools/css-selector-fuzz/tests/self-check.php @@ -0,0 +1,131 @@ +#!/usr/bin/env php +bytes( 64 ) === $b->bytes( 64 ), 'Identical seeds produce identical streams.' ); + +$c = new Prng( '42', 'label' ); +$d = new Prng( '43', 'label' ); +check( $c->bytes( 64 ) !== $d->bytes( 64 ), 'Different seeds produce different streams.' ); + +$e = new Prng( '42', 'fork-test' ); +$f = new Prng( '42', 'fork-test' ); +$fork1 = $e->fork( 'x' ); +$fork2 = $f->fork( 'x' ); +check( $fork1->bytes( 32 ) === $fork2->bytes( 32 ), 'Forked streams are deterministic.' ); + +// --- utf8_codepoints -------------------------------------------------------- + +$points = utf8_codepoints( "a\u{E9}\u{1F600}" ); +check( 3 === count( $points ), 'utf8_codepoints splits into 3 codepoints.' ); +check( 0x61 === $points[0][1] && 0xE9 === $points[1][1] && 0x1F600 === $points[2][1], 'utf8_codepoints decodes values.' ); + +// --- Document generator: model matches parse for many seeds --------------- +// ( Worker::run_case checks this per case as model-desync; here only a couple +// of seeds are sampled for a fast signal. ) + +for ( $seed = 1; $seed <= 3; $seed++ ) { + $document = DocumentGenerator::generate( new Prng( (string) $seed, 'self-check-doc' ) ); + check( is_string( $document['html'] ) && '' !== $document['html'], "Document {$seed} renders." ); + check( str_contains( $document['html'], 'data-fid' ) || false !== strpos( $document['html'], 'data-fid' ), "Document {$seed} has fids." ); +} + +// --- Selector generator expectations over many seeds ----------------------- + +$by_bucket = array(); +for ( $seed = 1; $seed <= 400; $seed++ ) { + $prng = new Prng( (string) $seed, 'self-check-selector' ); + $document = DocumentGenerator::generate( $prng->fork( 'doc' ) ); + $selector = SelectorGenerator::generate( $prng->fork( 'sel' ), $document['pools'] ); + + $by_bucket[ $selector['bucket'] ] = ( $by_bucket[ $selector['bucket'] ] ?? 0 ) + 1; + + $compound = WP_CSS_Compound_Selector_List::from_selectors( $selector['selector'] ); + $complex = WP_CSS_Complex_Selector_List::from_selectors( $selector['selector'] ); + + if ( null !== $selector['expectCompound'] ) { + check( + $selector['expectCompound'] === ( null !== $compound ), + "Seed {$seed} ({$selector['bucket']}): compound parse expectation for: " . \CssSelectorFuzz\printable_bytes( $selector['selector'] ) + ); + } + if ( null !== $selector['expectComplex'] ) { + check( + $selector['expectComplex'] === ( null !== $complex ), + "Seed {$seed} ({$selector['bucket']}): complex parse expectation for: " . \CssSelectorFuzz\printable_bytes( $selector['selector'] ) + ); + } +} + +check( count( $by_bucket ) >= 5, 'Bucket variety: saw ' . count( $by_bucket ) . ' buckets.' ); + +// --- Known-answer matching cases ------------------------------------------- + +$known_html = '' + . '
' + . '
' + . ''; + +function select_fids( string $html, string $selector ): array { + $processor = WP_HTML_Processor::create_full_parser( $html ); + $out = array(); + while ( $processor->select( $selector ) ) { + $out[] = $processor->get_attribute( 'data-fid' ); + } + return $out; +} + +check( array( 'e4' ) === select_fids( $known_html, '#x' ), 'Known: #x.' ); +check( array( 'e3', 'e4' ) === select_fids( $known_html, '.b' ), 'Known: .b.' ); +check( array( 'e4' ) === select_fids( $known_html, 'div > span.b' ), 'Known: div > span.b.' ); +check( array( 'e7' ) === select_fids( $known_html, 'section em' ), 'Known: section em.' ); +check( array() === select_fids( $known_html, 'section > em' ), 'Known: section > em matches nothing.' ); +check( array( 'e4' ) === select_fids( $known_html, '[data-v|="hello"]' ), 'Known: [data-v|=hello].' ); +check( array( 'e7' ) === select_fids( $known_html, '[lang^="en"]' ), 'Known: [lang^=en].' ); + +// --- Worker end-to-end on a few seeds --------------------------------------- + +for ( $seed = 1; $seed <= 5; $seed++ ) { + $first = Worker::run_case( $seed ); + $second = Worker::run_case( $seed ); + check( $first['digest'] === $second['digest'], "Seed {$seed}: case digest is deterministic." ); +} + +if ( 0 === $failures ) { + echo "self-check OK\n"; + exit( 0 ); +} +echo "self-check FAILED: {$failures} failure(s)\n"; +exit( 1 ); diff --git a/tools/css-selector-fuzz/worker.php b/tools/css-selector-fuzz/worker.php new file mode 100644 index 0000000000000..bdcde442aa943 --- /dev/null +++ b/tools/css-selector-fuzz/worker.php @@ -0,0 +1,34 @@ +#!/usr/bin/env php + 'css-selector-fuzz-worker-fatal', + 'error' => \CssSelectorFuzz\Worker::describe_throwable( $e ), + ) + ) . "\n" + ); + exit( 1 ); +} From d01451c0f1584663881435fbe13b2e9b3dbbc175 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 13:00:32 +0200 Subject: [PATCH 157/187] CSS selector fuzz: add metamorphic invariants Oracle-free relations checked on every otherwise-clean case whose selector parses: meaning-preserving transforms (re-render with aggressive no-op escapes, type-name case fold, subclass reorder, explicit universal, list-branch duplication) must keep the select() match set byte-identical, and AST-preserving transforms must parse to exactly the transformed AST. Validated two ways: against core with the three FINDINGS.md fixes applied, 1000 seeds run clean; against unpatched core the transforms independently re-find Bug 1 (identity escapes after multibyte) and Bug 3 (off-by-one length guard) without consulting the reference matcher. ASTs containing invalid UTF-8 (parseable chaos/mutated inputs pass raw bytes through into AST names) are excluded: the renderer can only round-trip valid UTF-8. --- tools/css-selector-fuzz/README.md | 9 + tools/css-selector-fuzz/lib/Metamorph.php | 165 ++++++++++++++++++ .../lib/SelectorGenerator.php | 15 +- tools/css-selector-fuzz/lib/Worker.php | 160 +++++++++++++++-- tools/css-selector-fuzz/lib/autoload.php | 1 + 5 files changed, 337 insertions(+), 13 deletions(-) create mode 100644 tools/css-selector-fuzz/lib/Metamorph.php diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index 03c2c51d654f7..291bec6cab6f9 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -37,6 +37,15 @@ produces the same document, the same selector, and the same verdict. `_doing_it_wrong` fires exactly once per call (also via the parse cache), and the processor remains usable. - The processor ends with no `get_last_error()`/unsupported state. + - Metamorphic relations (oracle-free, run on otherwise-clean cases whose + selector parsed): meaning-preserving transforms of the selector must + select exactly the same elements as the original, and AST-preserving + transforms must parse to exactly the transformed AST. Transforms: + re-render with fresh whitespace/quoting and aggressive no-op escapes, + ASCII-case-fold of type names, subclass reordering within a compound, + explicit `*` for an omitted type, and selector-list branch duplication. + Skipped for ASTs containing invalid UTF-8 (reachable only from + chaos/mutated inputs), which the renderer cannot round-trip. - Repeating a case yields a byte-identical result digest (determinism). ## Usage diff --git a/tools/css-selector-fuzz/lib/Metamorph.php b/tools/css-selector-fuzz/lib/Metamorph.php new file mode 100644 index 0000000000000..017b65fdd09f5 --- /dev/null +++ b/tools/css-selector-fuzz/lib/Metamorph.php @@ -0,0 +1,165 @@ + + */ + public static function variants( array $list_ast, Prng $prng ): array { + /* + * The WP parser passes raw bytes through: a selector that is not + * valid UTF-8 yields AST names that are not valid UTF-8 (it does + * not substitute U+FFFD). The renderer can only round-trip valid + * UTF-8 names, so such ASTs (only reachable from chaos/mutated + * inputs) are not transformable. + */ + if ( ! self::ast_strings_are_utf8( $list_ast ) ) { + return array(); + } + + $out = array(); + + $out[] = array( + 'name' => 'rerender', + 'selector' => SelectorGenerator::render( $prng->fork( 'rerender' ), $list_ast, true ), + 'ast' => $list_ast, + 'astMustMatch' => true, + ); + + $typecase = self::map_types( + $list_ast, + static function ( string $type ) use ( $prng ): string { + if ( '*' === $type ) { + return $type; + } + $out = ''; + for ( $i = 0; $i < strlen( $type ); $i++ ) { + $c = $type[ $i ]; + $out .= $prng->chance( 50 ) ? strtoupper( $c ) : strtolower( $c ); + } + return $out; + } + ); + if ( $typecase !== $list_ast ) { + $out[] = array( + 'name' => 'typecase', + 'selector' => SelectorGenerator::render( $prng->fork( 'typecase' ), $typecase ), + 'ast' => $typecase, + 'astMustMatch' => true, + ); + } + + $reordered = self::rotate_subs( $list_ast ); + if ( $reordered !== $list_ast ) { + $out[] = array( + 'name' => 'subs-reorder', + 'selector' => SelectorGenerator::render( $prng->fork( 'subs-reorder' ), $reordered ), + 'ast' => $reordered, + 'astMustMatch' => true, + ); + } + + $universal = self::explicit_universal( $list_ast ); + if ( $universal !== $list_ast ) { + $out[] = array( + 'name' => 'universal', + 'selector' => SelectorGenerator::render( $prng->fork( 'universal' ), $universal ), + 'ast' => $universal, + 'astMustMatch' => true, + ); + } + + $duplicated = $list_ast; + $duplicated[] = $list_ast[ $prng->int( 0, count( $list_ast ) - 1 ) ]; + $out[] = array( + 'name' => 'dup-branch', + 'selector' => SelectorGenerator::render( $prng->fork( 'dup-branch' ), $duplicated ), + 'ast' => $duplicated, + 'astMustMatch' => true, + ); + + return $out; + } + + /** Whether every string anywhere in the AST is valid UTF-8. */ + private static function ast_strings_are_utf8( $node ): bool { + if ( is_string( $node ) ) { + return (bool) preg_match( '//u', $node ); + } + if ( is_array( $node ) ) { + foreach ( $node as $child ) { + if ( ! self::ast_strings_are_utf8( $child ) ) { + return false; + } + } + } + return true; + } + + /** Applies $fn to every type-selector name: compound types and context types. */ + private static function map_types( array $list_ast, callable $fn ): array { + foreach ( $list_ast as &$complex ) { + foreach ( $complex['context'] as &$pair ) { + $pair[0] = $fn( $pair[0] ); + } + unset( $pair ); + if ( null !== $complex['self']['type'] ) { + $complex['self']['type'] = $fn( $complex['self']['type'] ); + } + } + unset( $complex ); + return $list_ast; + } + + /** Rotates the subclass list of every compound that has two or more. */ + private static function rotate_subs( array $list_ast ): array { + foreach ( $list_ast as &$complex ) { + $subs = $complex['self']['subs']; + if ( is_array( $subs ) && count( $subs ) >= 2 ) { + $subs[] = array_shift( $subs ); + $complex['self']['subs'] = $subs; + } + } + unset( $complex ); + return $list_ast; + } + + /** Writes an explicit `*` wherever a compound omitted its type selector. */ + private static function explicit_universal( array $list_ast ): array { + foreach ( $list_ast as &$complex ) { + if ( null === $complex['self']['type'] && null !== $complex['self']['subs'] ) { + $complex['self']['type'] = '*'; + } + } + unset( $complex ); + return $list_ast; + } +} diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index 53347c083e79b..0b8f0c5c7a5f2 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -36,12 +36,25 @@ class SelectorGenerator { private $prng; /** @var array */ private $pools; + /** @var bool Escape ident codepoints aggressively when rendering. */ + private $escape_boost = false; private function __construct( Prng $prng, array $pools ) { $this->prng = $prng; $this->pools = $pools; } + /** + * Renders a canonical complex-list AST to a selector string. Parsing the + * result must yield exactly the given AST. With $escape_boost, idents are + * escaped far more often (exercises the escape decoder on no-op escapes). + */ + public static function render( Prng $prng, array $list_ast, bool $escape_boost = false ): string { + $generator = new self( $prng, array() ); + $generator->escape_boost = $escape_boost; + return $generator->render_complex_list( $list_ast ); + } + /** * @param array $pools Pools from DocumentGenerator ( tags, classes, ids, attrNames, attrValues ). * @return array{ @@ -520,7 +533,7 @@ private function render_ident( string $name ): string { || ( 1 === $i && '-' === $points[0][0] && $is_digit ) || ( 1 === $count && '-' === $char ); - if ( $must_escape || $this->prng->chance( 8 ) ) { + if ( $must_escape || $this->prng->chance( $this->escape_boost ? 50 : 8 ) ) { $out .= $this->render_escape( $char, $cp ); } else { $out .= $char; diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index bfa1ec2a580e2..15542649e0709 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -28,6 +28,13 @@ * - select-on-null: select() returned true for an unparseable selector. * - processor-error: the processor entered an error/unsupported state. * - case-determinism: running the full case twice gave different digests. + * - metamorphic-parse: a meaning-preserving transform of a parseable + * selector no longer parses. + * - metamorphic-ast: an AST-preserving transform parsed to a + * different AST. + * - metamorphic-mismatch: a meaning-preserving transform selected a + * different element set than the original. + * - metamorphic-error: parsing/matching a transformed selector raised. */ class Worker { @@ -172,9 +179,10 @@ static function () use ( $complex_list ) { // --- Match phase --------------------------------------------------- + $html_matches = null; if ( null !== $complex_ast ) { - $expected = ReferenceMatcher::expected_html_processor_matches( $complex_ast, $document['model'], $document['quirks'] ); - self::check_select_matches( 'html', $selector_string, $document, $expected, $record ); + $expected = ReferenceMatcher::expected_html_processor_matches( $complex_ast, $document['model'], $document['quirks'] ); + $html_matches = self::check_select_matches( 'html', $selector_string, $document, $expected, $record ); } elseif ( null === $complex_list && null === $complex_error ) { self::check_select_rejection( 'html', $selector_string, $document, $record ); } @@ -186,6 +194,15 @@ static function () use ( $complex_list ) { self::check_select_rejection( 'tag', $selector_string, $document, $record ); } + // --- Metamorphic phase ---------------------------------------------- + // Oracle-free relations: meaning-preserving transforms of the selector + // must select exactly the same elements. Run only on otherwise-clean + // cases so a single root cause does not multiply into noise. + + if ( null !== $complex_ast && null !== $html_matches && array() === $failures ) { + self::check_metamorphic( $complex_ast, $html_matches, $document, $prng->fork( 'metamorph' ), $record ); + } + $digest = sha1( json_encode_safe( array( @@ -304,19 +321,17 @@ static function () use ( $document ) { } /** - * Runs a select() loop on a parseable selector and compares the match set - * against the reference matcher. + * Runs a select() loop over the document, collecting matched data-fids. * * @param string $target 'html' or 'tag'. + * @return array{0: string[]|null, 1: \Throwable|null} */ - private static function check_select_matches( string $target, string $selector_string, array $document, array $expected, callable $record ): void { - Bootstrap::reset_doing_it_wrong(); - - list( $actual, $error ) = self::guard( - static function () use ( $target, $selector_string, $document ) { + private static function collect_matches( string $target, string $selector_string, string $html ): array { + return self::guard( + static function () use ( $target, $selector_string, $html ) { $processor = 'html' === $target - ? \WP_HTML_Processor::create_full_parser( $document['html'] ) - : new \WP_HTML_Tag_Processor( $document['html'] ); + ? \WP_HTML_Processor::create_full_parser( $html ) + : new \WP_HTML_Tag_Processor( $html ); $matches = array(); $iterations = 0; @@ -340,6 +355,19 @@ static function () use ( $target, $selector_string, $document ) { return $matches; } ); + } + + /** + * Runs a select() loop on a parseable selector and compares the match set + * against the reference matcher. + * + * @param string $target 'html' or 'tag'. + * @return string[]|null The actual match set, or null when matching failed. + */ + private static function check_select_matches( string $target, string $selector_string, array $document, array $expected, callable $record ): ?array { + Bootstrap::reset_doing_it_wrong(); + + list( $actual, $error ) = self::collect_matches( $target, $selector_string, $document['html'] ); if ( null !== $error ) { $record( @@ -349,7 +377,7 @@ static function () use ( $target, $selector_string, $document ) { 'error' => self::describe_throwable( $error ), ) ); - return; + return null; } $doing_it_wrong = Bootstrap::doing_it_wrong_calls(); @@ -372,6 +400,111 @@ static function () use ( $target, $selector_string, $document ) { ) ); } + + return $actual; + } + + /** + * Checks the metamorphic relations: each meaning-preserving transform of + * the parsed selector must parse, must (for AST-preserving transforms) + * parse to exactly the transformed AST, and must select exactly the same + * elements the original selector selected. + * + * @param array $complex_ast Canonical AST of the original selector. + * @param string[] $html_matches The original's WP_HTML_Processor match set. + */ + private static function check_metamorphic( array $complex_ast, array $html_matches, array $document, Prng $prng, callable $record ): void { + foreach ( Metamorph::variants( $complex_ast, $prng ) as $variant ) { + $transform = $variant['name']; + $variant_selector = $variant['selector']; + + list( $variant_list, $parse_error ) = self::guard( + static function () use ( $variant_selector ) { + return \WP_CSS_Complex_Selector_List::from_selectors( $variant_selector ); + } + ); + + if ( null !== $parse_error ) { + $record( + 'metamorphic-error', + array( + 'transform' => $transform, + 'selector' => printable_bytes( $variant_selector ), + 'error' => self::describe_throwable( $parse_error ), + ) + ); + continue; + } + + if ( null === $variant_list ) { + $record( + 'metamorphic-parse', + array( + 'transform' => $transform, + 'selector' => printable_bytes( $variant_selector ), + ) + ); + continue; + } + + if ( $variant['astMustMatch'] ) { + list( $variant_ast, $shape_error ) = self::guard( + static function () use ( $variant_list ) { + return AstExtractor::from_complex_list( $variant_list ); + } + ); + if ( null !== $shape_error ) { + $record( + 'metamorphic-error', + array( + 'transform' => $transform, + 'selector' => printable_bytes( $variant_selector ), + 'error' => self::describe_throwable( $shape_error ), + ) + ); + continue; + } + if ( $variant_ast !== $variant['ast'] ) { + $record( + 'metamorphic-ast', + array( + 'transform' => $transform, + 'selector' => printable_bytes( $variant_selector ), + 'expectedAst' => $variant['ast'], + 'parsedAst' => $variant_ast, + ) + ); + continue; + } + } + + Bootstrap::reset_doing_it_wrong(); + list( $variant_matches, $match_error ) = self::collect_matches( 'html', $variant_selector, $document['html'] ); + + if ( null !== $match_error ) { + $record( + 'metamorphic-error', + array( + 'transform' => $transform, + 'selector' => printable_bytes( $variant_selector ), + 'error' => self::describe_throwable( $match_error ), + ) + ); + continue; + } + + if ( $variant_matches !== $html_matches ) { + $record( + 'metamorphic-mismatch', + array( + 'transform' => $transform, + 'selector' => printable_bytes( $variant_selector ), + 'expected' => $html_matches, + 'actual' => $variant_matches, + ) + ); + } + } } /** @@ -528,6 +661,9 @@ private static function signature( array $failure ): string { if ( isset( $failure['detail']['target'] ) ) { $parts[] = $failure['detail']['target']; } + if ( isset( $failure['detail']['transform'] ) ) { + $parts[] = $failure['detail']['transform']; + } if ( isset( $failure['detail']['error']['class'] ) ) { $parts[] = $failure['detail']['error']['class']; $parts[] = preg_replace( '/[0-9]+/', 'N', (string) ( $failure['detail']['error']['message'] ?? '' ) ); diff --git a/tools/css-selector-fuzz/lib/autoload.php b/tools/css-selector-fuzz/lib/autoload.php index ffc0e572ed9c1..bc22e73f42f9c 100644 --- a/tools/css-selector-fuzz/lib/autoload.php +++ b/tools/css-selector-fuzz/lib/autoload.php @@ -6,4 +6,5 @@ require_once __DIR__ . '/SelectorGenerator.php'; require_once __DIR__ . '/AstExtractor.php'; require_once __DIR__ . '/ReferenceMatcher.php'; +require_once __DIR__ . '/Metamorph.php'; require_once __DIR__ . '/Worker.php'; From 43d2f68521025c36ef223da039a8a668bf93bb6d Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 13:07:07 +0200 Subject: [PATCH 158/187] CSS selector fuzz: add path-directed generation bucket Synthesizes selectors from a real element of the generated model tree: type from its tag, subclasses from its actual classes/id/attributes (with operators derived from the real value: prefixes, suffixes, substrings, whitespace words, hyphen prefixes, case-flipped operands under the i modifier), and a context chain drawn from its actual ancestors where > is only used for the immediately-next ancestor. The element is guaranteed by construction to be in the match set; a near-miss flip (wrong type/class/attribute, combinator tighten/loosen) inverts or preserves that guarantee. The guarantee is checked against the reference matcher as the new path-expectation invariant, so a generator/oracle disagreement is itself a finding. Positive-match rate for combinator-bearing selectors: 68.3% in this bucket vs 13.9% in supported-complex (3000-seed measurement); 1000 seeds run clean against core with the three known fixes applied. --- tools/css-selector-fuzz/README.md | 11 +- .../lib/SelectorGenerator.php | 348 +++++++++++++++++- tools/css-selector-fuzz/lib/Worker.php | 37 +- 3 files changed, 383 insertions(+), 13 deletions(-) diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index 291bec6cab6f9..e8a0f918a0852 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -12,10 +12,19 @@ produces the same document, the same selector, and the same verdict. 1. Generate a random HTML document from a structurally "safe" element set so the model tree is provably identical to the parsed tree (this is itself verified every case — `model-desync`). -2. Generate a selector in one of six buckets: +2. Generate a selector in one of seven buckets: - `supported-compound` — must parse in both grammars; carries intended AST. - `supported-complex` — uses `>`/descendant combinators; must parse only in the complex grammar; carries intended AST. + - `path-directed` — synthesized from a real element of the generated tree + (type from its tag, subclasses from its actual classes/id/attributes, + context chain from its actual ancestors), guaranteed by construction to + match that element — or flipped into a near-miss (wrong type/class/attr + guarantees a non-match; loosening `>` to descendant must keep matching). + The guarantee is asserted against the reference matcher + (`path-expectation`), making most match assertions non-vacuous: + measured positive-match rate for combinator selectors is ~68% in this + bucket vs ~14% in `supported-complex`. - `unsupported` — valid CSS the API intentionally rejects (pseudo-classes and -elements, `+`/`~`/`||` combinators, namespaces, non-type context selectors); must not parse. diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index 0b8f0c5c7a5f2..25490e4a90bc2 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -26,6 +26,7 @@ class SelectorGenerator { const BUCKETS = array( 'supported-compound', 'supported-complex', + 'path-directed', 'unsupported', 'invalid', 'chaos', @@ -56,31 +57,48 @@ public static function render( Prng $prng, array $list_ast, bool $escape_boost = } /** - * @param array $pools Pools from DocumentGenerator ( tags, classes, ids, attrNames, attrValues ). + * @param array $pools Pools from DocumentGenerator ( tags, classes, ids, attrNames, attrValues ). + * @param array|null $model Root element model; enables the path-directed bucket. * @return array{ * bucket: string, * selector: string, * expectCompound: bool|null, * expectComplex: bool|null, * ast: array|null, + * mustMatchFid: string|null, + * mustNotMatchFid: string|null, * } */ - public static function generate( Prng $prng, array $pools, ?string $bucket = null ): array { + public static function generate( Prng $prng, array $pools, ?array $model = null, ?string $bucket = null ): array { $generator = new self( $prng, $pools ); if ( null === $bucket ) { $bucket = $prng->weighted( - array( - 'supported-compound' => 30, - 'supported-complex' => 25, - 'unsupported' => 15, - 'invalid' => 12, - 'chaos' => 8, - 'mutated' => 10, - ) + null === $model + ? array( + 'supported-compound' => 30, + 'supported-complex' => 25, + 'unsupported' => 15, + 'invalid' => 12, + 'chaos' => 8, + 'mutated' => 10, + ) + : array( + 'supported-compound' => 24, + 'supported-complex' => 20, + 'path-directed' => 22, + 'unsupported' => 12, + 'invalid' => 10, + 'chaos' => 6, + 'mutated' => 6, + ) ); } + if ( 'path-directed' === $bucket && null === $model ) { + $bucket = 'supported-complex'; + } + switch ( $bucket ) { case 'supported-compound': $ast = $generator->gen_complex_list( false ); @@ -102,6 +120,9 @@ public static function generate( Prng $prng, array $pools, ?string $bucket = nul 'ast' => $ast, ); + case 'path-directed': + return $generator->gen_path_directed( $model ); + case 'unsupported': return array( 'bucket' => $bucket, @@ -399,6 +420,313 @@ private function pick_name( string $pool_key ): string { ); } + /* + * ------------------------ + * Path-directed generation + * ------------------------ + * + * Synthesizes a selector from a real element of the model tree so that + * the selector is guaranteed (by construction) to match that element: + * the type comes from its tag, subclasses from its actual classes / id / + * attributes, and the context chain from its actual ancestor tags with + * combinators consistent with the real nesting. Optionally one feature + * is then flipped into a "near-miss" that is guaranteed NOT to match + * the element ( or, for combinator loosening, still guaranteed to ). + */ + + private function gen_path_directed( array $model ): array { + $pairs = DocumentGenerator::flatten_with_ancestors( $model ); + + // Bias toward elements deep enough for a meaningful context chain. + $deep = array(); + foreach ( $pairs as $pair ) { + if ( count( $pair[1] ) >= 2 ) { + $deep[] = $pair; + } + } + if ( array() !== $deep && $this->prng->chance( 75 ) ) { + $pair = $this->prng->choice( $deep ); + } else { + $pair = $this->prng->choice( $pairs ); + } + list( $element, $ancestors ) = $pair; + + $compound = $this->path_compound_for( $element ); + $context = array() !== $ancestors && $this->prng->chance( 75 ) + ? $this->path_context_for( $ancestors ) + : array(); + + $list = array( + array( + 'context' => $context, + 'self' => $compound, + ), + ); + + $must_match = $element['fid']; + $must_not_match = null; + + if ( $this->prng->chance( 40 ) ) { + list( $list, $must_match, $must_not_match ) = $this->path_near_miss( $list, $element ); + } elseif ( $this->prng->chance( 20 ) ) { + // Extra unrelated branch: a list union can only add matches. + $list[] = $this->gen_complex( $this->prng->chance( 30 ) ); + } + + $has_context = false; + foreach ( $list as $complex ) { + if ( array() !== $complex['context'] ) { + $has_context = true; + break; + } + } + + return array( + 'bucket' => 'path-directed', + 'selector' => $this->render_complex_list( $list ), + 'expectCompound' => ! $has_context, + 'expectComplex' => true, + 'ast' => $list, + 'mustMatchFid' => $must_match, + 'mustNotMatchFid' => $must_not_match, + ); + } + + /** A compound selector built only from features the element really has. */ + private function path_compound_for( array $element ): array { + $tag = ascii_strtolower( $element['tag'] ); + + $features = array(); + + $class_value = DocumentGenerator::get_attribute_value( $element, 'class' ); + if ( is_string( $class_value ) ) { + foreach ( preg_split( '/[ \t\n\f\r]+/', $class_value, -1, PREG_SPLIT_NO_EMPTY ) as $word ) { + $features[] = array( 'kind' => 'class', 'name' => $word ); + } + } + + $id_value = DocumentGenerator::get_attribute_value( $element, 'id' ); + if ( is_string( $id_value ) && '' !== $id_value ) { + $features[] = array( 'kind' => 'id', 'name' => $id_value ); + } + + $seen_attrs = array(); + foreach ( $element['attrs'] as $attr ) { + $lower = ascii_strtolower( $attr[0] ); + if ( isset( $seen_attrs[ $lower ] ) || 'data-fid' === $lower ) { + continue; + } + $seen_attrs[ $lower ] = true; + $features[] = $this->path_attr_feature( $lower, $attr[1] ); + } + + $subs = array(); + $available = count( $features ); + if ( $available > 0 ) { + $want = min( $available, $this->prng->weighted( array( 0 => 25, 1 => 40, 2 => 25, 3 => 10 ) ) ); + for ( $i = 0; $i < $want; $i++ ) { + $at = $this->prng->int( 0, count( $features ) - 1 ); + $subs[] = $features[ $at ]; + array_splice( $features, $at, 1 ); + } + } + + $type = null; + if ( array() === $subs || $this->prng->chance( 70 ) ) { + $type = $this->prng->chance( 12 ) ? '*' : ( $this->prng->chance( 30 ) ? $this->random_case( $tag ) : $tag ); + } + + return array( + 'type' => $type, + 'subs' => array() === $subs ? null : $subs, + ); + } + + /** An attribute selector that the (name, value) pair satisfies. */ + private function path_attr_feature( string $name, $value ): array { + $presence = array( + 'kind' => 'attr', + 'name' => $this->prng->chance( 15 ) ? $this->random_case( $name ) : $name, + 'matcher' => null, + 'value' => null, + 'modifier' => null, + ); + + if ( true === $value ) { + // A boolean attribute has the empty string as its value. + $value = ''; + } + if ( ! is_string( $value ) || $this->prng->chance( 30 ) ) { + return $presence; + } + + $points = utf8_codepoints( $value ); + $total = count( $points ); + + $candidates = array( array( 'exact', $value ) ); + + foreach ( preg_split( '/[ \t\n\f\r]+/', $value, -1, PREG_SPLIT_NO_EMPTY ) as $word ) { + $candidates[] = array( 'one-of', $word ); + break; + } + + $hyphen_at = strpos( $value, '-' ); + $candidates[] = array( 'exact-or-hyphen-suffixed', false === $hyphen_at ? $value : substr( $value, 0, $hyphen_at ) ); + + if ( $total > 0 ) { + $slice = static function ( array $points, int $start, int $length ): string { + $out = ''; + for ( $i = $start; $i < $start + $length; $i++ ) { + $out .= $points[ $i ][0]; + } + return $out; + }; + + $candidates[] = array( 'prefixed', $slice( $points, 0, $this->prng->int( 1, $total ) ) ); + $length = $this->prng->int( 1, $total ); + $candidates[] = array( 'suffixed', $slice( $points, $total - $length, $length ) ); + $start = $this->prng->int( 0, $total - 1 ); + $candidates[] = array( 'contains', $slice( $points, $start, $this->prng->int( 1, $total - $start ) ) ); + } + + list( $matcher, $operand ) = $this->prng->choice( $candidates ); + + /* + * `|=` with an operand cut at a hyphen only matches when the operand + * is non-empty and actually a value prefix; an operand equal to the + * value always matches. Guard the degenerate empty-operand cases. + */ + if ( 'exact-or-hyphen-suffixed' === $matcher && '' === $operand && '' !== $value ) { + $matcher = 'exact'; + $operand = $value; + } + if ( in_array( $matcher, array( 'one-of', 'prefixed', 'suffixed', 'contains' ), true ) && '' === $operand ) { + return $presence; + } + + $modifier = null; + if ( $this->prng->chance( 25 ) ) { + if ( $this->prng->chance( 60 ) ) { + $modifier = 'case-insensitive'; + $operand = $this->random_case( $operand ); + } else { + $modifier = 'case-sensitive'; + } + } + + return array( + 'kind' => 'attr', + 'name' => $presence['name'], + 'matcher' => $matcher, + 'value' => $operand, + 'modifier' => $modifier, + ); + } + + /** + * A context chain ( right-to-left ( type, combinator ) pairs ) drawn from + * the element's real ancestors so the chain is satisfied by construction: + * `>` is only used for the immediately-next ancestor, descendant + * combinators may skip generations. + * + * @param array $ancestors Nearest-first ancestor elements. + */ + private function path_context_for( array $ancestors ): array { + $chain = array(); + $pos = 0; + $count = count( $ancestors ); + + while ( $pos < $count && ( array() === $chain || $this->prng->chance( 45 ) ) ) { + $jump = $this->prng->chance( 65 ) ? 0 : $this->prng->int( 0, $count - 1 - $pos ); + $at = $pos + $jump; + + $combinator = ( 0 === $jump && $this->prng->chance( 55 ) ) ? '>' : ' '; + $tag = ascii_strtolower( $ancestors[ $at ]['tag'] ); + $type = $this->prng->chance( 12 ) + ? '*' + : ( $this->prng->chance( 25 ) ? $this->random_case( $tag ) : $tag ); + + $chain[] = array( $type, $combinator ); + $pos = $at + 1; + } + + return $chain; + } + + /** + * Flips one feature of the guaranteed-match selector. Most flips + * guarantee the element no longer matches; loosening a `>` to a + * descendant combinator must keep it matching. + * + * @return array{0: array, 1: string|null, 2: string|null} list, mustMatchFid, mustNotMatchFid. + */ + private function path_near_miss( array $list, array $element ): array { + $complex = $list[0]; + $compound = $complex['self']; + $fid = $element['fid']; + + $flips = array( 'wrong-class', 'wrong-attr' ); + if ( null !== $compound['type'] && '*' !== $compound['type'] ) { + $flips[] = 'wrong-type'; + } + foreach ( $complex['context'] as $pair ) { + if ( '>' === $pair[1] ) { + $flips[] = 'loosen-combinator'; + } + $flips[] = 'tighten-combinator'; + break; + } + + switch ( $this->prng->choice( $flips ) ) { + case 'wrong-type': + $tag = ascii_strtolower( $element['tag'] ); + do { + $other = $this->prng->choice( DocumentGenerator::SAFE_TAGS ); + } while ( $other === $tag ); + $complex['self']['type'] = $this->prng->chance( 25 ) ? $this->random_case( $other ) : $other; + return array( array( $complex ), null, $fid ); + + case 'wrong-attr': + $subs = (array) $complex['self']['subs']; + $subs[] = array( + 'kind' => 'attr', + 'name' => 'zz-no-such-attr', + 'matcher' => null, + 'value' => null, + 'modifier' => null, + ); + $complex['self']['subs'] = $subs; + return array( array( $complex ), null, $fid ); + + case 'loosen-combinator': + // Replacing every `>` with a descendant combinator can only + // widen the context; the element must still match. + foreach ( $complex['context'] as &$pair ) { + $pair[1] = ' '; + } + unset( $pair ); + $list[0] = $complex; + return array( $list, $fid, null ); + + case 'tighten-combinator': + // May or may not still match; no membership expectation. + $at = $this->prng->int( 0, count( $complex['context'] ) - 1 ); + $complex['context'][ $at ][1] = '>'; + $list[0] = $complex; + return array( $list, null, null ); + + case 'wrong-class': + default: + $subs = (array) $complex['self']['subs']; + $subs[] = array( + 'kind' => 'class', + 'name' => 'zz-no-such-class', + ); + $complex['self']['subs'] = $subs; + return array( array( $complex ), null, $fid ); + } + } + /* * --------- * Rendering diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index 15542649e0709..59982794d4aa5 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -35,6 +35,9 @@ * - metamorphic-mismatch: a meaning-preserving transform selected a * different element set than the original. * - metamorphic-error: parsing/matching a transformed selector raised. + * - path-expectation: a path-directed selector's guaranteed + * (non-)membership does not hold in the reference + * matcher ( generator/oracle defect ). */ class Worker { @@ -57,7 +60,7 @@ public static function run_case( int $seed ): array { $prng = new Prng( (string) $seed, 'css-selector-fuzz-case' ); $document = DocumentGenerator::generate( $prng->fork( 'document' ) ); - $selector = SelectorGenerator::generate( $prng->fork( 'selector' ), $document['pools'] ); + $selector = SelectorGenerator::generate( $prng->fork( 'selector' ), $document['pools'], $document['model'] ); $failures = array(); $record = static function ( string $invariant, array $detail ) use ( &$failures ) { @@ -181,7 +184,37 @@ static function () use ( $complex_list ) { $html_matches = null; if ( null !== $complex_ast ) { - $expected = ReferenceMatcher::expected_html_processor_matches( $complex_ast, $document['model'], $document['quirks'] ); + $expected = ReferenceMatcher::expected_html_processor_matches( $complex_ast, $document['model'], $document['quirks'] ); + + /* + * Path-directed selectors are guaranteed by construction to match + * ( or, for near-misses, not to match ) a specific element. The + * reference matcher disagreeing means the generator or the + * reference matcher itself is wrong — a fuzzer-side defect. + */ + $must_match = $selector['mustMatchFid'] ?? null; + $must_not_match = $selector['mustNotMatchFid'] ?? null; + if ( null !== $must_match && ! in_array( $must_match, $expected, true ) ) { + $record( + 'path-expectation', + array( + 'expectation' => 'must-match', + 'fid' => $must_match, + 'expected' => $expected, + ) + ); + } + if ( null !== $must_not_match && in_array( $must_not_match, $expected, true ) ) { + $record( + 'path-expectation', + array( + 'expectation' => 'must-not-match', + 'fid' => $must_not_match, + 'expected' => $expected, + ) + ); + } + $html_matches = self::check_select_matches( 'html', $selector_string, $document, $expected, $record ); } elseif ( null === $complex_list && null === $complex_error ) { self::check_select_rejection( 'html', $selector_string, $document, $record ); From c97d0714e79e99e9ee67c8f076405eb353593e84 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 13:21:15 +0200 Subject: [PATCH 159/187] CSS selector fuzz: parser-derived oracle tree and wild HTML MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace the model==parse-tree precondition with TreeCapture: the processor's own parse, captured once per case as flat rows in visit order (tag, attributes, nearest-first ancestor tags — context selectors are type-only, so rows are everything matching can observe). The reference matcher and path-directed generator now consume rows, which also keeps match comparison correct under restructuring: select() emits matches in visit (token) order, not final-DOM order. For safe documents the capture must still agree with the generated model (model-desync, now also covering attributes and quirks mode); that per-case soundness check is what justifies trusting the capture on wild documents. Add WildDocumentGenerator: misnesting, implied end tags and table sections, stray/unclosed tags, foreign content, and five doctype variants, tuned around the processor's unsupported constructs (it bails on foster parenting, complex adoption-agency runs, non-whitespace table text, FORM end tags over open elements); residual bails are absorbed by bounded deterministic regeneration. 1500 seeds clean against core with the three known fixes applied; all three known bug classes still detected on unpatched core. --- tools/css-selector-fuzz/README.md | 19 +- .../lib/DocumentGenerator.php | 37 ++ .../lib/ReferenceMatcher.php | 99 ++--- .../lib/SelectorGenerator.php | 46 +-- tools/css-selector-fuzz/lib/TreeCapture.php | 114 ++++++ .../lib/WildDocumentGenerator.php | 362 ++++++++++++++++++ tools/css-selector-fuzz/lib/Worker.php | 180 +++++---- tools/css-selector-fuzz/lib/autoload.php | 2 + 8 files changed, 717 insertions(+), 142 deletions(-) create mode 100644 tools/css-selector-fuzz/lib/TreeCapture.php create mode 100644 tools/css-selector-fuzz/lib/WildDocumentGenerator.php diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index e8a0f918a0852..48d5192927a59 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -9,10 +9,19 @@ produces the same document, the same selector, and the same verdict. ## What a case does -1. Generate a random HTML document from a structurally "safe" element set so - the model tree is provably identical to the parsed tree (this is itself - verified every case — `model-desync`). -2. Generate a selector in one of seven buckets: +1. Generate a random HTML document — 70% from a structurally "safe" element + set with a known model tree, 30% "wild" (misnested, implied-end-tag, + foreign-content, varied-doctype token soup with no model). +2. Capture the processor's own view of the document as the matching oracle's + ground truth (`TreeCapture`): a flat list of rows in visit order, each + carrying the element's tag, attributes, and ancestor tag list (context + selectors are type-only, so that is everything matching can observe). + For safe documents the capture must agree with the generated model + (`model-desync`) — that soundness check is what justifies trusting the + capture on wild documents. Wild documents that hit a construct the + processor bails on (foster parenting, complex adoption-agency runs) are + deterministically regenerated a bounded number of times. +3. Generate a selector in one of seven buckets: - `supported-compound` — must parse in both grammars; carries intended AST. - `supported-complex` — uses `>`/descendant combinators; must parse only in the complex grammar; carries intended AST. @@ -32,7 +41,7 @@ produces the same document, the same selector, and the same verdict. - `chaos` — arbitrary bytes; no parse expectation. - `mutated` — a supported selector with random byte mutations; no parse expectation. -3. Check invariants: +4. Check invariants: - No PHP error/warning/exception from parsing or matching, ever. - Parse result (instance vs `null`) matches the bucket's expectation. - Anything the compound grammar parses, the complex grammar parses, and diff --git a/tools/css-selector-fuzz/lib/DocumentGenerator.php b/tools/css-selector-fuzz/lib/DocumentGenerator.php index 70e3ab80d2a39..e435edce409c9 100644 --- a/tools/css-selector-fuzz/lib/DocumentGenerator.php +++ b/tools/css-selector-fuzz/lib/DocumentGenerator.php @@ -437,6 +437,43 @@ public static function flatten_with_ancestors( array $element, array $ancestors return $out; } + /** + * Flat element rows ( the TreeCapture row shape ) derived from a model: + * pre-order, tags uppercased, attribute names lowercased with the first + * of duplicates winning — directly comparable to a TreeCapture of the + * rendered document. + */ + public static function rows_from_model( array $model ): array { + $rows = array(); + foreach ( self::flatten_with_ancestors( $model ) as $pair ) { + list( $element, $ancestors ) = $pair; + + $attrs = array(); + $seen = array(); + foreach ( $element['attrs'] as $attr ) { + $lower = ascii_strtolower( $attr[0] ); + if ( isset( $seen[ $lower ] ) ) { + continue; + } + $seen[ $lower ] = true; + $attrs[] = array( $lower, $attr[1] ); + } + + $ancestor_tags = array(); + foreach ( $ancestors as $ancestor ) { + $ancestor_tags[] = strtoupper( ascii_strtolower( $ancestor['tag'] ) ); + } + + $rows[] = array( + 'tag' => strtoupper( ascii_strtolower( $element['tag'] ) ), + 'fid' => $element['fid'], + 'attrs' => $attrs, + 'ancestorTags' => $ancestor_tags, + ); + } + return $rows; + } + /** First attribute value for a name, ASCII case-insensitive; null if absent. */ public static function get_attribute_value( array $element, string $name ) { $comparable = ascii_strtolower( $name ); diff --git a/tools/css-selector-fuzz/lib/ReferenceMatcher.php b/tools/css-selector-fuzz/lib/ReferenceMatcher.php index fd834a543041d..6af3301cd080b 100644 --- a/tools/css-selector-fuzz/lib/ReferenceMatcher.php +++ b/tools/css-selector-fuzz/lib/ReferenceMatcher.php @@ -2,9 +2,14 @@ namespace CssSelectorFuzz; /** - * Independent implementation of the supported CSS selector semantics, - * operating on the document model produced by DocumentGenerator and the - * canonical selector AST. + * Independent implementation of the supported CSS selector semantics. + * + * Operates on flat element "rows" in visit order — either derived from the + * generated document model or captured from the processor itself + * ( TreeCapture ). Each row carries the element's tag, attributes, and + * ( for the html processor view ) its nearest-first ancestor tag list, + * which is all the supported grammar can observe: context selectors are + * type-only. * * Semantics follow the CSS Selectors Level 4 specification: * - Tag names match ASCII case-insensitively (HTML documents). @@ -24,19 +29,18 @@ class ReferenceMatcher { const WHITESPACE = " \t\r\n\f"; /** - * Expected match list for WP_HTML_Processor::select() over a full document. + * Expected match list for WP_HTML_Processor::select(). * * @param array $list_ast Canonical complex selector list AST. - * @param array $model Root element model ( the `html` element ). + * @param array $rows Element rows in visit order, with ancestorTags. * @param bool $quirks Whether the document parses in quirks mode. - * @return string[] data-fid values in document order. + * @return string[] data-fid values in visit order. */ - public static function expected_html_processor_matches( array $list_ast, array $model, bool $quirks ): array { + public static function expected_html_matches_rows( array $list_ast, array $rows, bool $quirks ): array { $out = array(); - foreach ( DocumentGenerator::flatten_with_ancestors( $model ) as $pair ) { - list( $element, $ancestors ) = $pair; - if ( self::list_matches( $list_ast, $element, $ancestors, $quirks ) ) { - $out[] = $element['fid']; + foreach ( $rows as $row ) { + if ( self::list_matches_row( $list_ast, $row, $quirks ) ) { + $out[] = $row['fid']; } } return $out; @@ -48,39 +52,48 @@ public static function expected_html_processor_matches( array $list_ast, array $ * compound selector list never inspects ancestors. * * @param array $list_ast Canonical complex selector list AST ( contexts must be empty ). - * @param array $model Root element model. - * @return string[] data-fid values in document order. + * @param array $rows Tag-view element rows in token order. + * @return string[] data-fid values in token order. */ - public static function expected_tag_processor_matches( array $list_ast, array $model ): array { + public static function expected_tag_matches_rows( array $list_ast, array $rows ): array { $out = array(); - foreach ( DocumentGenerator::flatten( $model ) as $element ) { - if ( self::list_matches( $list_ast, $element, array(), false ) ) { - $out[] = $element['fid']; + foreach ( $rows as $row ) { + $matched = false; + foreach ( $list_ast as $complex ) { + if ( self::compound_matches( $complex['self'], $row, false ) ) { + $matched = true; + break; + } + } + if ( $matched ) { + $out[] = $row['fid']; } } return $out; } - public static function list_matches( array $list_ast, array $element, array $ancestors, bool $quirks ): bool { + /** Back-compat: expected html-processor matches from a generated model. */ + public static function expected_html_processor_matches( array $list_ast, array $model, bool $quirks ): array { + return self::expected_html_matches_rows( $list_ast, DocumentGenerator::rows_from_model( $model ), $quirks ); + } + + /** Back-compat: expected tag-processor matches from a generated model. */ + public static function expected_tag_processor_matches( array $list_ast, array $model ): array { + return self::expected_tag_matches_rows( $list_ast, DocumentGenerator::rows_from_model( $model ) ); + } + + public static function list_matches_row( array $list_ast, array $row, bool $quirks ): bool { foreach ( $list_ast as $complex ) { - if ( self::complex_matches( $complex, $element, $ancestors, $quirks ) ) { + if ( + self::compound_matches( $complex['self'], $row, $quirks ) && + self::explore_context( $complex['context'], $row['ancestorTags'] ) + ) { return true; } } return false; } - private static function complex_matches( array $complex, array $element, array $ancestors, bool $quirks ): bool { - if ( ! self::compound_matches( $complex['self'], $element, $quirks ) ) { - return false; - } - $ancestor_tags = array(); - foreach ( $ancestors as $ancestor ) { - $ancestor_tags[] = $ancestor['tag']; - } - return self::explore_context( $complex['context'], $ancestor_tags ); - } - /** * @param array $context Right-to-left ( type, combinator ) pairs. * @param string[] $ancestor_tags Nearest-ancestor-first tag names. @@ -114,12 +127,12 @@ private static function explore_context( array $context, array $ancestor_tags ): return false; } - public static function compound_matches( array $compound, array $element, bool $quirks ): bool { - if ( null !== $compound['type'] && ! self::type_matches( $compound['type'], $element['tag'] ) ) { + public static function compound_matches( array $compound, array $row, bool $quirks ): bool { + if ( null !== $compound['type'] && ! self::type_matches( $compound['type'], $row['tag'] ) ) { return false; } foreach ( (array) $compound['subs'] as $sub ) { - if ( ! self::sub_matches( $sub, $element, $quirks ) ) { + if ( ! self::sub_matches( $sub, $row, $quirks ) ) { return false; } } @@ -130,20 +143,20 @@ private static function type_matches( string $type, string $tag ): bool { return '*' === $type || ascii_strtolower( $type ) === ascii_strtolower( $tag ); } - private static function sub_matches( array $sub, array $element, bool $quirks ): bool { + private static function sub_matches( array $sub, array $row, bool $quirks ): bool { switch ( $sub['kind'] ) { case 'class': - return self::class_matches( $sub['name'], $element, $quirks ); + return self::class_matches( $sub['name'], $row, $quirks ); case 'id': - return self::id_matches( $sub['name'], $element, $quirks ); + return self::id_matches( $sub['name'], $row, $quirks ); case 'attr': - return self::attr_matches( $sub, $element ); + return self::attr_matches( $sub, $row ); } return false; } - private static function class_matches( string $wanted, array $element, bool $quirks ): bool { - $class_value = DocumentGenerator::get_attribute_value( $element, 'class' ); + private static function class_matches( string $wanted, array $row, bool $quirks ): bool { + $class_value = DocumentGenerator::get_attribute_value( $row, 'class' ); if ( ! is_string( $class_value ) ) { return false; } @@ -170,8 +183,8 @@ private static function class_matches( string $wanted, array $element, bool $qui return false; } - private static function id_matches( string $wanted, array $element, bool $quirks ): bool { - $id = DocumentGenerator::get_attribute_value( $element, 'id' ); + private static function id_matches( string $wanted, array $row, bool $quirks ): bool { + $id = DocumentGenerator::get_attribute_value( $row, 'id' ); if ( ! is_string( $id ) ) { return false; } @@ -180,8 +193,8 @@ private static function id_matches( string $wanted, array $element, bool $quirks : $id === $wanted; } - private static function attr_matches( array $sub, array $element ): bool { - $attr_value = DocumentGenerator::get_attribute_value( $element, $sub['name'] ); + private static function attr_matches( array $sub, array $row ): bool { + $attr_value = DocumentGenerator::get_attribute_value( $row, $sub['name'] ); if ( null === $attr_value ) { return false; } diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index 25490e4a90bc2..a7956ce709e11 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -58,7 +58,8 @@ public static function render( Prng $prng, array $list_ast, bool $escape_boost = /** * @param array $pools Pools from DocumentGenerator ( tags, classes, ids, attrNames, attrValues ). - * @param array|null $model Root element model; enables the path-directed bucket. + * @param array|null $rows Element rows ( TreeCapture shape ) with real + * fids; enables the path-directed bucket. * @return array{ * bucket: string, * selector: string, @@ -69,12 +70,12 @@ public static function render( Prng $prng, array $list_ast, bool $escape_boost = * mustNotMatchFid: string|null, * } */ - public static function generate( Prng $prng, array $pools, ?array $model = null, ?string $bucket = null ): array { + public static function generate( Prng $prng, array $pools, ?array $rows = null, ?string $bucket = null ): array { $generator = new self( $prng, $pools ); if ( null === $bucket ) { $bucket = $prng->weighted( - null === $model + null === $rows || array() === $rows ? array( 'supported-compound' => 30, 'supported-complex' => 25, @@ -95,7 +96,7 @@ public static function generate( Prng $prng, array $pools, ?array $model = null, ); } - if ( 'path-directed' === $bucket && null === $model ) { + if ( 'path-directed' === $bucket && ( null === $rows || array() === $rows ) ) { $bucket = 'supported-complex'; } @@ -121,7 +122,7 @@ public static function generate( Prng $prng, array $pools, ?array $model = null, ); case 'path-directed': - return $generator->gen_path_directed( $model ); + return $generator->gen_path_directed( $rows ); case 'unsupported': return array( @@ -434,26 +435,21 @@ private function pick_name( string $pool_key ): string { * the element ( or, for combinator loosening, still guaranteed to ). */ - private function gen_path_directed( array $model ): array { - $pairs = DocumentGenerator::flatten_with_ancestors( $model ); - + private function gen_path_directed( array $rows ): array { // Bias toward elements deep enough for a meaningful context chain. $deep = array(); - foreach ( $pairs as $pair ) { - if ( count( $pair[1] ) >= 2 ) { - $deep[] = $pair; + foreach ( $rows as $row ) { + if ( count( $row['ancestorTags'] ) >= 2 ) { + $deep[] = $row; } } - if ( array() !== $deep && $this->prng->chance( 75 ) ) { - $pair = $this->prng->choice( $deep ); - } else { - $pair = $this->prng->choice( $pairs ); - } - list( $element, $ancestors ) = $pair; + $element = array() !== $deep && $this->prng->chance( 75 ) + ? $this->prng->choice( $deep ) + : $this->prng->choice( $rows ); $compound = $this->path_compound_for( $element ); - $context = array() !== $ancestors && $this->prng->chance( 75 ) - ? $this->path_context_for( $ancestors ) + $context = array() !== $element['ancestorTags'] && $this->prng->chance( 75 ) + ? $this->path_context_for( $element['ancestorTags'] ) : array(); $list = array( @@ -492,7 +488,7 @@ private function gen_path_directed( array $model ): array { ); } - /** A compound selector built only from features the element really has. */ + /** A compound selector built only from features the element row really has. */ private function path_compound_for( array $element ): array { $tag = ascii_strtolower( $element['tag'] ); @@ -513,7 +509,7 @@ private function path_compound_for( array $element ): array { $seen_attrs = array(); foreach ( $element['attrs'] as $attr ) { $lower = ascii_strtolower( $attr[0] ); - if ( isset( $seen_attrs[ $lower ] ) || 'data-fid' === $lower ) { + if ( isset( $seen_attrs[ $lower ] ) ) { continue; } $seen_attrs[ $lower ] = true; @@ -629,19 +625,19 @@ private function path_attr_feature( string $name, $value ): array { * `>` is only used for the immediately-next ancestor, descendant * combinators may skip generations. * - * @param array $ancestors Nearest-first ancestor elements. + * @param string[] $ancestor_tags Nearest-first ancestor tag names. */ - private function path_context_for( array $ancestors ): array { + private function path_context_for( array $ancestor_tags ): array { $chain = array(); $pos = 0; - $count = count( $ancestors ); + $count = count( $ancestor_tags ); while ( $pos < $count && ( array() === $chain || $this->prng->chance( 45 ) ) ) { $jump = $this->prng->chance( 65 ) ? 0 : $this->prng->int( 0, $count - 1 - $pos ); $at = $pos + $jump; $combinator = ( 0 === $jump && $this->prng->chance( 55 ) ) ? '>' : ' '; - $tag = ascii_strtolower( $ancestors[ $at ]['tag'] ); + $tag = ascii_strtolower( $ancestor_tags[ $at ] ); $type = $this->prng->chance( 12 ) ? '*' : ( $this->prng->chance( 25 ) ? $this->random_case( $tag ) : $tag ); diff --git a/tools/css-selector-fuzz/lib/TreeCapture.php b/tools/css-selector-fuzz/lib/TreeCapture.php new file mode 100644 index 0000000000000..9edc3b0541757 --- /dev/null +++ b/tools/css-selector-fuzz/lib/TreeCapture.php @@ -0,0 +1,114 @@ +, + * ancestorTags: string[] nearest-first ) + * tag row: same without ancestorTags. + */ +class TreeCapture { + + const CAPTURE_ITERATION_LIMIT = 20000; + + /** + * @return array{ + * htmlRows: array|null, + * tagRows: array|null, + * quirks: bool, + * error: string|null, + * } + */ + public static function capture( string $html ): array { + $out = array( + 'htmlRows' => null, + 'tagRows' => null, + 'quirks' => false, + 'error' => null, + ); + + $processor = \WP_HTML_Processor::create_full_parser( $html ); + $rows = array(); + $iterations = 0; + while ( $processor->next_tag() ) { + if ( ++$iterations > self::CAPTURE_ITERATION_LIMIT ) { + $out['error'] = 'html-capture-iteration-limit'; + return $out; + } + $breadcrumbs = $processor->get_breadcrumbs(); + array_pop( $breadcrumbs ); + $rows[] = array( + 'tag' => (string) $processor->get_tag(), + 'fid' => self::fid_of( $processor ), + 'attrs' => self::attrs_of( $processor ), + 'ancestorTags' => array_reverse( $breadcrumbs ), + ); + } + + if ( null !== $processor->get_last_error() ) { + $out['error'] = 'html-processor-error: ' . $processor->get_last_error(); + return $out; + } + if ( null !== $processor->get_unsupported_exception() ) { + $out['error'] = 'html-processor-unsupported: ' . $processor->get_unsupported_exception()->getMessage(); + return $out; + } + + $out['htmlRows'] = $rows; + $out['quirks'] = $processor->is_quirks_mode(); + + $tag_processor = new \WP_HTML_Tag_Processor( $html ); + $tag_rows = array(); + $iterations = 0; + while ( $tag_processor->next_tag() ) { + if ( ++$iterations > self::CAPTURE_ITERATION_LIMIT ) { + $out['error'] = 'tag-capture-iteration-limit'; + return $out; + } + $tag_rows[] = array( + 'tag' => (string) $tag_processor->get_tag(), + 'fid' => self::fid_of( $tag_processor ), + 'attrs' => self::attrs_of( $tag_processor ), + ); + } + $out['tagRows'] = $tag_rows; + + return $out; + } + + /** The element's data-fid, or the same placeholder collect_matches() uses. */ + private static function fid_of( $processor ): string { + $fid = $processor->get_attribute( 'data-fid' ); + return is_string( $fid ) ? $fid : '(missing-fid:' . $processor->get_tag() . ')'; + } + + /** + * All attributes as ( lowercase name, decoded value ) pairs, excluding + * data-fid ( stored separately, mirroring the generated model's shape ). + * + * @return array + */ + private static function attrs_of( $processor ): array { + $attrs = array(); + foreach ( (array) $processor->get_attribute_names_with_prefix( '' ) as $name ) { + if ( 'data-fid' === $name ) { + continue; + } + $value = $processor->get_attribute( $name ); + $attrs[] = array( $name, true === $value ? true : (string) $value ); + } + return $attrs; + } +} diff --git a/tools/css-selector-fuzz/lib/WildDocumentGenerator.php b/tools/css-selector-fuzz/lib/WildDocumentGenerator.php new file mode 100644 index 0000000000000..78ae5a329f162 --- /dev/null +++ b/tools/css-selector-fuzz/lib/WildDocumentGenerator.php @@ -0,0 +1,362 @@ + '', + 'html' => '', + 'legacy-compat' => '', + 'quirky' => '', + 'limited' => '', + ); + + /** @var Prng */ + private $prng; + private $fid_counter = 0; + private $pools; + + private function __construct( Prng $prng ) { + $this->prng = $prng; + $this->pools = array( + 'tags' => array( 'html', 'head', 'body' ), + 'classes' => array(), + 'ids' => array(), + 'attrNames' => array(), + 'attrValues' => array(), + ); + } + + /** + * @return array{model: null, html: string, pools: array, wild: true, doctype: string} + */ + public static function generate( Prng $prng ): array { + $generator = new self( $prng ); + return $generator->build(); + } + + private function build(): array { + $doctype_kind = $this->prng->weighted( + array( + 'none' => 25, + 'html' => 45, + 'legacy-compat' => 10, + 'quirky' => 12, + 'limited' => 8, + ) + ); + + $out = self::DOCTYPES[ $doctype_kind ]; + + if ( $this->prng->chance( 15 ) ) { + $out .= 'render_attrs( $this->random_attrs() ) . '>'; + } + if ( $this->prng->chance( 10 ) ) { + $out .= 'render_attrs( $this->random_attrs() ) . '>'; + } + + $max_elements = $this->prng->int( 4, 35 ); + $token_budget = $this->prng->int( 8, 70 ); + $open = array(); + + for ( $i = 0; $i < $token_budget; $i++ ) { + $in_table = $this->in_table_context( $open ); + + $kind = $this->prng->weighted( + array( + 'start' => 42, + 'void' => $in_table ? 0 : 8, + 'end' => 24, + 'text' => 16, + 'comment' => 5, + 'stray' => $in_table ? 0 : 5, + ) + ); + + switch ( $kind ) { + case 'start': + if ( $this->fid_counter >= $max_elements ) { + break; + } + $tag = $in_table + ? $this->prng->choice( array( 'caption', 'colgroup', 'thead', 'tbody', 'tfoot', 'tr', 'tr', 'td', 'td', 'th' ) ) + : $this->prng->choice( self::TAGS ); + if ( 'a' === $tag && in_array( 'a', $open, true ) ) { + // A nested immediately runs the adoption agency. + $tag = 'span'; + } + $this->pools['tags'][] = $tag; + $out .= '<' . $this->maybe_case( $tag ) + . ' data-fid="w' . $this->fid_counter++ . '"' + . $this->render_attrs( $this->random_attrs() ) . '>'; + $open[] = $tag; + break; + + case 'void': + if ( $this->fid_counter >= $max_elements ) { + break; + } + $tag = $this->prng->choice( self::VOID_TAGS ); + $this->pools['tags'][] = $tag; + $out .= '<' . $this->maybe_case( $tag ) + . ' data-fid="w' . $this->fid_counter++ . '"' + . $this->render_attrs( $this->random_attrs() ) + . ( $this->prng->chance( 25 ) ? ' />' : '>' ); + break; + + case 'end': + if ( array() === $open ) { + break; + } + $pick = $this->prng->weighted( + array( + 'top' => 60, + 'random' => 40, + ) + ); + if ( 'top' === $pick ) { + $tag = array_pop( $open ); + } else { + /* + * Close a non-top open element: misnesting. Never + * across a formatting element — the processor only + * supports the trivial adoption-agency cases and + * bails on the rest ( "any other end tag" / + * "common ancestor" / reconstruction-with-rewind ). + */ + $formatting = array( 'a', 'b', 'i', 'em', 'strong', 'u', 's', 'code', 'small' ); + $lowest = count( $open ) - 1; + while ( $lowest > 0 && ! in_array( $open[ $lowest ], $formatting, true ) ) { + $lowest--; + } + if ( in_array( $open[ $lowest ], $formatting, true ) ) { + $lowest++; + } + if ( $lowest > count( $open ) - 1 ) { + $tag = array_pop( $open ); + } else { + $at = $this->prng->int( $lowest, count( $open ) - 1 ); + $tag = $open[ $at ]; + array_splice( $open, $at, 1 ); + } + } + $out .= 'maybe_case( $tag ) . '>'; + break; + + case 'text': + // Non-whitespace text in table context is unsupported + // (pending-table-character-tokens), keep it whitespace. + $out .= $in_table + ? "\n " + : $this->prng->choice( + array( + 'text', + ' wild text ', + "\n", + '& <x>', + 'café ✓', + 'a < b', + ) + ); + break; + + case 'comment': + $out .= ''; + break; + + case 'stray': + // An end tag for something that is not open. + // No formatting tags here: a stray formatting end tag + // runs the adoption agency's unsupported branches. + $out .= 'prng->choice( array( 'div', 'p', 'table', 'tr', 'li', 'span', 'x-wild' ) ) . '>'; + break; + } + } + + // Leave roughly half of the still-open elements unclosed. + foreach ( array_reverse( $open ) as $tag ) { + if ( $this->prng->chance( 50 ) ) { + $out .= 'maybe_case( $tag ) . '>'; + } + } + + foreach ( $this->pools as $key => $values ) { + $this->pools[ $key ] = array_values( array_unique( $values ) ); + } + + return array( + 'model' => null, + 'html' => $out, + 'pools' => $this->pools, + 'wild' => true, + 'doctype' => $doctype_kind, + ); + } + + /** + * Whether the insertion point is in table context outside any cell or + * caption — where arbitrary content would foster-parent (unsupported). + */ + private function in_table_context( array $open ): bool { + for ( $i = count( $open ) - 1; $i >= 0; $i-- ) { + $tag = $open[ $i ]; + if ( in_array( $tag, array( 'td', 'th', 'caption' ), true ) ) { + return false; + } + if ( in_array( $tag, array( 'table', 'thead', 'tbody', 'tfoot', 'tr', 'colgroup' ), true ) ) { + return true; + } + } + return false; + } + + /** @return array */ + private function random_attrs(): array { + $attrs = array(); + $count = $this->prng->weighted( array( 0 => 30, 1 => 35, 2 => 25, 3 => 10 ) ); + + for ( $i = 0; $i < $count; $i++ ) { + $name = $this->prng->choice( DocumentGenerator::ATTR_NAMES ); + + $lower = ascii_strtolower( $name ); + if ( 'class' === $lower ) { + $words = array(); + $n = $this->prng->int( 1, 3 ); + for ( $j = 0; $j < $n; $j++ ) { + $word = $this->random_word(); + $words[] = $word; + $this->pools['classes'][] = $word; + } + $value = implode( ' ', $words ); + } elseif ( 'id' === $lower ) { + $value = $this->random_word(); + $this->pools['ids'][] = $value; + } elseif ( $this->prng->chance( 15 ) ) { + $value = true; + } else { + $value = $this->random_word(); + if ( $this->prng->chance( 20 ) ) { + $value .= ' ' . $this->random_word(); + } + } + + $this->pools['attrNames'][] = $lower; + if ( is_string( $value ) ) { + $this->pools['attrValues'][] = $value; + } + $attrs[] = array( $name, $value ); + } + + return $attrs; + } + + private function render_attrs( array $attrs ): string { + $out = ''; + foreach ( $attrs as $attr ) { + list( $name, $value ) = $attr; + if ( true === $value ) { + $out .= ' ' . $name; + continue; + } + $out .= ' ' . $name . '="' . str_replace( array( '&', '"', '<' ), array( '&', '"', '<' ), $value ) . '"'; + } + return $out; + } + + private function random_word(): string { + $stems = array( 'wild', 'soup', 'alpha', 'beta', 'item', 'note', 'x', 'mixedCase', 'Über', 'main-thing', '--var', '_u' ); + $word = $this->prng->choice( $stems ); + if ( $this->prng->chance( 30 ) ) { + $word .= (string) $this->prng->int( 0, 99 ); + } + return $word; + } + + private function maybe_case( string $tag ): string { + if ( ! $this->prng->chance( 15 ) ) { + return $tag; + } + $out = ''; + for ( $i = 0; $i < strlen( $tag ); $i++ ) { + $c = $tag[ $i ]; + $out .= $this->prng->chance( 50 ) ? strtoupper( $c ) : strtolower( $c ); + } + return $out; + } +} diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index 59982794d4aa5..df7e48e8506e2 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -58,9 +58,8 @@ class Worker { public static function run_case( int $seed ): array { Bootstrap::load(); - $prng = new Prng( (string) $seed, 'css-selector-fuzz-case' ); - $document = DocumentGenerator::generate( $prng->fork( 'document' ) ); - $selector = SelectorGenerator::generate( $prng->fork( 'selector' ), $document['pools'], $document['model'] ); + $prng = new Prng( (string) $seed, 'css-selector-fuzz-case' ); + $is_wild = $prng->chance( 30 ); $failures = array(); $record = static function ( string $invariant, array $detail ) use ( &$failures ) { @@ -70,7 +69,70 @@ public static function run_case( int $seed ): array { ); }; - self::check_document_model( $document, $record ); + /* + * The processor's own parse is the matching oracle's ground truth. + * For safe (model-built) documents the model must agree with the + * capture — that soundness check is what lets the capture be trusted + * on wild documents, where no model exists. + * + * Wild documents that hit one of the processor's unsupported + * constructs (it bails on foster parenting, complex adoption-agency + * runs, …) are deterministically regenerated a bounded number of + * times so nearly every wild case carries a usable ground truth. + */ + $document = null; + $capture = null; + $capture_error = null; + $attempts = $is_wild ? 8 : 1; + for ( $attempt = 0; $attempt < $attempts; $attempt++ ) { + $document = $is_wild + ? WildDocumentGenerator::generate( $prng->fork( "wild-document:{$attempt}" ) ) + : DocumentGenerator::generate( $prng->fork( 'document' ) ); + + list( $capture, $capture_error ) = self::guard( + static function () use ( $document ) { + return TreeCapture::capture( $document['html'] ); + } + ); + + if ( null === $capture_error && null === $capture['error'] ) { + break; + } + } + + $rows = null; + $tag_rows = null; + $quirks = false; + + if ( null !== $capture_error ) { + $record( 'model-desync', array( 'phase' => 'capture', 'error' => self::describe_throwable( $capture_error ) ) ); + } elseif ( null !== $capture['error'] ) { + if ( ! $is_wild ) { + $record( 'model-desync', array( 'phase' => 'capture', 'error' => $capture['error'] ) ); + } + // Wild markup the processor cannot fully visit is skipped: + // parsing invariants still run, matching has no ground truth. + } else { + $rows = $capture['htmlRows']; + $tag_rows = $capture['tagRows']; + $quirks = $capture['quirks']; + + if ( ! $is_wild ) { + self::check_capture_against_model( $document, $capture, $record ); + } + } + + $path_rows = null; + if ( null !== $rows ) { + $path_rows = array(); + foreach ( $rows as $row ) { + if ( 0 !== strpos( $row['fid'], '(missing-fid:' ) ) { + $path_rows[] = $row; + } + } + } + + $selector = SelectorGenerator::generate( $prng->fork( 'selector' ), $document['pools'], $path_rows ); $selector_string = $selector['selector']; @@ -183,8 +245,8 @@ static function () use ( $complex_list ) { // --- Match phase --------------------------------------------------- $html_matches = null; - if ( null !== $complex_ast ) { - $expected = ReferenceMatcher::expected_html_processor_matches( $complex_ast, $document['model'], $document['quirks'] ); + if ( null !== $complex_ast && null !== $rows ) { + $expected = ReferenceMatcher::expected_html_matches_rows( $complex_ast, $rows, $quirks ); /* * Path-directed selectors are guaranteed by construction to match @@ -220,8 +282,8 @@ static function () use ( $complex_list ) { self::check_select_rejection( 'html', $selector_string, $document, $record ); } - if ( null !== $compound_ast ) { - $expected = ReferenceMatcher::expected_tag_processor_matches( $compound_ast, $document['model'] ); + if ( null !== $compound_ast && null !== $tag_rows ) { + $expected = ReferenceMatcher::expected_tag_matches_rows( $compound_ast, $tag_rows ); self::check_select_matches( 'tag', $selector_string, $document, $expected, $record ); } elseif ( null === $compound_list && null === $compound_error ) { self::check_select_rejection( 'tag', $selector_string, $document, $record ); @@ -266,45 +328,38 @@ static function ( $failure ) { } /** - * Verifies that both processors see exactly the modeled element list — - * this guards the oracle itself against renderer/model drift. + * Verifies that the processor's captured view of a safe (model-built) + * document agrees with the generated model — this guards the oracle + * itself against renderer/model drift, and is what justifies trusting + * the capture on wild documents. */ - private static function check_document_model( array $document, callable $record ): void { - $expected = array(); - foreach ( DocumentGenerator::flatten_with_ancestors( $document['model'] ) as $pair ) { - list( $element, $ancestors ) = $pair; - $expected[] = array( - strtoupper( ascii_strtolower( $element['tag'] ) ), - $element['fid'], - count( $ancestors ) + 1, - ); - } - - list( $actual, $error ) = self::guard( - static function () use ( $document ) { - $processor = \WP_HTML_Processor::create_full_parser( $document['html'] ); - $out = array(); - while ( $processor->next_tag() ) { - $fid = $processor->get_attribute( 'data-fid' ); - $out[] = array( - (string) $processor->get_tag(), - is_string( $fid ) ? $fid : '(missing)', - count( $processor->get_breadcrumbs() ), - ); + private static function check_capture_against_model( array $document, array $capture, callable $record ): void { + $model_rows = DocumentGenerator::rows_from_model( $document['model'] ); + + $normalize = static function ( array $rows, bool $with_ancestors ): array { + $out = array(); + foreach ( $rows as $row ) { + $attrs = array(); + foreach ( $row['attrs'] as $attr ) { + $attrs[ $attr[0] ] = $attr[1]; } - if ( null !== $processor->get_last_error() ) { - throw new \RuntimeException( 'Processor error: ' . $processor->get_last_error() ); + ksort( $attrs ); + $normalized = array( + 'tag' => $row['tag'], + 'fid' => $row['fid'], + 'attrs' => $attrs, + ); + if ( $with_ancestors ) { + $normalized['ancestorTags'] = $row['ancestorTags']; } - return $out; + $out[] = $normalized; } - ); - - if ( null !== $error ) { - $record( 'model-desync', array( 'processor' => 'html', 'error' => self::describe_throwable( $error ) ) ); - return; - } + return $out; + }; - if ( $actual !== $expected ) { + $expected = $normalize( $model_rows, true ); + $actual = $normalize( $capture['htmlRows'], true ); + if ( $expected !== $actual ) { $record( 'model-desync', array( @@ -315,33 +370,9 @@ static function () use ( $document ) { ); } - // The tag processor must see the same elements ( without breadcrumbs ). - $expected_tags = array(); - foreach ( $expected as $row ) { - $expected_tags[] = array( $row[0], $row[1] ); - } - - list( $actual_tags, $tag_error ) = self::guard( - static function () use ( $document ) { - $processor = new \WP_HTML_Tag_Processor( $document['html'] ); - $out = array(); - while ( $processor->next_tag() ) { - $fid = $processor->get_attribute( 'data-fid' ); - $out[] = array( - (string) $processor->get_tag(), - is_string( $fid ) ? $fid : '(missing)', - ); - } - return $out; - } - ); - - if ( null !== $tag_error ) { - $record( 'model-desync', array( 'processor' => 'tag', 'error' => self::describe_throwable( $tag_error ) ) ); - return; - } - - if ( $actual_tags !== $expected_tags ) { + $expected_tags = $normalize( $model_rows, false ); + $actual_tags = $normalize( $capture['tagRows'], false ); + if ( $expected_tags !== $actual_tags ) { $record( 'model-desync', array( @@ -351,6 +382,17 @@ static function () use ( $document ) { ) ); } + + if ( $document['quirks'] !== $capture['quirks'] ) { + $record( + 'model-desync', + array( + 'processor' => 'quirks', + 'expected' => $document['quirks'], + 'actual' => $capture['quirks'], + ) + ); + } } /** diff --git a/tools/css-selector-fuzz/lib/autoload.php b/tools/css-selector-fuzz/lib/autoload.php index bc22e73f42f9c..2a26cbdb9f407 100644 --- a/tools/css-selector-fuzz/lib/autoload.php +++ b/tools/css-selector-fuzz/lib/autoload.php @@ -3,6 +3,8 @@ require_once __DIR__ . '/Prng.php'; require_once __DIR__ . '/Bootstrap.php'; require_once __DIR__ . '/DocumentGenerator.php'; +require_once __DIR__ . '/WildDocumentGenerator.php'; +require_once __DIR__ . '/TreeCapture.php'; require_once __DIR__ . '/SelectorGenerator.php'; require_once __DIR__ . '/AstExtractor.php'; require_once __DIR__ . '/ReferenceMatcher.php'; From 37ec7f0a238082ff0daef8d75f13ec5b421288ef Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 13:34:37 +0200 Subject: [PATCH 160/187] CSS selector fuzz: add lexbor differential oracle MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Third, independent matching opinion alongside the WP implementation and the fuzzer's ReferenceMatcher. A batched C harness (lexbor/harness.c, built by lexbor/build.sh against liblexbor pinned to v3.0.0) reads {html, selector} cases over a persistent pipe and answers with lexbor's element tree and matched data-fid sets; the worker auto-detects it. The differential runs on no-quirks documents whose selector parsed, is gated on WP and lexbor agreeing on the element tree (multiset of fid/tag/ancestry — isolating the selector layer from tree construction), and compares match-fid multisets (lexbor reports in document order, WP in visit order). Verdict: lexbor != reference is a fuzzer-oracle problem (lexbor-divergence); reference == lexbor != WP is a high-confidence WP finding (existing match-mismatch-html with no divergence on the case). Confirmed on known Bug 2: reference and lexbor both return the empty set for [x^=""] where WP matches elements. lexbor quirks compensated for (all candidate upstream reports): - #368, open at v3.0.0: class/#id match case-insensitively even in no-quirks mode. Detected by startup probe; lexbor is compared against the reference run with class/ID folding, and quirks documents are excluded from the differential. - Uppercase I/S attribute modifiers are rejected; the non-ASCII ident-codepoint table omits U+00B7 and U+00C0-U+00F6. Both sidestepped by handing lexbor a deterministic canonical re-render of the verified AST (lowercase modifiers, non-ASCII hex-escaped) — byte-level parsing is already covered by AST round-trip and metamorphic invariants. - One callback per matching list branch: LXB_SELECTORS_OPT_MATCH_FIRST. 800 seeds against patched core: 408 compared, 0 divergences. --- tools/css-selector-fuzz/README.md | 34 +++ tools/css-selector-fuzz/lexbor/build.sh | 42 +++ tools/css-selector-fuzz/lexbor/harness.c | 267 ++++++++++++++++++ tools/css-selector-fuzz/lib/LexborOracle.php | 191 +++++++++++++ tools/css-selector-fuzz/lib/Metamorph.php | 17 +- .../lib/SelectorGenerator.php | 100 +++++++ tools/css-selector-fuzz/lib/Worker.php | 116 ++++++++ tools/css-selector-fuzz/lib/autoload.php | 1 + tools/css-selector-fuzz/lib/util.php | 15 + 9 files changed, 767 insertions(+), 16 deletions(-) create mode 100644 tools/css-selector-fuzz/lexbor/build.sh create mode 100644 tools/css-selector-fuzz/lexbor/harness.c create mode 100644 tools/css-selector-fuzz/lib/LexborOracle.php diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index 48d5192927a59..3f73c562a6857 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -64,8 +64,42 @@ produces the same document, the same selector, and the same verdict. explicit `*` for an omitted type, and selector-list branch duplication. Skipped for ASTs containing invalid UTF-8 (reachable only from chaos/mutated inputs), which the renderer cannot round-trip. + - lexbor differential (third, independent oracle; requires the harness — + see below): on no-quirks documents whose selector parsed, a canonical + re-render of the verified AST is matched by liblexbor and compared, + as a multiset of fids, against the reference matcher. Gated on WP and + lexbor building the same element tree (fid/tag/ancestry), so it tests + the selector layer, not tree construction. Verdicts: `lexbor-divergence` + (lexbor ≠ reference) is a fuzzer-oracle problem; `match-mismatch-html` + with no accompanying divergence means reference == lexbor ≠ WP — a + high-confidence WP finding. - Repeating a case yields a byte-identical result digest (determinism). +## lexbor harness + +Build with `sh tools/css-selector-fuzz/lexbor/build.sh` (clones and builds +liblexbor, pinned to v3.0.0 = `2ae88a1c6b52`). The worker auto-detects the +binary at `tools/css-selector-fuzz/lexbor/harness` and reports per-batch +tallies (`compared` / `tree-gated` / `skipped-quirks` / `off`). + +Known lexbor issues compensated for at this pin: + +- [#368](https://github.com/lexbor/lexbor/issues/368) (open at v3.0.0): + class and `#id` selectors match ASCII case-insensitively even in + no-quirks documents (`[id=…]` attribute matching is correctly + case-sensitive). Detected by a startup probe; when present, lexbor is + compared against the reference matcher run with quirks-style class/ID + folding, and quirks-mode documents are excluded from the differential + entirely (the reference matcher is the sole quirks authority). +- lexbor rejects uppercase `I`/`S` attribute-selector modifiers, and its + non-ASCII ident-codepoint table omits U+00B7 and U+00C0–U+00F6 (it + starts at U+00F8), rejecting e.g. `.Über` while accepting `.über`. + Both sidestepped by the canonical re-render (lowercase modifiers, all + non-ASCII hex-escaped); both are candidate upstream reports, not WP + findings. +- `lxb_selectors_find` reports a node once per matching selector-list + branch; `LXB_SELECTORS_OPT_MATCH_FIRST` dedupes. + ## Usage Bounded fuzz run (process-isolated chunks, crash/hang attribution): diff --git a/tools/css-selector-fuzz/lexbor/build.sh b/tools/css-selector-fuzz/lexbor/build.sh new file mode 100644 index 0000000000000..186a7e5b703b6 --- /dev/null +++ b/tools/css-selector-fuzz/lexbor/build.sh @@ -0,0 +1,42 @@ +#!/bin/sh +# +# Builds the lexbor differential harness. +# +# Pinned lexbor version: v3.0.0 (2ae88a1c6b5261830eff73ee12bb3cdf805f3cfe). +# Note: lexbor issue #368 ("Class/ID selectors are ASCII case-insensitive +# even in no-quirks mode") is still OPEN at this version; the PHP adapter +# detects it at startup and compensates (see LexborOracle.php). +# +# Usage: +# sh tools/css-selector-fuzz/lexbor/build.sh [lexbor-src-dir] +# +# Produces tools/css-selector-fuzz/lexbor/harness. + +set -e + +HERE="$(cd "$(dirname "$0")" && pwd)" +SRC="${1:-/tmp/lexbor-src}" +PIN="2ae88a1c6b5261830eff73ee12bb3cdf805f3cfe" + +if [ ! -d "$SRC" ]; then + echo "Cloning lexbor into $SRC ..." + git clone https://github.com/lexbor/lexbor "$SRC" +fi + +git -C "$SRC" checkout --quiet "$PIN" + +if [ ! -f "$SRC/build/liblexbor_static.a" ]; then + echo "Building liblexbor_static ..." + mkdir -p "$SRC/build" + cd "$SRC/build" + cmake -DCMAKE_BUILD_TYPE=Release -DLEXBOR_BUILD_SHARED=OFF \ + -DLEXBOR_BUILD_STATIC=ON -DLEXBOR_BUILD_TESTS=OFF \ + -DLEXBOR_BUILD_EXAMPLES=OFF .. > /dev/null + make -j8 lexbor_static > /dev/null + cd "$HERE" +fi + +cc -O2 -Wall -Wextra -o "$HERE/harness" "$HERE/harness.c" \ + -I "$SRC/source" "$SRC/build/liblexbor_static.a" + +echo "Built $HERE/harness (lexbor $PIN)" diff --git a/tools/css-selector-fuzz/lexbor/harness.c b/tools/css-selector-fuzz/lexbor/harness.c new file mode 100644 index 0000000000000..a33a198090ddf --- /dev/null +++ b/tools/css-selector-fuzz/lexbor/harness.c @@ -0,0 +1,267 @@ +/* + * lexbor differential harness for the CSS selector fuzzer. + * + * Reads one case per line from stdin: + * + * base64(html) "\t" base64(selector) "\n" + * + * For each case, parses the HTML with lexbor, parses the selector with the + * lexbor CSS selectors module, runs lxb_selectors_find over the whole + * document, and emits: + * + * R "\t" TAG "\t" FID "\t" ANC1,ANC2,... one per element, document + * pre-order; ancestors are + * nearest-first uppercase tags + * M "\t" FID one per match, in find order + * X "\t" parse selector did not parse + * X "\t" html html did not parse + * D end of case (then flush) + * + * FID is the element's data-fid attribute value, or "(missing-fid:TAG)" + * for elements without one (matching the fuzzer's placeholder convention). + * Tags are ASCII-uppercased. + * + * Build: see build.sh next to this file. Pinned lexbor version recorded + * there and in the fuzzer README. + */ + +#include +#include +#include + +#include +#include +#include + +#define MAX_DEPTH 512 + +static unsigned char * +b64_decode(const char *in, size_t in_len, size_t *out_len) +{ + static const signed char table[256] = { + ['A'] = 0, ['B'] = 1, ['C'] = 2, ['D'] = 3, ['E'] = 4, + ['F'] = 5, ['G'] = 6, ['H'] = 7, ['I'] = 8, ['J'] = 9, + ['K'] = 10, ['L'] = 11, ['M'] = 12, ['N'] = 13, ['O'] = 14, + ['P'] = 15, ['Q'] = 16, ['R'] = 17, ['S'] = 18, ['T'] = 19, + ['U'] = 20, ['V'] = 21, ['W'] = 22, ['X'] = 23, ['Y'] = 24, + ['Z'] = 25, ['a'] = 26, ['b'] = 27, ['c'] = 28, ['d'] = 29, + ['e'] = 30, ['f'] = 31, ['g'] = 32, ['h'] = 33, ['i'] = 34, + ['j'] = 35, ['k'] = 36, ['l'] = 37, ['m'] = 38, ['n'] = 39, + ['o'] = 40, ['p'] = 41, ['q'] = 42, ['r'] = 43, ['s'] = 44, + ['t'] = 45, ['u'] = 46, ['v'] = 47, ['w'] = 48, ['x'] = 49, + ['y'] = 50, ['z'] = 51, ['0'] = 52, ['1'] = 53, ['2'] = 54, + ['3'] = 55, ['4'] = 56, ['5'] = 57, ['6'] = 58, ['7'] = 59, + ['8'] = 60, ['9'] = 61, ['+'] = 62, ['/'] = 63, + }; + + unsigned char *out = malloc(in_len / 4 * 3 + 4); + size_t o = 0; + unsigned int acc = 0; + int bits = 0; + + if (out == NULL) { + return NULL; + } + + for (size_t i = 0; i < in_len; i++) { + unsigned char c = (unsigned char) in[i]; + if (c == '=' || c == '\n' || c == '\r') { + continue; + } + if (c != 'A' && table[c] == 0 && c != 'A') { + if (c != 'A') { + /* invalid chars are skipped; base64 here is machine-made */ + } + } + acc = (acc << 6) | (unsigned int) table[c]; + bits += 6; + if (bits >= 8) { + bits -= 8; + out[o++] = (unsigned char) ((acc >> bits) & 0xFF); + } + } + + *out_len = o; + return out; +} + +static void +put_upper(const lxb_char_t *name, size_t len) +{ + for (size_t i = 0; i < len; i++) { + unsigned char c = name[i]; + if (c >= 'a' && c <= 'z') { + c = (unsigned char) (c - 'a' + 'A'); + } + putchar(c); + } +} + +static void +put_fid(lxb_dom_node_t *node) +{ + lxb_dom_element_t *element = lxb_dom_interface_element(node); + size_t value_len = 0; + const lxb_char_t *value = lxb_dom_element_get_attribute( + element, (const lxb_char_t *) "data-fid", 8, &value_len); + + if (value != NULL) { + fwrite(value, 1, value_len, stdout); + return; + } + + size_t name_len = 0; + const lxb_char_t *name = lxb_dom_element_qualified_name(element, &name_len); + fputs("(missing-fid:", stdout); + put_upper(name, name_len); + putchar(')'); +} + +struct walk_state { + const lxb_char_t *stack[MAX_DEPTH]; /* uppercase emitted on the fly */ + size_t stack_len[MAX_DEPTH]; + int depth; +}; + +static void +walk(lxb_dom_node_t *node, struct walk_state *state) +{ + for (lxb_dom_node_t *child = node->first_child; child != NULL; + child = child->next) { + if (child->type != LXB_DOM_NODE_TYPE_ELEMENT) { + continue; + } + + size_t name_len = 0; + const lxb_char_t *name = lxb_dom_element_qualified_name( + lxb_dom_interface_element(child), &name_len); + + fputs("R\t", stdout); + put_upper(name, name_len); + putchar('\t'); + put_fid(child); + putchar('\t'); + for (int i = state->depth - 1; i >= 0; i--) { + put_upper(state->stack[i], state->stack_len[i]); + if (i > 0) { + putchar(','); + } + } + putchar('\n'); + + if (state->depth < MAX_DEPTH) { + state->stack[state->depth] = name; + state->stack_len[state->depth] = name_len; + state->depth++; + walk(child, state); + state->depth--; + } + } +} + +static lxb_status_t +find_callback(lxb_dom_node_t *node, lxb_css_selector_specificity_t spec, + void *ctx) +{ + (void) spec; + (void) ctx; + fputs("M\t", stdout); + put_fid(node); + putchar('\n'); + return LXB_STATUS_OK; +} + +int +main(void) +{ + char *line = NULL; + size_t line_cap = 0; + ssize_t line_len; + + while ((line_len = getline(&line, &line_cap, stdin)) > 0) { + char *tab = memchr(line, '\t', (size_t) line_len); + if (tab == NULL) { + fputs("X\tprotocol\nD\n", stdout); + fflush(stdout); + continue; + } + + size_t html_len = 0; + size_t selector_len = 0; + unsigned char *html = b64_decode(line, (size_t) (tab - line), &html_len); + unsigned char *selector = b64_decode( + tab + 1, (size_t) (line + line_len - tab - 1), &selector_len); + + if (html == NULL || selector == NULL) { + fputs("X\tprotocol\nD\n", stdout); + fflush(stdout); + free(html); + free(selector); + continue; + } + + lxb_html_document_t *document = lxb_html_document_create(); + if (lxb_html_document_parse(document, html, html_len) + != LXB_STATUS_OK) { + fputs("X\thtml\nD\n", stdout); + fflush(stdout); + lxb_html_document_destroy(document); + free(html); + free(selector); + continue; + } + + struct walk_state state = { .depth = 0 }; + walk(lxb_dom_interface_node(document), &state); + + /* + * Parser and selectors engine are created per case: + * lxb_css_selector_list_destroy_memory() releases the parser's + * whole arena, so reuse across cases is unsafe. + */ + lxb_css_parser_t *parser = lxb_css_parser_create(); + lxb_selectors_t *selectors = lxb_selectors_create(); + if (lxb_css_parser_init(parser, NULL) != LXB_STATUS_OK + || lxb_selectors_init(selectors) != LXB_STATUS_OK) { + fputs("X\tinit\nD\n", stdout); + fflush(stdout); + lxb_selectors_destroy(selectors, true); + lxb_css_parser_destroy(parser, true); + lxb_html_document_destroy(document); + free(html); + free(selector); + continue; + } + + /* Report each node once even when several list branches match. */ + lxb_selectors_opt_set(selectors, LXB_SELECTORS_OPT_MATCH_FIRST); + + lxb_css_selector_list_t *list = lxb_css_selectors_parse( + parser, selector, selector_len); + + if (parser->status != LXB_STATUS_OK || list == NULL) { + fputs("X\tparse\n", stdout); + } + else { + lxb_status_t status = lxb_selectors_find( + selectors, lxb_dom_interface_node(document), list, + find_callback, NULL); + if (status != LXB_STATUS_OK) { + fputs("X\tfind\n", stdout); + } + lxb_css_selector_list_destroy_memory(list); + } + + fputs("D\n", stdout); + fflush(stdout); + + lxb_selectors_destroy(selectors, true); + lxb_css_parser_destroy(parser, true); + lxb_html_document_destroy(document); + free(html); + free(selector); + } + + free(line); + return EXIT_SUCCESS; +} diff --git a/tools/css-selector-fuzz/lib/LexborOracle.php b/tools/css-selector-fuzz/lib/LexborOracle.php new file mode 100644 index 0000000000000..a7a6864aa62ab --- /dev/null +++ b/tools/css-selector-fuzz/lib/LexborOracle.php @@ -0,0 +1,191 @@ + fuzzer-oracle problem ( investigate + * the fuzzer, 'lexbor-divergence' ). + * reference == lexbor != WP => high-confidence WP finding ( the + * regular match-mismatch-html failure + * with no accompanying divergence ). + * + * Known bug compensated for: lexbor #368 — class and #id selectors match + * ASCII case-insensitively even in no-quirks mode ( attribute selectors + * like [id=x] are correctly case-sensitive ). Detected by probe at startup; + * when present, lexbor is compared against the reference matcher run with + * quirks-style class/ID folding. Open at the pinned v3.0.0. + */ +class LexborOracle { + + const READ_TIMEOUT_SECONDS = 5; + + /** @var resource|null */ + private static $process = null; + /** @var array|null */ + private static $pipes = null; + /** @var bool|null */ + private static $available = null; + /** @var bool */ + private static $issue368 = false; + + public static function harness_path(): string { + return dirname( __DIR__ ) . '/lexbor/harness'; + } + + /** Whether the harness is built, starts, and answered the probes. */ + public static function available(): bool { + if ( null !== self::$available ) { + return self::$available; + } + + self::$available = false; + if ( ! is_executable( self::harness_path() ) || ! self::start() ) { + return false; + } + + // Probe: sanity plus issue-#368 detection. + $sane = self::query( '
', 'div.a' ); + if ( null === $sane || array( 'x' ) !== $sane['matches'] ) { + self::stop(); + return false; + } + + $folded = self::query( '
', '.A' ); + self::$issue368 = null !== $folded && array( 'x' ) === $folded['matches']; + self::$available = true; + return true; + } + + /** Whether the pinned lexbor exhibits issue #368 ( class/ID case folding ). */ + public static function has_issue_368(): bool { + return self::$issue368; + } + + /** + * Runs one case through lexbor. + * + * @return array{ + * rows: array, + * matches: string[], + * error: string|null, + * }|null Null when the harness is unavailable or misbehaved ( the + * harness is stopped; the caller should skip the differential ). + */ + public static function query( string $html, string $selector ): ?array { + if ( null === self::$process && ! self::start() ) { + return null; + } + + $line = base64_encode( $html ) . "\t" . base64_encode( $selector ) . "\n"; + $written = fwrite( self::$pipes[0], $line ); + fflush( self::$pipes[0] ); + if ( strlen( $line ) !== $written ) { + self::stop(); + self::$available = false; + return null; + } + + $rows = array(); + $matches = array(); + $error = null; + + while ( true ) { + $response = self::read_line(); + if ( null === $response ) { + self::stop(); + self::$available = false; + return null; + } + if ( 'D' === $response ) { + break; + } + + $parts = explode( "\t", $response ); + switch ( $parts[0] ) { + case 'R': + $rows[] = array( + 'tag' => $parts[1] ?? '', + 'fid' => $parts[2] ?? '', + 'ancestorTags' => '' === ( $parts[3] ?? '' ) ? array() : explode( ',', $parts[3] ), + ); + break; + case 'M': + $matches[] = $parts[1] ?? ''; + break; + case 'X': + $error = $parts[1] ?? 'unknown'; + break; + } + } + + return array( + 'rows' => $rows, + 'matches' => $matches, + 'error' => $error, + ); + } + + private static function start(): bool { + $descriptors = array( + 0 => array( 'pipe', 'r' ), + 1 => array( 'pipe', 'w' ), + 2 => array( 'file', '/dev/null', 'w' ), + ); + + $process = proc_open( array( self::harness_path() ), $descriptors, $pipes ); + if ( ! is_resource( $process ) ) { + return false; + } + + self::$process = $process; + self::$pipes = $pipes; + stream_set_blocking( $pipes[1], false ); + return true; + } + + private static function stop(): void { + if ( null === self::$process ) { + return; + } + @fclose( self::$pipes[0] ); + @fclose( self::$pipes[1] ); + @proc_terminate( self::$process, 9 ); + @proc_close( self::$process ); + self::$process = null; + self::$pipes = null; + } + + /** Reads one newline-terminated line with a timeout; null on failure. */ + private static function read_line(): ?string { + $line = ''; + $deadline = microtime( true ) + self::READ_TIMEOUT_SECONDS; + + while ( true ) { + $read = array( self::$pipes[1] ); + $write = null; + $except = null; + $left = $deadline - microtime( true ); + if ( $left <= 0 ) { + return null; + } + $ready = stream_select( $read, $write, $except, 0, (int) ( $left * 1e6 ) ); + if ( false === $ready || 0 === $ready ) { + return null; + } + $chunk = fgets( self::$pipes[1] ); + if ( false === $chunk ) { + return null; + } + $line .= $chunk; + if ( str_ends_with( $line, "\n" ) ) { + return substr( $line, 0, -1 ); + } + } + } +} diff --git a/tools/css-selector-fuzz/lib/Metamorph.php b/tools/css-selector-fuzz/lib/Metamorph.php index 017b65fdd09f5..44e0e434ff4b2 100644 --- a/tools/css-selector-fuzz/lib/Metamorph.php +++ b/tools/css-selector-fuzz/lib/Metamorph.php @@ -41,7 +41,7 @@ public static function variants( array $list_ast, Prng $prng ): array { * UTF-8 names, so such ASTs (only reachable from chaos/mutated * inputs) are not transformable. */ - if ( ! self::ast_strings_are_utf8( $list_ast ) ) { + if ( ! ast_strings_are_utf8( $list_ast ) ) { return array(); } @@ -109,21 +109,6 @@ static function ( string $type ) use ( $prng ): string { return $out; } - /** Whether every string anywhere in the AST is valid UTF-8. */ - private static function ast_strings_are_utf8( $node ): bool { - if ( is_string( $node ) ) { - return (bool) preg_match( '//u', $node ); - } - if ( is_array( $node ) ) { - foreach ( $node as $child ) { - if ( ! self::ast_strings_are_utf8( $child ) ) { - return false; - } - } - } - return true; - } - /** Applies $fn to every type-selector name: compound types and context types. */ private static function map_types( array $list_ast, callable $fn ): array { foreach ( $list_ast as &$complex ) { diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index a7956ce709e11..131c3e970cefb 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -56,6 +56,106 @@ public static function render( Prng $prng, array $list_ast, bool $escape_boost = return $generator->render_complex_list( $list_ast ); } + /** + * Renders a canonical complex-list AST deterministically with minimal + * escaping: single spaces around combinators, `, ` between branches, + * double-quoted attribute values, lowercase `i`/`s` modifiers, and all + * non-ASCII codepoints hex-escaped. Used to hand a semantically-identical + * selector to external engines: lexbor rejects some byte-level forms WP + * correctly accepts ( uppercase I/S attribute modifiers; raw non-ASCII + * ident codepoints in U+00B7, U+00C0-U+00F6 — its non-ASCII ident table + * starts at U+00F8 ). Escaping sidesteps codepoint classification. + */ + public static function render_canonical( array $list_ast ): string { + $branches = array(); + foreach ( $list_ast as $complex ) { + $out = ''; + foreach ( array_reverse( $complex['context'] ) as $pair ) { + list( $type, $combinator ) = $pair; + $out .= '*' === $type ? '*' : self::canonical_ident( $type ); + $out .= '>' === $combinator ? ' > ' : ' '; + } + + $compound = $complex['self']; + if ( null !== $compound['type'] ) { + $out .= '*' === $compound['type'] ? '*' : self::canonical_ident( $compound['type'] ); + } + foreach ( (array) $compound['subs'] as $sub ) { + switch ( $sub['kind'] ) { + case 'class': + $out .= '.' . self::canonical_ident( $sub['name'] ); + break; + case 'id': + $out .= '#' . self::canonical_ident( $sub['name'] ); + break; + case 'attr': + $out .= '[' . self::canonical_ident( $sub['name'] ); + if ( null !== $sub['matcher'] ) { + $matchers = array( + 'exact' => '=', + 'one-of' => '~=', + 'exact-or-hyphen-suffixed' => '|=', + 'prefixed' => '^=', + 'suffixed' => '$=', + 'contains' => '*=', + ); + $out .= $matchers[ $sub['matcher'] ] . self::canonical_string( (string) $sub['value'] ); + if ( 'case-insensitive' === $sub['modifier'] ) { + $out .= ' i'; + } elseif ( 'case-sensitive' === $sub['modifier'] ) { + $out .= ' s'; + } + } + $out .= ']'; + break; + } + } + $branches[] = $out; + } + return implode( ', ', $branches ); + } + + private static function canonical_ident( string $name ): string { + $points = utf8_codepoints( $name ); + $count = count( $points ); + $out = ''; + + foreach ( $points as $i => $point ) { + list( $char, $cp ) = $point; + + $is_digit = $cp >= 0x30 && $cp <= 0x39; + $is_ident_char = ( + '-' === $char || + '_' === $char || + $is_digit || + ( $cp >= 0x41 && $cp <= 0x5A ) || + ( $cp >= 0x61 && $cp <= 0x7A ) + ); + + $must_escape = ! $is_ident_char + || ( 0 === $i && $is_digit ) + || ( 1 === $i && '-' === $points[0][0] && $is_digit ) + || ( 1 === $count && '-' === $char ); + + $out .= $must_escape ? '\\' . dechex( $cp ) . ' ' : $char; + } + + return $out; + } + + private static function canonical_string( string $value ): string { + $out = '"'; + foreach ( utf8_codepoints( $value ) as $point ) { + list( $char, $cp ) = $point; + if ( '"' === $char || '\\' === $char || $cp < 0x20 || $cp > 0x7E ) { + $out .= '\\' . dechex( $cp ) . ' '; + } else { + $out .= $char; + } + } + return $out . '"'; + } + /** * @param array $pools Pools from DocumentGenerator ( tags, classes, ids, attrNames, attrValues ). * @param array|null $rows Element rows ( TreeCapture shape ) with real diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index df7e48e8506e2..49b79fd39241a 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -245,6 +245,7 @@ static function () use ( $complex_list ) { // --- Match phase --------------------------------------------------- $html_matches = null; + $lexbor_state = 'off'; if ( null !== $complex_ast && null !== $rows ) { $expected = ReferenceMatcher::expected_html_matches_rows( $complex_ast, $rows, $quirks ); @@ -278,6 +279,8 @@ static function () use ( $complex_list ) { } $html_matches = self::check_select_matches( 'html', $selector_string, $document, $expected, $record ); + + $lexbor_state = self::check_lexbor_differential( $complex_ast, $selector_string, $document, $rows, $quirks, $expected, $record ); } elseif ( null === $complex_list && null === $complex_error ) { self::check_select_rejection( 'html', $selector_string, $document, $record ); } @@ -324,6 +327,7 @@ static function ( $failure ) { 'failures' => $failures, 'selector' => $selector_string, 'html' => $document['html'], + 'lexbor' => $lexbor_state, ); } @@ -479,6 +483,115 @@ private static function check_select_matches( string $target, string $selector_s return $actual; } + /** + * Runs the lexbor differential — the THIRD, independent matching opinion. + * + * Quirks-mode documents are excluded ( lexbor #368 makes its quirks + * behavior untrustworthy and WP's quirks class/ID folding is owned by + * ReferenceMatcher ). The comparison only runs when lexbor built the + * same element tree as WP ( fid/tag/ancestry multiset ), so it tests + * the selector layer, not tree construction. + * + * Verdict triage: + * - 'lexbor-divergence' lexbor != reference: a fuzzer-oracle problem + * ( or an un-compensated lexbor bug ) — never a + * WP verdict on its own. + * - 'lexbor-parse-reject' lexbor refused a selector WP accepted. + * - match-mismatch-html with NO lexbor-divergence on the same case + * means reference == lexbor != WP: a + * high-confidence WP finding. + * + * @return string Tally state: off|skipped-quirks|error|tree-gated|compared. + */ + private static function check_lexbor_differential( array $complex_ast, string $selector_string, array $document, array $rows, bool $quirks, array $expected, callable $record ): string { + if ( ! LexborOracle::available() ) { + return 'off'; + } + if ( $quirks ) { + return 'skipped-quirks'; + } + + /* + * lexbor receives a canonical re-render of the (already verified) + * AST rather than the original byte form: the differential targets + * matching semantics, while byte-level parsing (escapes, whitespace, + * modifier case — lexbor e.g. rejects uppercase I/S modifiers) is + * covered by the AST round-trip and metamorphic invariants. ASTs + * containing invalid UTF-8 cannot be re-rendered and are skipped. + */ + if ( ! ast_strings_are_utf8( $complex_ast ) ) { + return 'skipped-utf8'; + } + $canonical = SelectorGenerator::render_canonical( $complex_ast ); + + $lex = LexborOracle::query( $document['html'], $canonical ); + if ( null === $lex ) { + return 'error'; + } + + if ( 'parse' === $lex['error'] ) { + $record( + 'lexbor-parse-reject', + array( + 'note' => 'lexbor rejected the canonical form of a selector the WP parser accepted', + 'canonical' => printable_bytes( $canonical ), + ) + ); + return 'compared'; + } + if ( null !== $lex['error'] ) { + return 'error'; + } + + if ( ! self::trees_agree( $rows, $lex['rows'] ) ) { + return 'tree-gated'; + } + + /* + * lexbor #368: class/#id match ASCII case-insensitively even in + * no-quirks documents. Compare lexbor against the reference run + * with quirks-style class/ID folding ( the only thing the flag + * affects ) so the rest of the semantics still get differential + * coverage; WP itself is still held to the strict expectation. + */ + $expected_for_lexbor = LexborOracle::has_issue_368() + ? ReferenceMatcher::expected_html_matches_rows( $complex_ast, $rows, true ) + : $expected; + + // lexbor reports in document order, WP/reference in visit order — + // compare as multisets. + $lex_matches = $lex['matches']; + sort( $lex_matches ); + sort( $expected_for_lexbor ); + + if ( $lex_matches !== $expected_for_lexbor ) { + $record( + 'lexbor-divergence', + array( + 'reference' => $expected_for_lexbor, + 'lexbor' => $lex_matches, + 'issue368' => LexborOracle::has_issue_368(), + ) + ); + } + + return 'compared'; + } + + /** Multiset equality of ( tag, fid, ancestry ) between WP and lexbor rows. */ + private static function trees_agree( array $wp_rows, array $lexbor_rows ): bool { + $serialize = static function ( array $rows ): array { + $out = array(); + foreach ( $rows as $row ) { + $out[] = $row['tag'] . '|' . $row['fid'] . '|' . implode( ',', $row['ancestorTags'] ); + } + sort( $out ); + return $out; + }; + + return $serialize( $wp_rows ) === $serialize( $lexbor_rows ); + } + /** * Checks the metamorphic relations: each meaning-preserving transform of * the parsed selector must parse, must (for AST-preserving transforms) @@ -660,6 +773,7 @@ public static function run_batch( array $options ): array { $failures = 0; $buckets = array(); $signatures = array(); + $lexbor = array(); $last_seed = null; $stop_reason = 'completed'; @@ -688,6 +802,7 @@ public static function run_batch( array $options ): array { } $buckets[ $result['bucket'] ] = ( $buckets[ $result['bucket'] ] ?? 0 ) + 1; + $lexbor[ $result['lexbor'] ] = ( $lexbor[ $result['lexbor'] ] ?? 0 ) + 1; $last_seed = $seed; foreach ( $result['failures'] as $failure ) { @@ -722,6 +837,7 @@ public static function run_batch( array $options ): array { 'failures' => $failures, 'buckets' => $buckets, 'signatures' => $signatures, + 'lexbor' => $lexbor, 'stopReason' => $stop_reason, 'durationMs' => (int) round( 1000 * ( microtime( true ) - $started_at ) ), ); diff --git a/tools/css-selector-fuzz/lib/autoload.php b/tools/css-selector-fuzz/lib/autoload.php index 2a26cbdb9f407..6ebdcbc75d6c3 100644 --- a/tools/css-selector-fuzz/lib/autoload.php +++ b/tools/css-selector-fuzz/lib/autoload.php @@ -9,4 +9,5 @@ require_once __DIR__ . '/AstExtractor.php'; require_once __DIR__ . '/ReferenceMatcher.php'; require_once __DIR__ . '/Metamorph.php'; +require_once __DIR__ . '/LexborOracle.php'; require_once __DIR__ . '/Worker.php'; diff --git a/tools/css-selector-fuzz/lib/util.php b/tools/css-selector-fuzz/lib/util.php index 01e7dc20b7a73..6fe6662a6a3b8 100644 --- a/tools/css-selector-fuzz/lib/util.php +++ b/tools/css-selector-fuzz/lib/util.php @@ -118,6 +118,21 @@ function git_metadata(): array { ); } +/** Whether every string anywhere in a nested array is valid UTF-8. */ +function ast_strings_are_utf8( $node ): bool { + if ( is_string( $node ) ) { + return (bool) preg_match( '//u', $node ); + } + if ( is_array( $node ) ) { + foreach ( $node as $child ) { + if ( ! ast_strings_are_utf8( $child ) ) { + return false; + } + } + } + return true; +} + function ascii_strtolower( string $input ): string { return strtr( $input, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz' ); } From 7b3bbcf032b31bb7f154b98c3ae0d25036cf8763 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 13:46:11 +0200 Subject: [PATCH 161/187] CSS selector fuzz: coverage measurement + unreachable-branch generators MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add coverage.php (phpdbg opcode log, chunked to bound memory) reporting line coverage of src/wp-includes/html-api/css/. Add the edge-escape selector bucket to reach branches the structural generators cannot: hex escapes for NUL / surrogate / over-max codepoints (decode to U+FFFD) and raw NUL / CR / CRLF / FF in the selector input (normalize_selector_input). Two invalid templates ([ a, [a="x\) added for attribute/string parse guards. Result: 376/401 lines (93.8%); 388/401 = 96.8% of reachable code. The 25 unreached lines are itemized in COVERAGE.md: 12 are a phpdbg case-label artifact (bodies verified executing), 13 are defensive guards the public API cannot reach (e.g. the match-time unsupported-combinator arm — the parser only emits ' ' and '>'). --- tools/css-selector-fuzz/COVERAGE.md | 75 ++++++++++ tools/css-selector-fuzz/README.md | 9 ++ tools/css-selector-fuzz/coverage.php | 92 ++++++++++++ .../lib/SelectorGenerator.php | 140 ++++++++++++++++-- 4 files changed, 307 insertions(+), 9 deletions(-) create mode 100644 tools/css-selector-fuzz/COVERAGE.md create mode 100644 tools/css-selector-fuzz/coverage.php diff --git a/tools/css-selector-fuzz/COVERAGE.md b/tools/css-selector-fuzz/COVERAGE.md new file mode 100644 index 0000000000000..e69e34cf38a17 --- /dev/null +++ b/tools/css-selector-fuzz/COVERAGE.md @@ -0,0 +1,75 @@ +# CSS Selector Fuzzer — Coverage Report + +Line coverage of `src/wp-includes/html-api/css/` under the fuzzer, measured +with phpdbg's opcode log over 3000 deterministic seeds: + + phpdbg -qrr tools/css-selector-fuzz/coverage.php --seeds 3000 --list-uncovered + +| file | covered / executable | % | +|---|---|---| +| class-wp-css-attribute-selector.php | 102 / 112 | 91.1% | +| class-wp-css-class-selector.php | 10 / 10 | 100% | +| class-wp-css-complex-selector-list.php | 16 / 16 | 100% | +| class-wp-css-complex-selector.php | 59 / 66 | 89.4% | +| class-wp-css-compound-selector-list.php | 27 / 28 | 96.4% | +| class-wp-css-compound-selector.php | 29 / 32 | 90.6% | +| class-wp-css-id-selector.php | 12 / 12 | 100% | +| class-wp-css-selector-parser-matcher.php | 106 / 108 | 98.1% | +| class-wp-css-type-selector.php | 15 / 17 | 88.2% | +| **TOTAL** | **376 / 401** | **93.8%** | + +The 25 unreached lines are all accounted for below. Twelve are a phpdbg +measurement artifact (the code executes); the other thirteen are defensive +guards that the public entry points cannot reach. Effective coverage of +reachable code is **388 / 401 = 96.8%**. + +## phpdbg `case`-label artifact (12 lines — code executes) + +phpdbg attributes a `switch` arm's execution to the body line, not the bare +`case X:` label line. The fuzzer exercises every one of these arms (verified +directly: the body line immediately after each label is covered, and the +lexbor differential + self-check confirm the corresponding behavior). These +are not real gaps: + +- `class-wp-css-attribute-selector.php` + - 287, 291, 295, 299, 303 — the `~= |= ^= $= *=` matcher operators. + - 330, 331, 336, 337 — the `i`/`I`/`s`/`S` case modifiers. +- `class-wp-css-compound-selector.php` + - 120, 122, 124 — the `.` / `#` / `[` subclass-selector dispatch. + +## Defensive guards unreachable from the public API (13 lines) + +These are internal precondition checks that the calling code already +guarantees, or branches for grammar the parser never emits: + +- `class-wp-css-attribute-selector.php:257` — `return null` when the first + byte is not `[`. `parse()` is only ever called by + `parse_subclass_selector()` *after* it has matched `[`, so the guard never + fires. +- `class-wp-css-complex-selector.php:170–179` — the `_doing_it_wrong` + "unsupported combinator" arm in the match walker. The parser only ever + stores `' '` (descendant) or `'>'` (child) combinators, so the match-time + default arm is dead defensively. +- `class-wp-css-compound-selector-list.php:87` — `return false` when the + processor is not on a `#tag` token. `select()` only invokes matching while + positioned on a tag; reachable only by calling `matches()` directly off a + non-tag token. +- `class-wp-css-selector-parser-matcher.php:130` — `parse_string()` EOF + guard; every caller checks bounds and the opening quote before calling. +- `class-wp-css-selector-parser-matcher.php:429` — + `check_if_three_code_points_would_start_an_ident_sequence()` EOF guard; + callers bound-check first. +- `class-wp-css-type-selector.php:45` — `return false` when `get_tag()` is + null during matching; matching only runs on resolved element tokens. +- `class-wp-css-type-selector.php:75` — `parse()` EOF guard; the compound + parser checks `offset < strlen` before calling. + +## Notes on what raised coverage + +- The `edge-escape` bucket drives the U+FFFD escape-decoder branch + (`consume_escaped_codepoint` for NUL / surrogate / over-max codepoints) + and the `normalize_selector_input` NUL→U+FFFD and CR/CRLF/FF→LF paths, + which the structural generators cannot reach. +- A few `invalid`-bucket templates (`[ a`, `[a="x\`) were added to reach + attribute/string parse guards that random structural generation rarely + lands on. diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index 3f73c562a6857..a6bad339034e7 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -41,6 +41,10 @@ produces the same document, the same selector, and the same verdict. - `chaos` — arbitrary bytes; no parse expectation. - `mutated` — a supported selector with random byte mutations; no parse expectation. + - `edge-escape` — selectors that exercise otherwise-unreachable parser + branches: hex escapes for NUL / surrogate / over-max codepoints (must + decode to U+FFFD) and raw NUL / CR / CRLF / FF bytes in the input (must + normalize per `normalize_selector_input`); carries the intended AST. 4. Check invariants: - No PHP error/warning/exception from parsing or matching, ever. - Parse result (instance vs `null`) matches the bucket's expectation. @@ -123,6 +127,11 @@ Run a batch in-process (no isolation, faster): php tools/css-selector-fuzz/worker.php --start-seed 1 --count 500 +Measure line coverage of the `css/` classes (see `COVERAGE.md` for the +current report and a justified list of unreached lines): + + phpdbg -qrr tools/css-selector-fuzz/coverage.php --seeds 3000 --list-uncovered + Options of note: - `runner.php --stop-on-failure` stops at the first failing chunk. diff --git a/tools/css-selector-fuzz/coverage.php b/tools/css-selector-fuzz/coverage.php new file mode 100644 index 0000000000000..64c60a7d5e42c --- /dev/null +++ b/tools/css-selector-fuzz/coverage.php @@ -0,0 +1,92 @@ +#!/usr/bin/env php + $lines ) { + foreach ( $lines as $line => $hits ) { + $oplog[ $file ][ $line ] = true; + } + } +} + +$executable = phpdbg_get_executable( array( 'files' => $targets ) ); + +$total_exec = 0; +$total_covered = 0; + +foreach ( $targets as $file ) { + $exec_lines = array_keys( $executable[ $file ] ?? array() ); + $covered_lines = array_keys( $oplog[ $file ] ?? array() ); + $covered_lines = array_intersect( $covered_lines, $exec_lines ); + $uncovered = array_diff( $exec_lines, $covered_lines ); + + $total_exec += count( $exec_lines ); + $total_covered += count( $covered_lines ); + + printf( + "%-55s %4d/%4d lines %5.1f%%\n", + basename( $file ), + count( $covered_lines ), + count( $exec_lines ), + count( $exec_lines ) > 0 ? 100 * count( $covered_lines ) / count( $exec_lines ) : 100 + ); + + if ( $list_uncovered && array() !== $uncovered ) { + $source = file( $file ); + sort( $uncovered ); + foreach ( $uncovered as $line ) { + printf( " !%4d %s\n", $line, rtrim( $source[ $line - 1 ] ?? '' ) ); + } + } +} + +printf( + "%-55s %4d/%4d lines %5.1f%%\n", + 'TOTAL', + $total_covered, + $total_exec, + $total_exec > 0 ? 100 * $total_covered / $total_exec : 100 +); diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index 131c3e970cefb..7bf1851f192e6 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -31,6 +31,7 @@ class SelectorGenerator { 'invalid', 'chaos', 'mutated', + 'edge-escape', ); /** @var Prng */ @@ -177,21 +178,23 @@ public static function generate( Prng $prng, array $pools, ?array $rows = null, $bucket = $prng->weighted( null === $rows || array() === $rows ? array( - 'supported-compound' => 30, - 'supported-complex' => 25, - 'unsupported' => 15, - 'invalid' => 12, + 'supported-compound' => 28, + 'supported-complex' => 24, + 'unsupported' => 14, + 'invalid' => 11, 'chaos' => 8, 'mutated' => 10, + 'edge-escape' => 5, ) : array( - 'supported-compound' => 24, - 'supported-complex' => 20, - 'path-directed' => 22, - 'unsupported' => 12, - 'invalid' => 10, + 'supported-compound' => 23, + 'supported-complex' => 19, + 'path-directed' => 21, + 'unsupported' => 11, + 'invalid' => 9, 'chaos' => 6, 'mutated' => 6, + 'edge-escape' => 5, ) ); } @@ -224,6 +227,9 @@ public static function generate( Prng $prng, array $pools, ?array $rows = null, case 'path-directed': return $generator->gen_path_directed( $rows ); + case 'edge-escape': + return $generator->gen_edge_escape(); + case 'unsupported': return array( 'bucket' => $bucket, @@ -521,6 +527,120 @@ private function pick_name( string $pool_key ): string { ); } + /* + * --------------------------- + * Edge-case escapes and input + * --------------------------- + * + * Targets parser branches the structural generators can't reach: + * - hex escapes whose codepoint is NUL / a surrogate / over-max, which + * `consume_escaped_codepoint` must decode to U+FFFD; + * - raw NUL / CR / CRLF / FF bytes in the selector input, which + * `normalize_selector_input` rewrites ( NUL→U+FFFD, the rest→LF ). + * + * These carry a known intended AST: the decoded ident is the U+FFFD + * replacement character ( or, for input normalization, the same selector + * with whitespace normalized ), so the AST round-trip still applies. + */ + private function gen_edge_escape(): array { + $kind = $this->prng->weighted( + array( + 'fffd-ident' => 50, + 'nul-input' => 25, + 'ws-input' => 25, + ) + ); + + if ( 'fffd-ident' === $kind ) { + // A class selector whose name is a single U+FFFD, produced by a + // hex escape for an out-of-range codepoint. + $hex = $this->prng->choice( + array( + '0', + '00', + '000000', + dechex( $this->prng->int( 0xD800, 0xDFFF ) ), // surrogate + dechex( $this->prng->int( 0x110000, 0xFFFFFF ) ), // over-max + ) + ); + if ( $this->prng->chance( 40 ) ) { + $hex = strtoupper( $hex ); + } + $selector = '.\\' . $hex . ' '; + $ast = array( + array( + 'context' => array(), + 'self' => array( + 'type' => null, + 'subs' => array( array( 'kind' => 'class', 'name' => "\u{FFFD}" ) ), + ), + ), + ); + return array( + 'bucket' => 'edge-escape', + 'selector' => $selector, + 'expectCompound' => true, + 'expectComplex' => true, + 'ast' => $ast, + ); + } + + /* + * Raw control bytes in the selector input. A small fixed compound + * keeps the case focused on normalize_selector_input and avoids + * entangling with unrelated attribute-selector edge cases. + */ + $compound = array( + 'type' => $this->prng->chance( 50 ) ? 'span' : null, + 'subs' => array( + array( 'kind' => 'class', 'name' => 'foo' ), + array( 'kind' => 'id', 'name' => 'bar' ), + ), + ); + if ( null === $compound['type'] && $this->prng->chance( 50 ) ) { + array_pop( $compound['subs'] ); + } + $rendered = $this->render_compound( $compound ); + + if ( 'nul-input' === $kind ) { + // A NUL between a class dot's selectors becomes part of an ident + // only in limited spots; simplest reliable case: a class whose + // name contains a NUL ( → U+FFFD ). + $ast = array( + array( + 'context' => array(), + 'self' => array( + 'type' => null, + 'subs' => array( array( 'kind' => 'class', 'name' => "a\u{FFFD}b" ) ), + ), + ), + ); + return array( + 'bucket' => 'edge-escape', + 'selector' => ".a\0b", + 'expectCompound' => true, + 'expectComplex' => true, + 'ast' => $ast, + ); + } + + // ws-input: wrap/insert CR, CRLF, FF as insignificant whitespace. + $lead = $this->prng->choice( array( "\r", "\f", "\r\n", "\r\r", "\f\f" ) ); + $trail = $this->prng->choice( array( "\r", "\f", "\r\n", '' ) ); + return array( + 'bucket' => 'edge-escape', + 'selector' => $lead . $rendered . $trail, + 'expectCompound' => true, + 'expectComplex' => true, + 'ast' => array( + array( + 'context' => array(), + 'self' => $compound, + ), + ), + ); + } + /* * ------------------------ * Path-directed generation @@ -1164,8 +1284,10 @@ private function gen_invalid(): string { '..a', '.#a', '[a', + '[ a', '[a=', '[a=]', + '[a="x\\', '[=b]', '[a==b]', '[a~b]', From 69f3fefad3e3d04b41dfebd991ca6f03bd1058c9 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 13:53:58 +0200 Subject: [PATCH 162/187] CSS selector fuzz: automatic delta-debugging minimizer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add minimize.php and Worker::run_pair. run_pair runs only the self-contained invariants — those computable from a (selector, html) pair without the generator's intended AST or parse expectation: WP select() vs the reference matcher over WP's own parsed AST and the captured tree, the metamorphic relations, the lexbor differential, and parse/shape/cross-grammar/rejection checks. All three known bugs reduce to a self-contained signature (Bug 1 -> metamorphic-ast, Bug 2 -> match-mismatch-html, Bug 3 -> metamorphic-parse). minimize.php ddmin-shrinks the HTML then the selector (HTML first so a selector-only signature collapses the document cheaply), preserving a chosen target signature. The metamorphic stage runs only when the target is itself metamorphic, stops at the first reproducing draw, and uses a fixed draw seed so shrinking stays monotonic. Verified on unpatched core: Bug 2 -> [type*=""] on (8 bytes); Bug 3 -> a[aa="a"] (empty html); Bug 1 -> a 19-byte selector, empty html. --- tools/css-selector-fuzz/README.md | 11 ++ tools/css-selector-fuzz/lib/Worker.php | 164 +++++++++++++++++++++ tools/css-selector-fuzz/minimize.php | 189 +++++++++++++++++++++++++ 3 files changed, 364 insertions(+) create mode 100644 tools/css-selector-fuzz/minimize.php diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index a6bad339034e7..ffa12efda964d 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -123,6 +123,17 @@ Probe a specific selector: php tools/css-selector-fuzz/replay.php --selector 'section > div.cls' --html '
' +Minimize a failing case to a small reproducer (delta-debugging; shrinks +both the selector and the HTML while preserving a failure signature): + + php tools/css-selector-fuzz/minimize.php --seed 1234 + php tools/css-selector-fuzz/minimize.php --selector 'sel' --html '<…>' --signature match-mismatch + +The minimizer drives `Worker::run_pair`, which checks only self-contained +invariants — those computable from the (selector, html) pair without the +generator's intended AST. All three known bugs reduce to one: Bug 1 → +`metamorphic-ast`, Bug 2 → `match-mismatch-html`, Bug 3 → `metamorphic-parse`. + Run a batch in-process (no isolation, faster): php tools/css-selector-fuzz/worker.php --start-seed 1 --count 500 diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index 49b79fd39241a..e81f1ba677de9 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -43,6 +43,9 @@ class Worker { const SELECT_ITERATION_LIMIT = 10000; + /** Metamorphic PRNG draws tried per pair in run_pair (minimizer). */ + const PAIR_METAMORPH_DRAWS = 12; + /** * Runs a single fuzz case. * @@ -331,6 +334,167 @@ static function ( $failure ) { ); } + /** + * Runs the SELF-CONTAINED invariants on an explicit ( selector, html ) + * pair — no generated model, intended AST, or parse expectation. This is + * what the minimizer drives: every checked property is computable from + * the pair alone ( WP select() vs the reference matcher over WP's own + * parsed AST and the captured tree; metamorphic relations; the lexbor + * differential; parse/shape/cross-grammar invariants; rejection + * bookkeeping for unparseable selectors ). + * + * Bug 1 surfaces here as metamorphic-ast, Bug 2 as match-mismatch-*, + * Bug 3 as metamorphic-parse — so all three known bugs are minimizable + * without the generator. + * + * @return array{ + * failures: array, + * signatures: string[], + * } + */ + public static function run_pair( string $selector_string, string $html, ?string $target = null ): array { + Bootstrap::load(); + + $failures = array(); + $record = static function ( string $invariant, array $detail ) use ( &$failures ) { + $failures[] = array( + 'invariant' => $invariant, + 'detail' => $detail, + ); + }; + + // When the minimizer fixes a target signature, the metamorphic loop + // ( the only expensive, multi-draw stage ) is only worth running if + // the target is itself a metamorphic signature. + $target_invariant = null === $target ? null : substr( strrchr( $target, ':' ), 1 ); + $target_is_metamorph = null !== $target_invariant && 0 === strpos( $target_invariant, 'metamorphic' ); + $has_target_signature = static function () use ( &$failures, $target ) { + if ( null === $target ) { + return false; + } + foreach ( $failures as $failure ) { + if ( self::signature( $failure ) === $target ) { + return true; + } + } + return false; + }; + + list( $capture, $capture_error ) = self::guard( + static function () use ( $html ) { + return TreeCapture::capture( $html ); + } + ); + + $rows = null; + $tag_rows = null; + $quirks = false; + if ( null === $capture_error && null === $capture['error'] ) { + $rows = $capture['htmlRows']; + $tag_rows = $capture['tagRows']; + $quirks = $capture['quirks']; + } + + $document = array( 'html' => $html ); + + list( $compound_list, $compound_error ) = self::guard( + static function () use ( $selector_string ) { + return \WP_CSS_Compound_Selector_List::from_selectors( $selector_string ); + } + ); + list( $complex_list, $complex_error ) = self::guard( + static function () use ( $selector_string ) { + return \WP_CSS_Complex_Selector_List::from_selectors( $selector_string ); + } + ); + + if ( null !== $compound_error ) { + $record( 'parse-error', array( 'grammar' => 'compound', 'error' => self::describe_throwable( $compound_error ) ) ); + } + if ( null !== $complex_error ) { + $record( 'parse-error', array( 'grammar' => 'complex', 'error' => self::describe_throwable( $complex_error ) ) ); + } + if ( null !== $compound_list && null === $complex_list && null === $complex_error ) { + $record( 'compound-implies-complex', array() ); + } + + $compound_ast = null; + $complex_ast = null; + if ( null !== $compound_list ) { + list( $compound_ast, $shape_error ) = self::guard( + static function () use ( $compound_list ) { + return AstExtractor::from_compound_list( $compound_list ); + } + ); + if ( null !== $shape_error ) { + $record( 'ast-shape', array( 'grammar' => 'compound', 'error' => self::describe_throwable( $shape_error ) ) ); + } + } + if ( null !== $complex_list ) { + list( $complex_ast, $shape_error ) = self::guard( + static function () use ( $complex_list ) { + return AstExtractor::from_complex_list( $complex_list ); + } + ); + if ( null !== $shape_error ) { + $record( 'ast-shape', array( 'grammar' => 'complex', 'error' => self::describe_throwable( $shape_error ) ) ); + } + } + if ( null !== $compound_ast && null !== $complex_ast && $compound_ast !== $complex_ast ) { + $record( 'ast-cross-grammar', array( 'compoundAst' => $compound_ast, 'complexAst' => $complex_ast ) ); + } + + $html_matches = null; + if ( null !== $complex_ast && null !== $rows ) { + $expected = ReferenceMatcher::expected_html_matches_rows( $complex_ast, $rows, $quirks ); + $html_matches = self::check_select_matches( 'html', $selector_string, $document, $expected, $record ); + self::check_lexbor_differential( $complex_ast, $selector_string, $document, $rows, $quirks, $expected, $record ); + } elseif ( null === $complex_list && null === $complex_error && null !== $rows ) { + self::check_select_rejection( 'html', $selector_string, $document, $record ); + } + + if ( null !== $compound_ast && null !== $tag_rows ) { + $expected = ReferenceMatcher::expected_tag_matches_rows( $compound_ast, $tag_rows ); + self::check_select_matches( 'tag', $selector_string, $document, $expected, $record ); + } elseif ( null === $compound_list && null === $compound_error && null !== $tag_rows ) { + self::check_select_rejection( 'tag', $selector_string, $document, $record ); + } + + $run_metamorph = ( null === $target || $target_is_metamorph ) + && null !== $complex_ast && null !== $html_matches && array() === $failures; + if ( $run_metamorph ) { + /* + * Metamorphic transforms randomize escapes / case / order, so a + * transform-sensitive bug ( e.g. Bug 1 and Bug 3 ) only fires for + * some PRNG draws. run_case sees one draw; here several fixed + * draws are tried so minimization can reliably preserve such a + * signature regardless of which draw first exposed it. With a + * target fixed, stop at the first draw that reproduces it. + */ + for ( $i = 0; $i < self::PAIR_METAMORPH_DRAWS && array() === $failures; $i++ ) { + // A FIXED draw seed ( not derived from the pair ) keeps the + // test monotonic under shrinking: the same coin-flips apply to + // whatever AST survives, so a smaller selector that still has + // the bug reproduces the same transform signature. + $metamorph_prng = new Prng( 'css-selector-fuzz-minimize', "metamorph:{$i}" ); + self::check_metamorphic( $complex_ast, $html_matches, $document, $metamorph_prng, $record ); + if ( $has_target_signature() ) { + break; + } + } + } + + $signatures = array(); + foreach ( $failures as $failure ) { + $signatures[] = self::signature( $failure ); + } + + return array( + 'failures' => $failures, + 'signatures' => array_values( array_unique( $signatures ) ), + ); + } + /** * Verifies that the processor's captured view of a safe (model-built) * document agrees with the generated model — this guards the oracle diff --git a/tools/css-selector-fuzz/minimize.php b/tools/css-selector-fuzz/minimize.php new file mode 100644 index 0000000000000..3f3870b97b247 --- /dev/null +++ b/tools/css-selector-fuzz/minimize.php @@ -0,0 +1,189 @@ +#!/usr/bin/env php + metamorphic-ast, Bug 2 -> match-mismatch-html, Bug 3 -> + * metamorphic-parse. + * + * Usage: + * php tools/css-selector-fuzz/minimize.php --seed 1234 [--signature SUBSTR] + * php tools/css-selector-fuzz/minimize.php --selector 'sel' --html '<…>' [--signature SUBSTR] + * + * Options: + * --signature SUBSTR Target a signature whose id or invariant contains + * SUBSTR (default: the first signature of the seed's + * failure set). + * --max-attempts N Cap test evaluations (default 4000). + * --json Emit the reproducer as JSON. + */ + +require_once __DIR__ . '/lib/autoload.php'; + +use CssSelectorFuzz\Worker; +use function CssSelectorFuzz\json_encode_safe; +use function CssSelectorFuzz\option_bool; +use function CssSelectorFuzz\option_int; +use function CssSelectorFuzz\option_string; +use function CssSelectorFuzz\parse_cli_options; +use function CssSelectorFuzz\printable_bytes; + +$options = parse_cli_options( $argv ); +$max_attempts = option_int( $options, 'max-attempts', 20000 ); +$sig_filter = option_string( $options, 'signature', null ); + +$seed = option_int( $options, 'seed', -1 ); +if ( $seed >= 0 ) { + $case = Worker::run_case( $seed ); + $selector = $case['selector']; + $html = $case['html']; +} else { + $selector = option_string( $options, 'selector', null ); + $html = option_string( $options, 'html', null ); + if ( null === $selector || null === $html ) { + fwrite( STDERR, "Provide --seed N, or both --selector and --html.\n" ); + exit( 1 ); + } +} + +/** Signatures produced by a pair ( $target lets run_pair short-circuit ). */ +$signatures_of = static function ( string $selector, string $html, ?string $target = null ): array { + return Worker::run_pair( $selector, $html, $target )['signatures']; +}; + +$baseline = $signatures_of( $selector, $html ); +if ( array() === $baseline ) { + fwrite( STDERR, "The starting pair does not reproduce any self-contained failure.\n" ); + fwrite( STDERR, 'selector: ' . printable_bytes( $selector ) . "\n" ); + exit( 1 ); +} + +// Pick the target signature. +$target = $baseline[0]; +if ( null !== $sig_filter ) { + foreach ( $baseline as $candidate ) { + if ( false !== strpos( $candidate, $sig_filter ) ) { + $target = $candidate; + break; + } + } +} + +$attempts = 0; +$reproduces = static function ( string $selector, string $html ) use ( $signatures_of, $target, &$attempts, $max_attempts ): bool { + if ( $attempts >= $max_attempts ) { + return false; + } + ++$attempts; + return in_array( $target, $signatures_of( $selector, $html, $target ), true ); +}; + +/** + * Delta-debugging shrink of one byte string: ddmin chunk removal followed + * by per-position single-byte simplification. $test( candidate ) decides + * whether a candidate still reproduces. + */ +$shrink = static function ( string $current, callable $test ) use ( &$attempts, $max_attempts ): string { + $chunks = 2; + while ( strlen( $current ) > 0 && $attempts < $max_attempts ) { + $length = strlen( $current ); + $chunk_size = (int) ceil( $length / $chunks ); + $changed = false; + + for ( $offset = 0; $offset < $length && $attempts < $max_attempts; $offset += $chunk_size ) { + $candidate = substr( $current, 0, $offset ) . substr( $current, min( $length, $offset + $chunk_size ) ); + if ( $candidate === $current ) { + continue; + } + if ( $test( $candidate ) ) { + $current = $candidate; + $chunks = max( 2, $chunks - 1 ); + $changed = true; + break; + } + } + + if ( ! $changed ) { + if ( $chunks >= $length ) { + break; + } + $chunks = min( $length, $chunks * 2 ); + } + } + + // Per-byte canonicalization: replace each byte with a simpler stand-in. + $replacements = array( 'a', ' ', '' ); + for ( $i = 0; $i < strlen( $current ) && $attempts < $max_attempts; $i++ ) { + foreach ( $replacements as $replacement ) { + $candidate = substr( $current, 0, $i ) . $replacement . substr( $current, $i + 1 ); + if ( $candidate === $current ) { + continue; + } + if ( $test( $candidate ) ) { + $current = $candidate; + $i = max( -1, $i - 2 ); + break; + } + } + } + + return $current; +}; + +// Alternate shrinking the HTML and the selector until neither moves. +// HTML first: when the signature is selector-only (e.g. metamorphic-parse) +// the document collapses cheaply before the costlier selector pass. +$prev = null; +while ( $attempts < $max_attempts && ( $selector . "\0" . $html ) !== $prev ) { + $prev = $selector . "\0" . $html; + + $html = $shrink( + $html, + static function ( string $candidate ) use ( $reproduces, &$selector ): bool { + return $reproduces( $selector, $candidate ); + } + ); + $selector = $shrink( + $selector, + static function ( string $candidate ) use ( $reproduces, &$html ): bool { + return $reproduces( $candidate, $html ); + } + ); +} + +$final = $signatures_of( $selector, $html ); +$ok = in_array( $target, $final, true ); + +if ( option_bool( $options, 'json', false ) ) { + echo json_encode_safe( + array( + 'target' => $target, + 'reproduced' => $ok, + 'attempts' => $attempts, + 'selector' => printable_bytes( $selector ), + 'selectorBytes' => strlen( $selector ), + 'html' => printable_bytes( $html ), + 'htmlBytes' => strlen( $html ), + 'selectorBase64' => base64_encode( $selector ), + 'htmlBase64' => base64_encode( $html ), + ) + ) . "\n"; + exit( $ok ? 0 : 2 ); +} + +echo "target: {$target}\n"; +echo 'reproduced: ' . ( $ok ? 'yes' : 'NO' ) . "\n"; +echo "attempts: {$attempts}\n"; +echo 'selector: ' . printable_bytes( $selector ) . ' (' . strlen( $selector ) . " bytes)\n"; +echo 'html: ' . printable_bytes( $html ) . ' (' . strlen( $html ) . " bytes)\n"; +echo "\nreplay:\n"; +echo ' php tools/css-selector-fuzz/replay.php --selector ' . escapeshellarg( $selector ) + . ' --html ' . escapeshellarg( $html ) . "\n"; +exit( $ok ? 0 : 2 ); From 5da3afedd0db58dfcb028dbe5cf13b5cae2da1c3 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 14:00:25 +0200 Subject: [PATCH 163/187] CSS selector fuzz: fragment parsing + quirks-trigger coverage Add a -context fragment mode (~20% of safe-document cases): DocumentGenerator::generate_fragment renders body-level content without the document wrapper, TreeCapture parses it via create_fragment and captures the tree (with the implicit HTML/BODY ancestors the fragment parser reports in breadcrumbs), and the match / metamorphic invariants run against it. collect_matches and the rejection check route through create_fragment when the case is a fragment; the tag processor (no fragment mode) and lexbor (full-document only) are skipped for fragments. is the only context create_fragment accepts publicly. Quirks-mode triggers were already broadened by the wild generator's five doctype variants (none / html / legacy-compat SYSTEM / quirky PUBLIC / limited-quirks): ~111 quirks vs ~213 no-quirks per 400 wild docs, and is_quirks_mode() is captured per case and honored by the reference matcher. 294 fragment cases over 2000 seeds run clean with capture == model; full 2000-seed batch clean against core with the three known fixes. --- tools/css-selector-fuzz/README.md | 8 +- .../lib/DocumentGenerator.php | 97 ++++++++++++++++ tools/css-selector-fuzz/lib/TreeCapture.php | 23 +++- tools/css-selector-fuzz/lib/Worker.php | 105 ++++++++++++++---- 4 files changed, 208 insertions(+), 25 deletions(-) diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index ffa12efda964d..3042338f18917 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -10,8 +10,12 @@ produces the same document, the same selector, and the same verdict. ## What a case does 1. Generate a random HTML document — 70% from a structurally "safe" element - set with a known model tree, 30% "wild" (misnested, implied-end-tag, - foreign-content, varied-doctype token soup with no model). + set with a known model tree (of these, ~20% are parsed as a `` + fragment via `create_fragment` instead of a full document, exercising the + fragment `select()` path), 30% "wild" (misnested, implied-end-tag, + foreign-content, token soup with one of five doctypes spanning no-quirks, + quirks, and limited-quirks). `create_fragment` only accepts the `` + context publicly, so that is the fragment context fuzzed. 2. Capture the processor's own view of the document as the matching oracle's ground truth (`TreeCapture`): a flat list of rows in visit order, each carrying the element's tag, attributes, and ancestor tag list (context diff --git a/tools/css-selector-fuzz/lib/DocumentGenerator.php b/tools/css-selector-fuzz/lib/DocumentGenerator.php index e435edce409c9..20e6e99607421 100644 --- a/tools/css-selector-fuzz/lib/DocumentGenerator.php +++ b/tools/css-selector-fuzz/lib/DocumentGenerator.php @@ -106,6 +106,103 @@ public static function generate( Prng $prng ): array { return $generator->build(); } + /** + * Generates a ``-context fragment: body-level content rendered + * without the document wrapper, parsed via create_fragment. The model's + * top-level elements carry the implicit BODY/HTML ancestors the fragment + * parser reports in breadcrumbs. + * + * @return array{ + * model: null, + * children: array, + * html: string, + * context: string, + * fragment: true, + * quirks: bool, + * pools: array, + * } + */ + public static function generate_fragment( Prng $prng ): array { + $generator = new self( $prng, $prng->int( 6, 30 ) ); + return $generator->build_fragment(); + } + + private function build_fragment(): array { + $children = array(); + $child_budget = $this->prng->int( 1, 6 ); + for ( $i = 0; $i < $child_budget && $this->element_count < $this->max_elements; $i++ ) { + $children[] = $this->random_subtree( 0 ); + } + + $bits = array(); + foreach ( $children as $child ) { + $bits[] = $this->render_element( $child ); + } + $filler = array( '', 'text', ' more ', "\n ", '& x', 'café ✓', '' ); + $html = ''; + foreach ( $bits as $bit ) { + if ( $this->prng->chance( 35 ) ) { + $html .= $this->prng->choice( $filler ); + } + $html .= $bit; + } + + foreach ( $this->pools as $key => $values ) { + $this->pools[ $key ] = array_values( array_unique( $values ) ); + } + + return array( + 'model' => null, + 'children' => $children, + 'html' => $html, + 'context' => '', + 'fragment' => true, + 'quirks' => false, + 'pools' => $this->pools, + ); + } + + /** + * Rows ( TreeCapture shape ) for a ``-context fragment: the + * top-level children flattened with the implicit HTML/BODY ancestors the + * fragment parser reports. + */ + public static function rows_from_fragment( array $children ): array { + $html_root = array( 'tag' => 'html', 'fid' => '(html)', 'attrs' => array(), 'children' => array() ); + $body_root = array( 'tag' => 'body', 'fid' => '(body)', 'attrs' => array(), 'children' => $children ); + + $rows = array(); + foreach ( $children as $child ) { + foreach ( self::flatten_with_ancestors( $child, array( $body_root, $html_root ) ) as $pair ) { + list( $element, $ancestors ) = $pair; + + $attrs = array(); + $seen = array(); + foreach ( $element['attrs'] as $attr ) { + $lower = ascii_strtolower( $attr[0] ); + if ( isset( $seen[ $lower ] ) ) { + continue; + } + $seen[ $lower ] = true; + $attrs[] = array( $lower, $attr[1] ); + } + + $ancestor_tags = array(); + foreach ( $ancestors as $ancestor ) { + $ancestor_tags[] = strtoupper( ascii_strtolower( $ancestor['tag'] ) ); + } + + $rows[] = array( + 'tag' => strtoupper( ascii_strtolower( $element['tag'] ) ), + 'fid' => $element['fid'], + 'attrs' => $attrs, + 'ancestorTags' => $ancestor_tags, + ); + } + } + return $rows; + } + private function build(): array { $has_doctype = $this->prng->chance( 85 ); diff --git a/tools/css-selector-fuzz/lib/TreeCapture.php b/tools/css-selector-fuzz/lib/TreeCapture.php index 9edc3b0541757..bd64dc30eb6de 100644 --- a/tools/css-selector-fuzz/lib/TreeCapture.php +++ b/tools/css-selector-fuzz/lib/TreeCapture.php @@ -24,6 +24,13 @@ class TreeCapture { const CAPTURE_ITERATION_LIMIT = 20000; /** + * Captures the processor's view of a document or a fragment. + * + * @param string $html The markup ( full document or fragment ). + * @param string|null $context When set, parse as a fragment in this + * context ( e.g. '' ); the tag + * processor has no fragment mode, so tagRows + * is null in that case. * @return array{ * htmlRows: array|null, * tagRows: array|null, @@ -31,7 +38,7 @@ class TreeCapture { * error: string|null, * } */ - public static function capture( string $html ): array { + public static function capture( string $html, ?string $context = null ): array { $out = array( 'htmlRows' => null, 'tagRows' => null, @@ -39,7 +46,13 @@ public static function capture( string $html ): array { 'error' => null, ); - $processor = \WP_HTML_Processor::create_full_parser( $html ); + $processor = null === $context + ? \WP_HTML_Processor::create_full_parser( $html ) + : \WP_HTML_Processor::create_fragment( $html, $context ); + if ( null === $processor ) { + $out['error'] = 'fragment-context-unsupported'; + return $out; + } $rows = array(); $iterations = 0; while ( $processor->next_tag() ) { @@ -69,6 +82,12 @@ public static function capture( string $html ): array { $out['htmlRows'] = $rows; $out['quirks'] = $processor->is_quirks_mode(); + // The tag processor has no fragment mode; a fragment case exercises + // the html processor's select() only. + if ( null !== $context ) { + return $out; + } + $tag_processor = new \WP_HTML_Tag_Processor( $html ); $tag_rows = array(); $iterations = 0; diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index e81f1ba677de9..46ad6f7fb3bd8 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -61,8 +61,9 @@ class Worker { public static function run_case( int $seed ): array { Bootstrap::load(); - $prng = new Prng( (string) $seed, 'css-selector-fuzz-case' ); - $is_wild = $prng->chance( 30 ); + $prng = new Prng( (string) $seed, 'css-selector-fuzz-case' ); + $is_wild = $prng->chance( 30 ); + $is_fragment = ! $is_wild && $prng->chance( 20 ); $failures = array(); $record = static function ( string $invariant, array $detail ) use ( &$failures ) { @@ -88,13 +89,18 @@ public static function run_case( int $seed ): array { $capture_error = null; $attempts = $is_wild ? 8 : 1; for ( $attempt = 0; $attempt < $attempts; $attempt++ ) { - $document = $is_wild - ? WildDocumentGenerator::generate( $prng->fork( "wild-document:{$attempt}" ) ) - : DocumentGenerator::generate( $prng->fork( 'document' ) ); + if ( $is_wild ) { + $document = WildDocumentGenerator::generate( $prng->fork( "wild-document:{$attempt}" ) ); + } elseif ( $is_fragment ) { + $document = DocumentGenerator::generate_fragment( $prng->fork( 'fragment' ) ); + } else { + $document = DocumentGenerator::generate( $prng->fork( 'document' ) ); + } + $context = ( $document['fragment'] ?? false ) ? $document['context'] : null; list( $capture, $capture_error ) = self::guard( - static function () use ( $document ) { - return TreeCapture::capture( $document['html'] ); + static function () use ( $document, $context ) { + return TreeCapture::capture( $document['html'], $context ); } ); @@ -120,7 +126,9 @@ static function () use ( $document ) { $tag_rows = $capture['tagRows']; $quirks = $capture['quirks']; - if ( ! $is_wild ) { + if ( $is_fragment ) { + self::check_fragment_capture_against_model( $document, $capture, $record ); + } elseif ( ! $is_wild ) { self::check_capture_against_model( $document, $capture, $record ); } } @@ -283,7 +291,10 @@ static function () use ( $complex_list ) { $html_matches = self::check_select_matches( 'html', $selector_string, $document, $expected, $record ); - $lexbor_state = self::check_lexbor_differential( $complex_ast, $selector_string, $document, $rows, $quirks, $expected, $record ); + // lexbor parses full documents only; fragments skip it. + if ( ! ( $document['fragment'] ?? false ) ) { + $lexbor_state = self::check_lexbor_differential( $complex_ast, $selector_string, $document, $rows, $quirks, $expected, $record ); + } } elseif ( null === $complex_list && null === $complex_error ) { self::check_select_rejection( 'html', $selector_string, $document, $record ); } @@ -495,6 +506,46 @@ static function () use ( $complex_list ) { ); } + /** + * Fragment analogue of check_capture_against_model: the ``-context + * fragment capture must equal the model rows built from the body-level + * children ( with the implicit HTML/BODY ancestors ). + */ + private static function check_fragment_capture_against_model( array $document, array $capture, callable $record ): void { + $model_rows = DocumentGenerator::rows_from_fragment( $document['children'] ); + + $normalize = static function ( array $rows ): array { + $out = array(); + foreach ( $rows as $row ) { + $attrs = array(); + foreach ( $row['attrs'] as $attr ) { + $attrs[ $attr[0] ] = $attr[1]; + } + ksort( $attrs ); + $out[] = array( + 'tag' => $row['tag'], + 'fid' => $row['fid'], + 'attrs' => $attrs, + 'ancestorTags' => $row['ancestorTags'], + ); + } + return $out; + }; + + $expected = $normalize( $model_rows ); + $actual = $normalize( $capture['htmlRows'] ); + if ( $expected !== $actual ) { + $record( + 'model-desync', + array( + 'processor' => 'fragment', + 'expected' => $expected, + 'actual' => $actual, + ) + ); + } + } + /** * Verifies that the processor's captured view of a safe (model-built) * document agrees with the generated model — this guards the oracle @@ -566,15 +617,22 @@ private static function check_capture_against_model( array $document, array $cap /** * Runs a select() loop over the document, collecting matched data-fids. * - * @param string $target 'html' or 'tag'. + * @param string $target 'html' or 'tag'. + * @param array $document The case document ( may request fragment mode ). * @return array{0: string[]|null, 1: \Throwable|null} */ - private static function collect_matches( string $target, string $selector_string, string $html ): array { + private static function collect_matches( string $target, string $selector_string, array $document ): array { + $html = $document['html']; + $context = ( $document['fragment'] ?? false ) ? $document['context'] : null; return self::guard( - static function () use ( $target, $selector_string, $html ) { - $processor = 'html' === $target - ? \WP_HTML_Processor::create_full_parser( $html ) - : new \WP_HTML_Tag_Processor( $html ); + static function () use ( $target, $selector_string, $html, $context ) { + if ( 'tag' === $target ) { + $processor = new \WP_HTML_Tag_Processor( $html ); + } elseif ( null !== $context ) { + $processor = \WP_HTML_Processor::create_fragment( $html, $context ); + } else { + $processor = \WP_HTML_Processor::create_full_parser( $html ); + } $matches = array(); $iterations = 0; @@ -610,7 +668,7 @@ static function () use ( $target, $selector_string, $html ) { private static function check_select_matches( string $target, string $selector_string, array $document, array $expected, callable $record ): ?array { Bootstrap::reset_doing_it_wrong(); - list( $actual, $error ) = self::collect_matches( $target, $selector_string, $document['html'] ); + list( $actual, $error ) = self::collect_matches( $target, $selector_string, $document ); if ( null !== $error ) { $record( @@ -831,7 +889,7 @@ static function () use ( $variant_list ) { } Bootstrap::reset_doing_it_wrong(); - list( $variant_matches, $match_error ) = self::collect_matches( 'html', $variant_selector, $document['html'] ); + list( $variant_matches, $match_error ) = self::collect_matches( 'html', $variant_selector, $document ); if ( null !== $match_error ) { $record( @@ -866,11 +924,16 @@ static function () use ( $variant_list ) { private static function check_select_rejection( string $target, string $selector_string, array $document, callable $record ): void { Bootstrap::reset_doing_it_wrong(); + $context = ( $document['fragment'] ?? false ) ? $document['context'] : null; list( $results, $error ) = self::guard( - static function () use ( $target, $selector_string, $document ) { - $processor = 'html' === $target - ? \WP_HTML_Processor::create_full_parser( $document['html'] ) - : new \WP_HTML_Tag_Processor( $document['html'] ); + static function () use ( $target, $selector_string, $document, $context ) { + if ( 'tag' === $target ) { + $processor = new \WP_HTML_Tag_Processor( $document['html'] ); + } elseif ( null !== $context ) { + $processor = \WP_HTML_Processor::create_fragment( $document['html'], $context ); + } else { + $processor = \WP_HTML_Processor::create_full_parser( $document['html'] ); + } // Two calls: the second exercises the parse cache. return array( $processor->select( $selector_string ), $processor->select( $selector_string ) ); From 44058b4c015da49ce70dcb8497f82819e79b5225 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 14:04:47 +0200 Subject: [PATCH 164/187] CSS selector fuzz: triage 5000-seed run, update findings and roadmap 5000-seed isolated run on core @ 46334f170b: 427 failures, 0 crashes, every failure triaged to one of the three known bugs (Bug 1 -> metamorphic-ast / ast-mismatch / path-expectation; Bug 2 -> match-mismatch-html/tag; Bug 3 -> metamorphic-parse / parse-expectation). Zero lexbor-divergence (the third oracle agreed with the reference matcher on every compared no-quirks case) and zero model-desync. With all three fixes applied the same 5000 seeds run completely clean, confirming the fuzzer reports exactly these three bugs and no spurious oracle/generator defect. FINDINGS.md: add the signature->bug triage table and refresh the fuzzer status. NEXT-STEPS.md: mark the roadmap complete against the acceptance bar. All three known bugs verified still reproducing. --- tools/css-selector-fuzz/FINDINGS.md | 54 ++++++++++++++++++++++++--- tools/css-selector-fuzz/NEXT-STEPS.md | 13 ++++--- 2 files changed, 56 insertions(+), 11 deletions(-) diff --git a/tools/css-selector-fuzz/FINDINGS.md b/tools/css-selector-fuzz/FINDINGS.md index 981b33ef41d80..ad9f47c3458b7 100644 --- a/tools/css-selector-fuzz/FINDINGS.md +++ b/tools/css-selector-fuzz/FINDINGS.md @@ -1,11 +1,17 @@ # CSS Selector Fuzzer — Findings -Run: branch `html-css-fuzz` @ `6ebbcc2fe4`, PHP 8.4.21. ~3600 deterministic +Run: branch `html-css-fuzz` @ `46334f170b`, PHP 8.4.21. 5000 deterministic seeds, 0 crashes/timeouts. Three distinct, reproduced WordPress-core correctness bugs in the new HTML-API CSS selector support. Every selector below is valid, supported CSS that the API mis-handles **without** reporting lack of support. +No new bugs surfaced beyond these three, and no fuzzer-side (oracle or +generator) defect surfaced: with all three fixes applied a 5000-seed run is +completely clean, and the lexbor differential (third independent oracle) agreed +with the reference matcher on every compared no-quirks case (0 `lexbor-divergence`). + Reproduce any case: `php tools/css-selector-fuzz/replay.php --selector '' [--html '']`. +Auto-minimize a failing seed: `php tools/css-selector-fuzz/minimize.php --seed `. --- @@ -105,10 +111,46 @@ character of the selector string. --- +## Triage of the 5000-seed run (unpatched core) + +427 failures, every one attributable to one of the three bugs above. The +signature → bug mapping (and why each is a WP finding, not a fuzzer defect): + +| signature | hits | bug | how it manifests | +|---|---|---|---| +| `metamorphic-ast` (5 variants) | 328 | Bug 1 | a re-rendered / escaped variant of a selector parses to a different AST because an identity escape after multibyte content mis-decodes | +| `ast-mismatch` | 71 | Bug 1 | generated AST ≠ parsed AST, same root cause | +| `path-expectation` | 1 | Bug 1 | a path-directed selector with a multibyte-then-identity-escape value (`Über90\ x`) mis-parses, so the element it was built from no longer matches | +| `metamorphic-parse` (4 variants) | 9 | Bug 3 | a re-rendered variant ending in a single-char unquoted value at EOF is wrongly rejected | +| `parse-expectation` (2 variants) | 7 | Bug 3 | the generated selector itself ends in `=x]` and is wrongly rejected (e.g. `[dir =a]`) | +| `match-mismatch-html` | 7 | Bug 2 | empty-operand `^= *= $=` match elements the spec says they must not | +| `match-mismatch-tag` | 4 | Bug 2 | same, via the tag processor | + +Zero `lexbor-divergence`, zero `model-desync`, zero crashes/timeouts. With all +three fixes applied, the same 5000 seeds run with **0 failures** — confirming +the fuzzer reports exactly these three bugs and nothing spurious. + ## Fuzzer status -Implemented and validated: deterministic seeds, seed-based replay, generative -6-bucket selector generation, independent reference matcher, ~18 invariants, -process-isolated runner, self-check suite. `php tools/css-selector-fuzz/tests/self-check.php` -passes; see `README.md` for usage. No fuzzer-side (oracle/generator) defects -surfaced in 3600 seeds — all failures are the three target bugs above. +Implemented and validated: + +- Deterministic seeds, seed-based replay, self-check suite + (`php tools/css-selector-fuzz/tests/self-check.php` passes). +- Seven-bucket selector generation including **path-directed** synthesis + (combinator positive-match rate ~68% vs ~14% before) and **edge-escape** + (U+FFFD escape decoder, input normalization). +- Three independent match oracles: the spec-faithful `ReferenceMatcher`, the + AST round-trip, and a **lexbor differential** (liblexbor v3.0.0, no-quirks + documents, tree-equality gated). The three agree on every compared case. +- **Metamorphic invariants** (oracle-free): meaning-preserving transforms keep + the match set; AST-preserving transforms keep the AST. +- **Parser-derived oracle tree** (`TreeCapture`): the processor's own parse is + ground truth, so **wild / restructured HTML** and **`` fragments** are + fuzzed, not only clean trees. +- **Line coverage** measured (93.8%, see `COVERAGE.md`; 96.8% of reachable + code, remainder justified). +- **Automatic minimizer** (`minimize.php`): delta-debugs selector and HTML to a + minimal reproducer preserving a chosen signature. + +See `README.md` for usage and `NEXT-STEPS.md` for the roadmap this work +completed. diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index 0b509450a177e..86fa37c61eb93 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -1,10 +1,13 @@ # CSS Selector Fuzzer — Next Steps / Improvement Roadmap -Status: first-generation fuzzer is implemented, validated, and has found three -real WordPress-core bugs (see `FINDINGS.md`). Design and current coverage are in -`README.md`. This document is the prioritized plan to take it from "found three -bugs" to "exhaustive and trustworthy." Do NOT re-explain the existing tool here; -read `README.md` and `FINDINGS.md` first. +> **Status: all seven work items below are implemented and validated** (see +> `README.md`, `COVERAGE.md`, `FINDINGS.md`). The acceptance bar is met: +> coverage measured (93.8%; 96.8% of reachable code, remainder justified); +> three oracles agree on no-quirks supported cases with every divergence +> triaged; metamorphic invariants passing; combinator positive-match rate +> raised from 14.5% to ~68% (path-directed bucket); minimizer working; a clean +> 5000-seed run with all signatures triaged to the three known bugs, all of +> which still reproduce. The notes below are retained as the design rationale. Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch `html-css-fuzz` @ `6ebbcc2fe4` (trunk + merged `html-api/add-css-selector-parser`). From 7336efad279a0790488817a42a580f0bb20d794a Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 14:37:15 +0200 Subject: [PATCH 165/187] CSS selector fuzz: stop the minimizer silently retargeting a different bug Reviewer found minimize.php --seed could print 'reproduced: yes' for a signature the seed never produced: run_pair only checks self-contained invariants, so a seed whose recorded failure is generator-side (ast-mismatch, parse-expectation, path-expectation, model-desync) would fall through to minimizing an unrelated incidental self-contained signature and report success. run_case now returns its per-case signatures. minimize.php --seed restricts targets to signatures sharing an INVARIANT with the seed's own failures (invariant-level, not exact-hash, so the same metamorphic invariant exposed by a different transform draw still counts as faithful). When the seed's failures are entirely generator-side it refuses by default and lists the nearby self-contained signatures; --signature opts into a retarget, which is then explicitly labelled 'retargeted' / NOTE in the output. Docs updated to scope --seed accordingly. --- tools/css-selector-fuzz/FINDINGS.md | 5 +- tools/css-selector-fuzz/README.md | 18 +++++- tools/css-selector-fuzz/lib/Worker.php | 20 ++++-- tools/css-selector-fuzz/minimize.php | 88 ++++++++++++++++++++++++-- 4 files changed, 113 insertions(+), 18 deletions(-) diff --git a/tools/css-selector-fuzz/FINDINGS.md b/tools/css-selector-fuzz/FINDINGS.md index ad9f47c3458b7..302d6218a6f0a 100644 --- a/tools/css-selector-fuzz/FINDINGS.md +++ b/tools/css-selector-fuzz/FINDINGS.md @@ -11,7 +11,10 @@ completely clean, and the lexbor differential (third independent oracle) agreed with the reference matcher on every compared no-quirks case (0 `lexbor-divergence`). Reproduce any case: `php tools/css-selector-fuzz/replay.php --selector '' [--html '']`. -Auto-minimize a failing seed: `php tools/css-selector-fuzz/minimize.php --seed `. +Auto-minimize a failing seed: `php tools/css-selector-fuzz/minimize.php --seed ` +(faithful for seeds with a self-contained failure; seeds whose only recorded +failure is generator-side — `ast-mismatch`, `parse-expectation` — are refused +unless a related self-contained signature is opted into with `--signature`). --- diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index 3042338f18917..2c60bf5c73a51 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -133,10 +133,22 @@ both the selector and the HTML while preserving a failure signature): php tools/css-selector-fuzz/minimize.php --seed 1234 php tools/css-selector-fuzz/minimize.php --selector 'sel' --html '<…>' --signature match-mismatch -The minimizer drives `Worker::run_pair`, which checks only self-contained +The minimizer drives `Worker::run_pair`, which checks only **self-contained** invariants — those computable from the (selector, html) pair without the -generator's intended AST. All three known bugs reduce to one: Bug 1 → -`metamorphic-ast`, Bug 2 → `match-mismatch-html`, Bug 3 → `metamorphic-parse`. +generator's intended AST: `match-mismatch-*`, `metamorphic-*`, +`lexbor-divergence`, `parse-error`, `ast-shape`, `ast-cross-grammar`, and the +rejection checks. The generator-side invariants `ast-mismatch`, +`parse-expectation`, `path-expectation`, and `model-desync` are **not** +self-contained and cannot be reproduced from the pair alone. + +So `--seed` faithfully minimizes only seeds whose failure is self-contained. +The three known bugs each *also* surface a self-contained signature (Bug 1 → +`metamorphic-ast`, Bug 2 → `match-mismatch-html`, Bug 3 → `metamorphic-parse`), +but a seed whose recorded failure is *only* the generator-side form (e.g. a +Bug-1 seed that recorded `ast-mismatch` before the metamorphic phase ran) is +**refused by default** rather than silently retargeted — pass `--signature` +to opt into minimizing a related self-contained signature, which is then +clearly labelled as a retarget in the output. Run a batch in-process (no isolation, faster): diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index 46ad6f7fb3bd8..6371b617cc028 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -334,14 +334,20 @@ static function ( $failure ) { ) ); + $signatures = array(); + foreach ( $failures as $failure ) { + $signatures[] = self::signature( $failure ); + } + return array( - 'seed' => $seed, - 'bucket' => $selector['bucket'], - 'digest' => $digest, - 'failures' => $failures, - 'selector' => $selector_string, - 'html' => $document['html'], - 'lexbor' => $lexbor_state, + 'seed' => $seed, + 'bucket' => $selector['bucket'], + 'digest' => $digest, + 'failures' => $failures, + 'signatures' => array_values( array_unique( $signatures ) ), + 'selector' => $selector_string, + 'html' => $document['html'], + 'lexbor' => $lexbor_state, ); } diff --git a/tools/css-selector-fuzz/minimize.php b/tools/css-selector-fuzz/minimize.php index 3f3870b97b247..edfc892689fa7 100644 --- a/tools/css-selector-fuzz/minimize.php +++ b/tools/css-selector-fuzz/minimize.php @@ -39,11 +39,27 @@ $max_attempts = option_int( $options, 'max-attempts', 20000 ); $sig_filter = option_string( $options, 'signature', null ); -$seed = option_int( $options, 'seed', -1 ); +/* + * In --seed mode, the seed's OWN failures ( from run_case ) are the source + * of truth. The minimizer can only preserve "self-contained" signatures + * ( those run_pair re-checks without the generator's intended AST ); the + * generator-side ones ( ast-mismatch, parse-expectation, path-expectation, + * model-desync ) are invisible to run_pair. Targeting must therefore be + * restricted to the intersection of the seed's failures and run_pair's + * view — otherwise the minimizer could silently retarget to an unrelated + * incidental signature and report a false "reproduced". + */ +$seed = option_int( $options, 'seed', -1 ); +$seed_signatures = null; if ( $seed >= 0 ) { - $case = Worker::run_case( $seed ); - $selector = $case['selector']; - $html = $case['html']; + $case = Worker::run_case( $seed ); + $selector = $case['selector']; + $html = $case['html']; + $seed_signatures = $case['signatures']; + if ( array() === $seed_signatures ) { + fwrite( STDERR, "Seed {$seed} produced no failure; nothing to minimize.\n" ); + exit( 1 ); + } } else { $selector = option_string( $options, 'selector', null ); $html = option_string( $options, 'html', null ); @@ -61,14 +77,66 @@ $baseline = $signatures_of( $selector, $html ); if ( array() === $baseline ) { fwrite( STDERR, "The starting pair does not reproduce any self-contained failure.\n" ); + if ( null !== $seed_signatures ) { + fwrite( STDERR, 'Seed failure(s): ' . implode( ', ', $seed_signatures ) . "\n" ); + fwrite( STDERR, "These are generator-side signatures the minimizer cannot reproduce from the\n" ); + fwrite( STDERR, "pair alone. Minimize a seed whose failure is self-contained, or pass\n" ); + fwrite( STDERR, "--selector/--html directly.\n" ); + } fwrite( STDERR, 'selector: ' . printable_bytes( $selector ) . "\n" ); exit( 1 ); } -// Pick the target signature. -$target = $baseline[0]; +/* + * Candidate targets are matched at the INVARIANT level, not the exact + * signature hash: a signature embeds transform-specific detail ( e.g. + * metamorphic-parse via `rerender` vs via `dup-branch` ), and run_pair's + * fixed metamorphic draws may expose the same invariant through a + * different transform than run_case did. Same invariant == same bug class, + * so that is faithful. A DIFFERENT invariant ( e.g. the seed's generator- + * side ast-mismatch vs an incidental self-contained metamorphic-ast ) is a + * genuine retarget and must be opted into. + */ +$invariant_of = static function ( string $signature ): string { + $pos = strrpos( $signature, ':' ); + return false === $pos ? $signature : substr( $signature, $pos + 1 ); +}; + +$retargeted = false; +if ( null === $seed_signatures ) { + $candidates = $baseline; +} else { + $seed_invariants = array_map( $invariant_of, $seed_signatures ); + $candidates = array(); + foreach ( $baseline as $signature ) { + if ( in_array( $invariant_of( $signature ), $seed_invariants, true ) ) { + $candidates[] = $signature; + } + } +} + +if ( array() === $candidates ) { + // The seed's failures are all generator-side ( no self-contained + // invariant in common ); refuse to silently minimize an unrelated + // incidental signature. + fwrite( STDERR, "Seed {$seed}'s failures are not self-contained, so the minimizer cannot\n" ); + fwrite( STDERR, "faithfully reproduce them.\n" ); + fwrite( STDERR, 'Seed failure(s): ' . implode( ', ', $seed_signatures ) . "\n" ); + fwrite( STDERR, 'Self-contained nearby: ' . implode( ', ', $baseline ) . "\n" ); + fwrite( STDERR, "Re-run with --signature to minimize one of the nearby signatures\n" ); + fwrite( STDERR, "explicitly ( understanding it is a related, not identical, failure ).\n" ); + if ( null === $sig_filter ) { + exit( 1 ); + } + // User explicitly opted into a nearby signature. + $candidates = $baseline; + $retargeted = true; +} + +// Pick the target signature from the eligible candidates. +$target = $candidates[0]; if ( null !== $sig_filter ) { - foreach ( $baseline as $candidate ) { + foreach ( $candidates as $candidate ) { if ( false !== strpos( $candidate, $sig_filter ) ) { $target = $candidate; break; @@ -165,6 +233,8 @@ static function ( string $candidate ) use ( $reproduces, &$html ): bool { echo json_encode_safe( array( 'target' => $target, + 'retargeted' => $retargeted, + 'seedSignatures' => $seed_signatures, 'reproduced' => $ok, 'attempts' => $attempts, 'selector' => printable_bytes( $selector ), @@ -179,6 +249,10 @@ static function ( string $candidate ) use ( $reproduces, &$html ): bool { } echo "target: {$target}\n"; +if ( $retargeted ) { + echo 'NOTE: seed failure(s) ' . implode( ', ', $seed_signatures ) . " are generator-side;\n"; + echo " minimized the related self-contained signature above instead.\n"; +} echo 'reproduced: ' . ( $ok ? 'yes' : 'NO' ) . "\n"; echo "attempts: {$attempts}\n"; echo 'selector: ' . printable_bytes( $selector ) . ' (' . strlen( $selector ) . " bytes)\n"; From 5f0ad7ce06efc812dbccaa63da7f8c8471edd2b8 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 14:39:06 +0200 Subject: [PATCH 166/187] CSS selector fuzz: make lexbor oracle death observable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewers noted the lexbor tally was computed then discarded and the 'off' state conflated 'oracle not applicable' with 'oracle dead', so a third oracle that died mid-run (PHP latches available()=false and every later case silently returns 'off') would leave no trace in artifacts. Split the state into 'n/a' (unparseable selector / fragment / no tree — differential genuinely does not apply) vs 'unavailable' (harness missing or died) and 'error'. Aggregate the per-case tally into the batch summary (already present) and now into runner state.json under 'lexbor'. The runner prints a loud WARNING if unavailable/error appear after the harness had been live, or a NOTE if it never ran at all. Verified both paths. --- tools/css-selector-fuzz/README.md | 11 ++++++++++- tools/css-selector-fuzz/lib/Worker.php | 12 +++++++++--- tools/css-selector-fuzz/runner.php | 19 +++++++++++++++++++ 3 files changed, 38 insertions(+), 4 deletions(-) diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index 2c60bf5c73a51..c48c790e3fdc9 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -88,7 +88,16 @@ produces the same document, the same selector, and the same verdict. Build with `sh tools/css-selector-fuzz/lexbor/build.sh` (clones and builds liblexbor, pinned to v3.0.0 = `2ae88a1c6b52`). The worker auto-detects the binary at `tools/css-selector-fuzz/lexbor/harness` and reports per-batch -tallies (`compared` / `tree-gated` / `skipped-quirks` / `off`). +tallies, persisted to `state.json` under `lexbor`: + +- `compared` — the differential ran and matched fid-multisets. +- `tree-gated` — WP and lexbor built different trees; differential skipped. +- `skipped-quirks` / `skipped-utf8` — quirks document / non-UTF-8 AST. +- `n/a` — the differential does not apply (unparseable selector, fragment, no + captured tree). +- `unavailable` / `error` — the harness was missing or died. The runner prints + a loud warning if these appear after the harness had run, so a third oracle + that dies mid-run cannot hide behind a green run. Known lexbor issues compensated for at this pin: diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index 6371b617cc028..b2ad002ed8ac0 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -256,7 +256,12 @@ static function () use ( $complex_list ) { // --- Match phase --------------------------------------------------- $html_matches = null; - $lexbor_state = 'off'; + // 'n/a' = the lexbor differential does not apply to this case + // ( unparseable selector, fragment, no captured tree ). Distinct from + // 'unavailable', which check_lexbor_differential reports only when the + // harness itself is missing or died — so a silently-dropped third + // oracle shows up in the per-batch tally instead of hiding in 'off'. + $lexbor_state = 'n/a'; if ( null !== $complex_ast && null !== $rows ) { $expected = ReferenceMatcher::expected_html_matches_rows( $complex_ast, $rows, $quirks ); @@ -729,11 +734,12 @@ private static function check_select_matches( string $target, string $selector_s * means reference == lexbor != WP: a * high-confidence WP finding. * - * @return string Tally state: off|skipped-quirks|error|tree-gated|compared. + * @return string Tally state: + * unavailable|skipped-quirks|skipped-utf8|error|tree-gated|compared. */ private static function check_lexbor_differential( array $complex_ast, string $selector_string, array $document, array $rows, bool $quirks, array $expected, callable $record ): string { if ( ! LexborOracle::available() ) { - return 'off'; + return 'unavailable'; } if ( $quirks ) { return 'skipped-quirks'; diff --git a/tools/css-selector-fuzz/runner.php b/tools/css-selector-fuzz/runner.php index 3dbdf0ee66cbe..fc3db262b282a 100644 --- a/tools/css-selector-fuzz/runner.php +++ b/tools/css-selector-fuzz/runner.php @@ -158,6 +158,7 @@ function css_selector_fuzz_worker_summary( string $stdout ): ?array { 'crashes' => 0, 'buckets' => array(), 'signatures' => array(), + 'lexbor' => array(), 'nextSeed' => $start_seed, 'stopReason' => null, ); @@ -244,6 +245,9 @@ function css_selector_fuzz_worker_summary( string $stdout ): ?array { foreach ( $summary['signatures'] as $signature => $signature_count ) { $state['signatures'][ $signature ] = ( $state['signatures'][ $signature ] ?? 0 ) + $signature_count; } + foreach ( $summary['lexbor'] ?? array() as $lexbor_state => $lexbor_count ) { + $state['lexbor'][ $lexbor_state ] = ( $state['lexbor'][ $lexbor_state ] ?? 0 ) + $lexbor_count; + } } $seed += $count; @@ -263,5 +267,20 @@ function css_selector_fuzz_worker_summary( string $stdout ): ?array { $state['updatedAt'] = gmdate( 'c' ); write_json_file( $state_path, $state ); +/* + * The lexbor differential is the third oracle. If it ever ran ( 'compared' ) + * it was built and live; any 'unavailable' or 'error' tally then means it + * was missing for some cases or died mid-run, so part of the run had only + * two oracles. Surface that loudly rather than letting a green run hide it. + */ +$lexbor = $state['lexbor']; +$lexbor_ran = ( $lexbor['compared'] ?? 0 ) > 0; +$lexbor_lost = ( $lexbor['unavailable'] ?? 0 ) + ( $lexbor['error'] ?? 0 ); +if ( $lexbor_ran && $lexbor_lost > 0 ) { + fwrite( STDERR, "WARNING: lexbor third oracle was unavailable/errored for {$lexbor_lost} case(s); those ran with two oracles.\n" ); +} elseif ( ! $lexbor_ran ) { + fwrite( STDERR, "NOTE: lexbor third oracle never ran (harness not built?); run `sh tools/css-selector-fuzz/lexbor/build.sh` for the differential.\n" ); +} + echo json_encode_safe( $state ) . "\n"; exit( 0 === $state['failures'] ? 0 : 2 ); From 031d5c38a08c5b02180d0b74f548ac8514a99543 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 14:40:39 +0200 Subject: [PATCH 167/187] CSS selector fuzz: harden lexbor harness (base64 + fid framing) Two latent issues from the C review (neither reachable from the current generators, both defensive): - b64_decode had dead code (two empty if-bodies) and a comment claiming invalid bytes are skipped when they were actually folded into the output stream as zero, corrupting everything after a stray byte. Now genuinely skip any non-alphabet byte (testing the byte, not its table value, since 'A' legitimately maps to 0). The index is unsigned, so table[c] was never out of bounds. - put_fid wrote the raw data-fid into the tab-and-newline framed protocol; a fid containing TAB/LF/CR would desync row/match parsing on the PHP side. Generated fids are always w/e, but harden anyway: the harness replaces those three bytes with '?', and TreeCapture::sanitize_fid applies the identical replacement to WP's own fids, so a sanitized fid still compares equal (worst case a benign tree-gated skip, never a false divergence). Verified a tab-fid produces one row/match/D with no desync. --- tools/css-selector-fuzz/lexbor/harness.c | 33 +++++++++++++++++---- tools/css-selector-fuzz/lib/TreeCapture.php | 13 +++++++- 2 files changed, 40 insertions(+), 6 deletions(-) diff --git a/tools/css-selector-fuzz/lexbor/harness.c b/tools/css-selector-fuzz/lexbor/harness.c index a33a198090ddf..ebd3aa32f4b4a 100644 --- a/tools/css-selector-fuzz/lexbor/harness.c +++ b/tools/css-selector-fuzz/lexbor/harness.c @@ -65,13 +65,18 @@ b64_decode(const char *in, size_t in_len, size_t *out_len) for (size_t i = 0; i < in_len; i++) { unsigned char c = (unsigned char) in[i]; + /* + * The PHP adapter always feeds well-formed base64_encode() output, + * but guard anyway: skip padding/whitespace, and actually skip any + * byte not in the alphabet ('A' legitimately maps to 0, so test the + * byte itself, not its table value). c is unsigned, so table[c] is + * always in bounds. + */ if (c == '=' || c == '\n' || c == '\r') { continue; } - if (c != 'A' && table[c] == 0 && c != 'A') { - if (c != 'A') { - /* invalid chars are skipped; base64 here is machine-made */ - } + if (c != 'A' && table[c] == 0) { + continue; } acc = (acc << 6) | (unsigned int) table[c]; bits += 6; @@ -97,6 +102,24 @@ put_upper(const lxb_char_t *name, size_t len) } } +/* + * Emit a data-fid value, replacing the framing bytes TAB / LF / CR with '?'. + * Generated documents only ever use fids like "w12" / "e3", so this never + * fires in practice; it guards the line-and-tab protocol against a fid that + * contains a control char (which would otherwise desync row/match parsing on + * the PHP side). LexborOracle applies the identical replacement when reading + * WP's own fids, so a sanitized fid still compares equal — the worst case is + * a benign tree-gated skip, never a false divergence. + */ +static void +put_fid_value(const lxb_char_t *value, size_t value_len) +{ + for (size_t i = 0; i < value_len; i++) { + unsigned char c = value[i]; + putchar((c == '\t' || c == '\n' || c == '\r') ? '?' : c); + } +} + static void put_fid(lxb_dom_node_t *node) { @@ -106,7 +129,7 @@ put_fid(lxb_dom_node_t *node) element, (const lxb_char_t *) "data-fid", 8, &value_len); if (value != NULL) { - fwrite(value, 1, value_len, stdout); + put_fid_value(value, value_len); return; } diff --git a/tools/css-selector-fuzz/lib/TreeCapture.php b/tools/css-selector-fuzz/lib/TreeCapture.php index bd64dc30eb6de..616a3ff65ba76 100644 --- a/tools/css-selector-fuzz/lib/TreeCapture.php +++ b/tools/css-selector-fuzz/lib/TreeCapture.php @@ -110,7 +110,18 @@ public static function capture( string $html, ?string $context = null ): array { /** The element's data-fid, or the same placeholder collect_matches() uses. */ private static function fid_of( $processor ): string { $fid = $processor->get_attribute( 'data-fid' ); - return is_string( $fid ) ? $fid : '(missing-fid:' . $processor->get_tag() . ')'; + return is_string( $fid ) ? self::sanitize_fid( $fid ) : '(missing-fid:' . $processor->get_tag() . ')'; + } + + /** + * Replaces the lexbor protocol framing bytes ( TAB / LF / CR ) in a fid + * with '?'. Generated fids never contain these, but the lexbor harness + * applies the same replacement, so matching this here keeps the two trees + * comparable even for a hypothetical control-char fid ( the worst case is + * a benign tree-gated skip, never a false divergence ). + */ + public static function sanitize_fid( string $fid ): string { + return strtr( $fid, "\t\n\r", '???' ); } /** From a5f832e938b5354540ec3823fc4c2a0f14b31d63 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 14:42:31 +0200 Subject: [PATCH 168/187] CSS selector fuzz: make class-selector coverage deterministic Reviewer found COVERAGE.md's documented command gave 375/401, not the reported 376/401: class-wp-css-class-selector.php:58 (the bare/trailing '.' guard) is reachable but was only sampled intermittently (it landed at seeds 4001-4050, outside the 3000-seed window), so the report's 'all 25 unreached lines accounted for' was off by one. Add the 'a.' invalid template so that guard is hit deterministically within the documented window. class-selector is now a reproducible 10/10 and the 376/401 (93.8%) total matches the documented command exactly; the 25 unreached lines are the 12 case-label artifacts + 13 defensive guards already itemized. --- tools/css-selector-fuzz/COVERAGE.md | 9 ++++++--- tools/css-selector-fuzz/lib/SelectorGenerator.php | 1 + 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/tools/css-selector-fuzz/COVERAGE.md b/tools/css-selector-fuzz/COVERAGE.md index e69e34cf38a17..5c772ce27793c 100644 --- a/tools/css-selector-fuzz/COVERAGE.md +++ b/tools/css-selector-fuzz/COVERAGE.md @@ -70,6 +70,9 @@ guarantees, or branches for grammar the parser never emits: (`consume_escaped_codepoint` for NUL / surrogate / over-max codepoints) and the `normalize_selector_input` NUL→U+FFFD and CR/CRLF/FF→LF paths, which the structural generators cannot reach. -- A few `invalid`-bucket templates (`[ a`, `[a="x\`) were added to reach - attribute/string parse guards that random structural generation rarely - lands on. +- A few `invalid`-bucket templates (`[ a`, `[a="x\`, `a.`) were added to reach + attribute / string / class parse guards that random structural generation + rarely lands on. With them the per-file numbers above are **deterministic** + at the documented 3000-seed window (e.g. `class-wp-css-class-selector.php` + reaches 10/10 reliably rather than depending on whether a bare `.` happened + to be sampled). diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index 7bf1851f192e6..88a2cbaefd9a9 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -1273,6 +1273,7 @@ private function gen_invalid(): string { ' ', "\t\n\f ", '.', + 'a.', '#', '[', ']', From acd1762d1861fdcd27ce9b80834a4b3c29745fa0 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 14:44:12 +0200 Subject: [PATCH 169/187] CSS selector fuzz: honest framing of oracle strength Reviewers flagged overclaims in the prose. Corrected with measured numbers, no behavior change: - 'most match assertions non-vacuous' -> true only within the path-directed bucket (~67% non-vacuous); aggregate across all buckets is ~62% vacuous [] == [] by design (negative-oriented and parse-focused buckets are intentionally empty-set). README, FINDINGS, NEXT-STEPS now state both numbers and the actual point (the combinator walker is exercised with real depth). - 'three oracles agree on every compared case' -> kept, but disclose ~half of compared cases are themselves vacuous. - Quirks-mode class/ID matching has NO independent third oracle (lexbor #368 excludes quirks docs), and ReferenceMatcher shares WP's ASCII-fold reading by construction -> documented as the weakest-covered behavior rather than implied-covered. - The determinism digest covers the WP-under-test surface but not the lexbor oracle's own output -> noted. --- tools/css-selector-fuzz/FINDINGS.md | 5 +++++ tools/css-selector-fuzz/NEXT-STEPS.md | 5 ++++- tools/css-selector-fuzz/README.md | 29 ++++++++++++++++++++++----- 3 files changed, 33 insertions(+), 6 deletions(-) diff --git a/tools/css-selector-fuzz/FINDINGS.md b/tools/css-selector-fuzz/FINDINGS.md index 302d6218a6f0a..4d5331df629a6 100644 --- a/tools/css-selector-fuzz/FINDINGS.md +++ b/tools/css-selector-fuzz/FINDINGS.md @@ -9,6 +9,11 @@ No new bugs surfaced beyond these three, and no fuzzer-side (oracle or generator) defect surfaced: with all three fixes applied a 5000-seed run is completely clean, and the lexbor differential (third independent oracle) agreed with the reference matcher on every compared no-quirks case (0 `lexbor-divergence`). +Caveats on the strength of that agreement: roughly half of the `compared` +cases (and ~62% of all match assertions across buckets) are vacuous `[] == []`; +quirks-mode class/ID matching is excluded from the differential (lexbor #368) +and so rests on `ReferenceMatcher` alone. See `README.md` for the full +disclosure. Reproduce any case: `php tools/css-selector-fuzz/replay.php --selector '' [--html '']`. Auto-minimize a failing seed: `php tools/css-selector-fuzz/minimize.php --seed ` diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index 86fa37c61eb93..5d7a76e51dc8c 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -167,7 +167,10 @@ keep-failing) to a minimal reproducer. Wire into `replay.php` or a new a fuzzer-oracle fix — never left ambiguous. - Metamorphic invariants in place and passing. - Positive-match rate for combinator selectors materially raised (path-directed - generation); match assertions are mostly non-vacuous. + generation): ~68% in that bucket vs ~14% before, so the combinator/breadcrumb + walker is genuinely exercised. (Aggregate across all buckets remains ~62% + vacuous `[] == []`, by design — the negative-oriented and parse-focused + buckets are intentionally mostly empty-set; see `README.md`.) - Minimizer produces minimal repros automatically. - A clean multi-thousand-seed run with all signatures triaged; `FINDINGS.md` updated with any new bugs (each with a minimal repro and a one-line fix diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index c48c790e3fdc9..92c0ce3f10579 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -35,9 +35,16 @@ produces the same document, the same selector, and the same verdict. match that element — or flipped into a near-miss (wrong type/class/attr guarantees a non-match; loosening `>` to descendant must keep matching). The guarantee is asserted against the reference matcher - (`path-expectation`), making most match assertions non-vacuous: - measured positive-match rate for combinator selectors is ~68% in this - bucket vs ~14% in `supported-complex`. + (`path-expectation`). Within this bucket ~67% of match assertions are + non-vacuous (positive-match rate ~68% for combinator selectors, vs ~14% + in `supported-complex`). Across *all* buckets ~38% of match assertions + are non-vacuous: the negative-oriented buckets (`unsupported`, + `invalid`, much of `supported-*`) and `edge-escape` (which targets the + parse/escape-decode path, not matching) are intentionally mostly + empty-set, so the aggregate `[] == []` rate is ~62%. The point of + path-directed generation is that the *combinator/breadcrumb* walker — + the part most likely to harbor a matching bug — is now exercised with + real depth, not that every assertion is non-vacuous. - `unsupported` — valid CSS the API intentionally rejects (pseudo-classes and -elements, `+`/`~`/`||` combinators, namespaces, non-type context selectors); must not parse. @@ -80,8 +87,13 @@ produces the same document, the same selector, and the same verdict. the selector layer, not tree construction. Verdicts: `lexbor-divergence` (lexbor ≠ reference) is a fuzzer-oracle problem; `match-mismatch-html` with no accompanying divergence means reference == lexbor ≠ WP — a - high-confidence WP finding. + high-confidence WP finding. (Roughly half of `compared` cases are + themselves non-vacuous; the rest assert `[] == []` on both engines.) - Repeating a case yields a byte-identical result digest (determinism). + Note the digest covers the WP-under-test surface (selector, html, + parse-nullness, ASTs, failure invariants) but **not** the lexbor + oracle's own output, so it would not flag a flaky lexbor result that + never escalates to a `lexbor-divergence` failure. ## lexbor harness @@ -107,7 +119,14 @@ Known lexbor issues compensated for at this pin: case-sensitive). Detected by a startup probe; when present, lexbor is compared against the reference matcher run with quirks-style class/ID folding, and quirks-mode documents are excluded from the differential - entirely (the reference matcher is the sole quirks authority). + entirely. **Consequence — a real coverage hole:** quirks-mode class/ID + matching has no independent third oracle. `ReferenceMatcher` is the sole + authority there, and it encodes the same "ASCII-only case fold in quirks" + reading WP does (both fold via ASCII-only lowercasing), so if that reading + is wrong they would be wrong identically and lexbor — the one engine that + could disagree — is excluded. This is inherent to lexbor #368 being open; + it is the weakest-covered behavior in the suite and is called out here + rather than papered over. - lexbor rejects uppercase `I`/`S` attribute-selector modifiers, and its non-ASCII ident-codepoint table omits U+00B7 and U+00C0–U+00F6 (it starts at U+00F8), rejecting e.g. `.Über` while accepting `.über`. From 86744400159a9bd5e5ba8f2e32f11d46bb5dc0e4 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 15:00:36 +0200 Subject: [PATCH 170/187] CSS selector fuzz: model class_list NUL-fold; close review nitpicks Reviewer-1 #10 (class-value decode boundary): ReferenceMatcher::class_matches now folds NUL -> U+FFFD per class token, matching WP_HTML_Tag_Processor:: class_list(). Previously the reference left raw NUL, so it would have diverged from select() on a class value containing NUL (a reference gap, not a WP bug). Pinned by five deterministic decode-boundary cases in self-check.php (NUL->FFFD, trailing NUL, FF separator) that put the two independent class tokenizers against each other and against select(). Randomized document-side NUL injection is deliberately NOT added: a hot-path PRNG draw perturbs self-check.php's fixed seed space enough to surface the known Bug 3, which would first require decoupling self-check from the unfixed core bugs. Documented as a scoped future improvement in README 'Known oracle limitations', which also distinguishes the independent class-value path from the shared get_attribute() attribute path per the reviewer's sharpening. Reviewer-2 nitpick (fid sanitization asymmetric on match path): collect_matches now routes select() fids through TreeCapture::sanitize_fid, identical to the tree-row and lexbor sides, so a control-char fid can never produce a false lexbor-divergence (unreachable today; fids are integers). Reviewer-3 nitpick: minimize.php header docstring no longer implies --seed works universally. Validated: self-check OK (incl. new cases), unpatched detects the 3 bugs, patched 2000-seed run clean (927 lexbor comparisons), all 3 bugs still reproduce. --- tools/css-selector-fuzz/README.md | 23 ++++++++++++ .../lib/ReferenceMatcher.php | 8 +++++ tools/css-selector-fuzz/lib/Worker.php | 5 ++- tools/css-selector-fuzz/minimize.php | 15 +++++--- tools/css-selector-fuzz/tests/self-check.php | 36 +++++++++++++++++++ 5 files changed, 81 insertions(+), 6 deletions(-) diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index 92c0ce3f10579..661e6dd575cba 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -136,6 +136,29 @@ Known lexbor issues compensated for at this pin: - `lxb_selectors_find` reports a node once per matching selector-list branch; `LXB_SELECTORS_OPT_MATCH_FIRST` dedupes. +## Known oracle limitations (document-side decoding) + +The match oracle's independence differs between class and attribute selectors: + +- **Class values are matched by two genuinely independent tokenizers.** WP's + `select('.x')` goes through `WP_HTML_Tag_Processor::class_list()`, which + splits on ASCII whitespace and folds NUL → U+FFFD per token; + `ReferenceMatcher::class_matches()` reimplements that independently (and is + pinned against `class_list()` on NUL/FF boundary inputs by `self-check.php`). + The random document generators do **not** emit control bytes inside class + values, so the *randomized* fuzzing never exercises this boundary — it is + covered only by the deterministic self-check cases. Randomized document-side + injection is deliberately deferred: adding it to the hot path perturbs the + deterministic self-check seed space enough to surface the known Bug 3, which + would first require decoupling `self-check.php` from the unfixed core bugs. + A worthwhile, scoped future improvement. +- **Attribute values are matched through a single shared read.** Both WP's + attribute matcher and `ReferenceMatcher::attr_matches()` read the same + `get_attribute()` output, so a value-decoding bug there would be shared and + invisible regardless of input — a genuine shared-oracle limitation that no + generator change can close (it needs an independent attribute-value decoder, + which lexbor partly provides on no-quirks documents). + ## Usage Bounded fuzz run (process-isolated chunks, crash/hang attribution): diff --git a/tools/css-selector-fuzz/lib/ReferenceMatcher.php b/tools/css-selector-fuzz/lib/ReferenceMatcher.php index 6af3301cd080b..5acbf9f5d4927 100644 --- a/tools/css-selector-fuzz/lib/ReferenceMatcher.php +++ b/tools/css-selector-fuzz/lib/ReferenceMatcher.php @@ -172,6 +172,14 @@ private static function class_matches( string $wanted, array $row, bool $quirks $word = substr( $class_value, $at, $word_length ); $at += $word_length; + /* + * WP_HTML_Tag_Processor::class_list() replaces NUL with U+FFFD in + * each class token before comparison; model that so a class value + * containing a raw NUL matches a `\0`-escaped ( U+FFFD ) selector + * the same way select() does. + */ + $word = str_replace( "\0", "\u{FFFD}", $word ); + if ( $quirks ? ascii_strtolower( $word ) === ascii_strtolower( $wanted ) diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index b2ad002ed8ac0..5bb607a032c58 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -649,7 +649,10 @@ static function () use ( $target, $selector_string, $html, $context ) { $iterations = 0; while ( $processor->select( $selector_string ) ) { $fid = $processor->get_attribute( 'data-fid' ); - $matches[] = is_string( $fid ) ? $fid : '(missing-fid:' . $processor->get_tag() . ')'; + // Sanitize identically to TreeCapture/lexbor so a fid with + // a control char can never produce a false divergence on + // the match path ( unreachable today: fids are integers ). + $matches[] = is_string( $fid ) ? TreeCapture::sanitize_fid( $fid ) : '(missing-fid:' . $processor->get_tag() . ')'; if ( ++$iterations > self::SELECT_ITERATION_LIMIT ) { throw new \RuntimeException( 'select() did not terminate within the iteration limit.' ); } diff --git a/tools/css-selector-fuzz/minimize.php b/tools/css-selector-fuzz/minimize.php index edfc892689fa7..c7fe1f1cb3dda 100644 --- a/tools/css-selector-fuzz/minimize.php +++ b/tools/css-selector-fuzz/minimize.php @@ -9,9 +9,13 @@ * * The minimizer drives Worker::run_pair, which checks only self-contained * invariants (computable from the pair alone), so it needs no generator - * intent. The three known bugs reduce to self-contained signatures: - * Bug 1 -> metamorphic-ast, Bug 2 -> match-mismatch-html, Bug 3 -> - * metamorphic-parse. + * intent. --seed faithfully minimizes only seeds whose failure is + * self-contained; the generator-side invariants (ast-mismatch, + * parse-expectation, path-expectation, model-desync) are invisible to + * run_pair, so a seed whose failure is only those is refused by default + * (each of the three known bugs DOES also surface a self-contained + * signature — Bug 1 -> metamorphic-ast, Bug 2 -> match-mismatch-html, + * Bug 3 -> metamorphic-parse — reachable via --signature). * * Usage: * php tools/css-selector-fuzz/minimize.php --seed 1234 [--signature SUBSTR] @@ -19,8 +23,9 @@ * * Options: * --signature SUBSTR Target a signature whose id or invariant contains - * SUBSTR (default: the first signature of the seed's - * failure set). + * SUBSTR. For --seed, also the way to opt into a + * related self-contained signature when the seed's own + * failure is generator-side (printed as a retarget). * --max-attempts N Cap test evaluations (default 4000). * --json Emit the reproducer as JSON. */ diff --git a/tools/css-selector-fuzz/tests/self-check.php b/tools/css-selector-fuzz/tests/self-check.php index e92cc3ecd3f7c..10196f2d62291 100644 --- a/tools/css-selector-fuzz/tests/self-check.php +++ b/tools/css-selector-fuzz/tests/self-check.php @@ -115,6 +115,42 @@ function select_fids( string $html, string $selector ): array { check( array( 'e4' ) === select_fids( $known_html, '[data-v|="hello"]' ), 'Known: [data-v|=hello].' ); check( array( 'e7' ) === select_fids( $known_html, '[lang^="en"]' ), 'Known: [lang^=en].' ); +// --- Class-value decode boundary (ReferenceMatcher vs WP class_list) -------- +// WP's class_list() folds NUL -> U+FFFD and treats FF as a separator; the +// reference matcher reimplements tokenization independently. Pin both engines +// against each other on these boundary inputs ( exercised deterministically +// here since the random document generator does not emit control bytes in +// class values — see README #10 ). Each case also checks the reference matcher +// agrees with select() over a TreeCapture of the same markup. + +function ref_fids( string $html, string $selector ): array { + $capture = \CssSelectorFuzz\TreeCapture::capture( $html ); + $list = WP_CSS_Complex_Selector_List::from_selectors( $selector ); + if ( null !== $capture['error'] || null === $list ) { + return array( '(error)' ); + } + $ast = \CssSelectorFuzz\AstExtractor::from_complex_list( $list ); + return \CssSelectorFuzz\ReferenceMatcher::expected_html_matches_rows( $ast, $capture['htmlRows'], $capture['quirks'] ); +} + +$nul_html = ""; +$ff_html = ""; + +$nul_cases = array( + array( "class NUL -> FFFD", $nul_html, ".foo\u{FFFD}bar", array( 'n0' ) ), + array( "class trailing NUL", $nul_html, ".x\u{FFFD}", array( 'n1' ) ), + array( "class raw NUL no-match", $nul_html, '.foobar', array() ), + array( "class FF separator (first)", $ff_html, '.alpha', array( 'f0' ) ), + array( "class FF separator (second)", $ff_html, '.beta', array( 'f0' ) ), +); +foreach ( $nul_cases as $case ) { + list( $label, $html, $selector, $expected ) = $case; + $wp = select_fids( $html, $selector ); + $ref = ref_fids( $html, $selector ); + check( $expected === $wp, "Decode boundary ({$label}): select() == expected." ); + check( $ref === $wp, "Decode boundary ({$label}): ReferenceMatcher == select()." ); +} + // --- Worker end-to-end on a few seeds --------------------------------------- for ( $seed = 1; $seed <= 5; $seed++ ) { From acbc6a1a4e52edbdfb0d99b74326fae73fe473ae Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 15:04:10 +0200 Subject: [PATCH 171/187] CSS selector fuzz: track self-check/known-bug decoupling as follow-up MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewer-1 forward-looking note (not a blocker): self-check.php's parse-expectation loop runs over a fixed seed window that dodges the three known core bugs only by seed luck, so any future generator change can collide with them (as the deferred class-NUL injection already does). Record decoupling self-check from the unfixed core bugs as a standalone hardening item in NEXT-STEPS — worth doing independently and the prerequisite for randomized class-NUL injection. --- tools/css-selector-fuzz/NEXT-STEPS.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index 5d7a76e51dc8c..0081ce4d3a63a 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -8,6 +8,17 @@ > raised from 14.5% to ~68% (path-directed bucket); minimizer working; a clean > 5000-seed run with all signatures triaged to the three known bugs, all of > which still reproduce. The notes below are retained as the design rationale. +> +> **Open follow-up hardening (post-review):** `tests/self-check.php` runs its +> parse-expectation assertions over a fixed seed window (1–400) that currently +> dodges the three known core bugs only by seed luck. Any generator change that +> shifts the PRNG stream can collide with Bug 1/3 there (it already does for the +> deferred document-side class-NUL injection — see README "Known oracle +> limitations"). Decouple self-check from the unfixed core bugs — e.g. apply the +> three FINDINGS.md fixes inside the self-check harness, or allowlist their +> signatures in the parse-expectation loop — as a standalone hardening. This is +> worth doing on its own (it makes self-check robust to *any* future generator +> change) and is the prerequisite for randomized class-NUL document injection. Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch `html-css-fuzz` @ `6ebbcc2fe4` (trunk + merged `html-api/add-css-selector-parser`). From 0a5ef71b4443e422dcd1bb29a356a7aad25ff70a Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 17:28:57 +0200 Subject: [PATCH 172/187] CSS selector fuzz: record fix status; correct findings inaccuracies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All three FINDINGS.md bugs are now fixed on this branch by the 'CSS selector:' commits, each with PHPUnit regression tests, and a post-fix 5000-seed run is clean. Update FINDINGS.md and the NEXT-STEPS regression anchors accordingly: the minimal repros must now NOT trigger. Corrections and additions surfaced by the fix-review panels: - Bug 2's claimed substr_compare negative-length edge does not exist (-strlen('') is 0, and PHP clamps out-of-range negative offsets); the landed fix also excludes ~= from the guard since a whitespace-delimited list never yields an empty item. - README: note lexbor's [x~=""] whitespace-value divergence (matches where Selectors-4/Chrome/WP say no match) as a latent noise source and candidate upstream report. - NEXT-STEPS: candidate finding 4 — \ at EOF is a valid escape per CSS Syntax §4.3.8 and should decode to U+FFFD in ident context, but WP rejects it ('.foo\' parses to null). Unverified, low severity. - NEXT-STEPS: self-check/known-bug decoupling reframed now that this branch's core is fixed; hazard remains for unfixed-core runs. --- tools/css-selector-fuzz/FINDINGS.md | 22 +++++++++++------ tools/css-selector-fuzz/NEXT-STEPS.md | 34 +++++++++++++++++++-------- tools/css-selector-fuzz/README.md | 6 +++++ 3 files changed, 45 insertions(+), 17 deletions(-) diff --git a/tools/css-selector-fuzz/FINDINGS.md b/tools/css-selector-fuzz/FINDINGS.md index 4d5331df629a6..5e650aac73549 100644 --- a/tools/css-selector-fuzz/FINDINGS.md +++ b/tools/css-selector-fuzz/FINDINGS.md @@ -5,6 +5,12 @@ seeds, 0 crashes/timeouts. Three distinct, reproduced WordPress-core correctness bugs in the new HTML-API CSS selector support. Every selector below is valid, supported CSS that the API mis-handles **without** reporting lack of support. +**Status: all three bugs are fixed on this branch** (commit prefix +`CSS selector:` — Bug 1 `7419a9fef6`, Bug 2 `0cefeb2fc8`, Bug 3 `16d03e2c5f`), +each with PHPUnit regression tests that fail pre-fix. A post-fix 5000-seed run +is clean (0 failures, 0 crashes). The repros below no longer trigger; they +remain as regression anchors and Trac-ready minimal test cases. + No new bugs surfaced beyond these three, and no fuzzer-side (oracle or generator) defect surfaced: with all three fixes applied a 5000-seed run is completely clean, and the lexbor differential (third independent oracle) agreed @@ -54,9 +60,8 @@ non-hex identity-escape branch is wrong. Depending on what wrong codepoint is produced this also causes spurious parse failures (a valid selector returns `null`). -**Fix direction:** read the next codepoint by byte offset, e.g. -`mb_substr( substr( $input, $offset ), 0, 1, 'UTF-8' )`, or decode the UTF-8 -lead byte length from `$input[$offset]` directly. +**Fix (landed in `7419a9fef6`):** read the next codepoint from the byte +offset: `mb_substr( substr( $input, $offset ), 0, 1, 'UTF-8' )`. --- @@ -82,9 +87,11 @@ Reproduction against ``: | `[x$=""]` | `I` | none | | `[x~=""]` | none ✅ | none | -**Fix direction:** in `matches()`, return `false` for `^= $= *=` (and `~=`) when -`'' === $this->value`, before the `substr_compare`/`strpos` calls. (This also -removes a `substr_compare` negative-length edge with very short attribute values.) +**Fix (landed in `0cefeb2fc8`):** in `matches()`, return `false` for `^= $= *=` +when `'' === $this->value`, before the `substr_compare`/`strpos` calls. `~=` +needs no guard — a whitespace-delimited list never yields an empty item — and +a test pins that. (No `substr_compare` length edge exists here: `-strlen('')` +is `0`, and PHP clamps out-of-range negative offsets rather than erroring.) --- @@ -115,7 +122,8 @@ character of the selector string. | `[a^=b]` | parsed ✅ (2-char operator) | | `[a=b].c` | parsed ✅ (trailing content) | -**Fix direction:** change `>=` to `>` (need `strlen - $updated_offset >= 3`). +**Fix (landed in `16d03e2c5f`):** change `>=` to `>` (need +`strlen - $updated_offset >= 3`). --- diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index 0081ce4d3a63a..51a68dc06a5cf 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -9,16 +9,29 @@ > 5000-seed run with all signatures triaged to the three known bugs, all of > which still reproduce. The notes below are retained as the design rationale. > +> **Core fixes landed:** the three FINDINGS.md bugs are fixed on this branch +> (`CSS selector:` commits `7419a9fef6` / `0cefeb2fc8` / `16d03e2c5f`), each +> with PHPUnit regression tests. A post-fix 5000-seed run is clean. +> > **Open follow-up hardening (post-review):** `tests/self-check.php` runs its -> parse-expectation assertions over a fixed seed window (1–400) that currently -> dodges the three known core bugs only by seed luck. Any generator change that -> shifts the PRNG stream can collide with Bug 1/3 there (it already does for the -> deferred document-side class-NUL injection — see README "Known oracle -> limitations"). Decouple self-check from the unfixed core bugs — e.g. apply the -> three FINDINGS.md fixes inside the self-check harness, or allowlist their +> parse-expectation assertions over a fixed seed window (1–400) that, against +> an *unfixed* core, dodges the known core bugs only by seed luck. On this +> branch the bugs are fixed so the collision risk is gone, but the hazard +> returns whenever the tooling runs against a core without the fixes (e.g. +> cherry-picked onto trunk before the fixes land) or when a future unfixed bug +> is found. Decouple self-check from unfixed core bugs — e.g. allowlist known > signatures in the parse-expectation loop — as a standalone hardening. This is > worth doing on its own (it makes self-check robust to *any* future generator > change) and is the prerequisite for randomized class-NUL document injection. +> +> **Candidate finding 4 (unverified, found in fix review):** per CSS Syntax 3 +> §4.3.8, `\` followed by EOF is a valid escape (EOF is not a newline), and +> §4.3.7 says consuming it returns U+FFFD — so `.foo\` should parse as class +> `foo\u{FFFD}`. WP's `next_two_are_valid_escape()` requires a code point after +> the backslash, so `.foo\` is rejected (`from_selectors()` → null). The +> string-context behavior (`'foo\` → `foo`, "do nothing" at EOF) is already +> spec-correct; only ident context diverges. Low severity (fail-safe null, not +> a mis-match); verify against browsers, then fix or document as intentional. Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch `html-css-fuzz` @ `6ebbcc2fe4` (trunk + merged `html-api/add-css-selector-parser`). @@ -189,7 +202,8 @@ keep-failing) to a minimal reproducer. Wire into `replay.php` or a new ## Existing bugs to keep verifying (regression anchors) -From `FINDINGS.md` — minimal repros, all must still trigger until core is fixed: -1. Identity escape after multibyte mis-decodes: `#Ü,\sup #x` → type `uup` (want `sup`). -2. Empty-value matchers match everything: `[x^=""]`, `[x*=""]`, `[x$=""]`. -3. Off-by-one length guard: `[a=b]` (single-char unquoted value, exact `=`, at EOF) → `null`. +From `FINDINGS.md` — all three are fixed on this branch and pinned by PHPUnit +tests; the minimal repros must now NOT trigger (a clean 5000-seed run confirms): +1. Identity escape after multibyte mis-decodes: `#Ü,\sup #x` → type must be `sup`. +2. Empty-value substring matchers: `[x^=""]`, `[x*=""]`, `[x$=""]` must match nothing. +3. Off-by-one length guard: `[a=b]` (single-char unquoted value, exact `=`, at EOF) must parse. diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index 661e6dd575cba..3af425719c807 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -135,6 +135,12 @@ Known lexbor issues compensated for at this pin: findings. - `lxb_selectors_find` reports a node once per matching selector-list branch; `LXB_SELECTORS_OPT_MATCH_FIRST` dedupes. +- lexbor matches `[x~=""]` against whitespace-only attribute values + (e.g. `x=" "`); Selectors-4 and Chrome say an empty operand never + matches a list item, and WP agrees with them. Latent + `lexbor-divergence` noise source if the generator ever pairs `~=""` + with whitespace-valued attributes; candidate upstream report, not a + WP finding. ## Known oracle limitations (document-side decoding) From 68ef171dea1d9fae4b558345db6648cba7713259 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 18:46:50 +0200 Subject: [PATCH 173/187] CSS selector fuzz: draft upstream lexbor bug reports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three spec-conformance bugs in liblexbor v3.0.0, found via the differential oracle and re-verified directly against the harness: 1. [x~=""] matches whitespace-only attribute values (empty operand must never match, Selectors-4 §6.1). 2. Uppercase I/S attribute-selector modifiers are parse errors (Selectors-4 §6.3 defines them case-insensitively). 3. Non-ASCII ident code points below U+00F8 (U+00B7, U+00C0-U+00F6) are rejected; the table appears to start at U+00F8 (CSS Syntax 3 §4.2). Each comes with verified repro tables, control cases bracketing the boundary, spec citations, a self-contained C repro skeleton, and instructions for an agent to re-verify at lexbor master, dedupe against existing issues, and file upstream. lexbor #368 is already filed and excluded. --- .../lexbor/UPSTREAM-ISSUES.md | 141 ++++++++++++++++++ 1 file changed, 141 insertions(+) create mode 100644 tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md diff --git a/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md b/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md new file mode 100644 index 0000000000000..8ebf17484b095 --- /dev/null +++ b/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md @@ -0,0 +1,141 @@ +# lexbor — draft upstream bug reports + +Three spec-conformance bugs in liblexbor's CSS selectors support, found while +using lexbor as a differential oracle for the WordPress HTML-API CSS selector +fuzzer (`tools/css-selector-fuzz/`). All three were re-verified directly +against the harness on 2026-06-10. + +- **Pinned version:** lexbor v3.0.0 (`2ae88a1c6b52`), built by + `tools/css-selector-fuzz/lexbor/build.sh`. +- **Upstream repo:** https://github.com/lexbor/lexbor +- **Already filed upstream — do NOT refile:** + [#368](https://github.com/lexbor/lexbor/issues/368) (class/`#id` selectors + match ASCII case-insensitively in no-quirks documents). + +## Instructions for the filing agent + +1. **Re-verify at lexbor master first.** The pin is v3.0.0; any of these may + already be fixed. Edit `build.sh` to build master (or clone/build manually) + and re-run the repros below. Only file what still reproduces, and say in + the report which commit you tested. +2. **Search for duplicates** before filing (suggested queries: `~=`, + `attr-modifier`, `case insensitive modifier`, `ident code point`, + `U+00B7`, `non-ascii`). #368 shows the maintainer's preferred repro style. +3. **One issue per bug.** Reduce each to a self-contained C repro (sketch + below); maintainers should not need this repo's harness. +4. Reproduction via this repo (fast path): build the harness + (`sh tools/css-selector-fuzz/lexbor/build.sh`), then feed it + `base64(html) TAB base64(selector)` lines on stdin. Response lines per + case: `Rtagfidancestors` (tree rows), `Mfid` (match), + `Xreason` (selector parse error), terminated by `D`. See + `lib/LexborOracle.php` for a reference client and `harness.c` for the + exact lexbor API usage (`lxb_html_document_parse`, + `lxb_css_selectors_parse`, `lxb_selectors_find`). + +Minimal C repro skeleton (adapt per issue; `harness.c` is the full reference): + +```c +/* cc repro.c -llexbor */ +#include +#include +#include + +static lxb_status_t cb(lxb_dom_node_t *n, lxb_css_selector_specificity_t s, void *ctx) { + (*(int *)ctx)++; + return LXB_STATUS_OK; +} + +int main(void) { + const lxb_char_t html[] = ""; + const lxb_char_t sel[] = "[x~=\"\"]"; + int hits = 0; + + lxb_html_document_t *doc = lxb_html_document_create(); + lxb_html_document_parse(doc, html, sizeof(html) - 1); + + lxb_css_parser_t *parser = lxb_css_parser_create(); + lxb_css_parser_init(parser, NULL); + lxb_selectors_t *selectors = lxb_selectors_create(); + lxb_selectors_init(selectors); + + lxb_css_selector_list_t *list = + lxb_css_selectors_parse(parser, sel, sizeof(sel) - 1); + if (list == NULL) { printf("selector parse error\n"); return 1; } + + lxb_selectors_find(selectors, lxb_dom_interface_node(doc), + list, cb, &hits); + printf("matches: %d\n", hits); /* spec: 0 */ + return 0; +} +``` + +--- + +## Issue 1 — `[x~=""]` matches whitespace-only attribute values + +Per Selectors Level 4, `[att~=val]` with an empty `val` never matches: + +> If "val" is the empty string, it will never represent anything. +> — https://www.w3.org/TR/selectors-4/#attribute-representation (§6.1) + +lexbor instead matches elements whose attribute value consists only of +whitespace, suggesting its list-splitting yields an empty token for +whitespace-only values. Verified at v3.0.0 (`data-fid="a"` on the element): + +| document | selector | lexbor | spec / Chrome 149 | +|---------------------------|-----------|-----------|-------------------| +| `` (space) | `[x~=""]` | matches ❌ | no match | +| `` (tab) | `[x~=""]` | matches ❌ | no match | +| `` | `[x~=""]` | no match ✅ | no match | +| `` | `[x~=""]` | no match ✅ | no match | +| `` (control) | `[x~=a]` | matches ✅ | matches | + +Chrome 149 (`document.querySelectorAll`) returns no match for all `[x~=""]` +rows (verified 2026-06-10 via Playwright during the WordPress fix review). + +## Issue 2 — uppercase `I`/`S` attribute-selector modifiers rejected + +Selectors Level 4 §6.3 defines the modifiers explicitly as case-insensitive: + +> ...adding the identifier `i` (or `I`) ... adding the identifier `s` (or `S`) ... +> — https://www.w3.org/TR/selectors-4/#attribute-case + +lexbor parses the lowercase forms but reports a selector parse error for the +uppercase forms. Verified at v3.0.0: + +| selector | lexbor | spec | +|--------------|---------------|---------| +| `[x=abc i]` | parses ✅ | parses | +| `[x=abc I]` | parse error ❌ | parses | +| `[x=abc s]` | parses ✅ | parses | +| `[x=abc S]` | parse error ❌ | parses | + +Note for browser comparison: Chrome 149 had not shipped the `s` modifier at +all (throws SyntaxError), so compare `I` against Chrome and `S` against the +spec text / Firefox. + +## Issue 3 — non-ASCII ident code points below U+00F8 rejected + +CSS Syntax Level 3 defines the non-ASCII ident code points to include +U+00B7 and U+00C0–U+00D6 / U+00D8–U+00F6: + +> non-ASCII ident code point: U+00B7, U+00C0 to U+00D6, U+00D8 to U+00F6, +> U+00F8 to U+037D, ... +> — https://www.w3.org/TR/css-syntax-3/#non-ascii-ident-code-point + +lexbor's table appears to start at U+00F8: code points in the earlier ranges +are rejected both in ident-start and non-start positions. Verified at v3.0.0 +(raw UTF-8 selectors; class attribute contains the same characters): + +| selector | codepoint(s) | lexbor | spec | +|-----------|---------------------|---------------|---------| +| `.über` | U+00FC (≥ U+00F8) | parses ✅ | parses | +| `.øx` | U+00F8 (boundary) | parses ✅ | parses | +| `.Über` | U+00DC (U+00D8–F6) | parse error ❌ | parses | +| `.a·b` | U+00B7 (non-start) | parse error ❌ | parses | +| `.÷x` | U+00F7 (excluded) | parse error ✅ | error | + +The U+00F7 row is a control: the division sign is correctly NOT an ident code +point, so lexbor's boundary is off by exactly the U+00B7 / U+00C0–U+00F6 +ranges. Workaround used by this fuzzer: hex-escape all non-ASCII (`\dc ber` +parses fine), which is why this surfaces only with raw multibyte selectors. From 28df783d2107ad6f70ab303485f65d4d96d1e771 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 22:38:50 +0200 Subject: [PATCH 174/187] CSS selector fuzz: cover backslash-at-EOF escapes; record decisions Track the core EOF-escape fix (candidate finding 4, now confirmed against lexbor and fixed): - The invalid bucket's lone '\' entry is now a valid selector (type U+FFFD); replace it with "\\n" (backslash before a newline is not a valid escape and stays invalid). - New 'eof-escape' kind in the edge-escape bucket generates '.name\', '#name\', and 'name\' (including empty-name variants) with expected ASTs ending in U+FFFD, exercising both the EOF escape decode and the normalize-input trailing-whitespace handling. NEXT-STEPS.md: mark candidate finding 4 fixed (including the trailing-trim wrong-match-set bug its review surfaced) and record the session decisions: EOF-truncated attribute selectors will be made spec-conformant (auto-close), the HTML case-insensitive attribute value list will be implemented, grammar-level truncations stay invalid, no Trac tickets. Self-check OK; 5000-seed runs clean at seeds 1-5000 and 7000000+ (reviewer-chosen fresh range) with lexbor comparisons active. --- tools/css-selector-fuzz/NEXT-STEPS.md | 31 +++++++--- .../lib/SelectorGenerator.php | 59 +++++++++++++++++-- 2 files changed, 78 insertions(+), 12 deletions(-) diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index 51a68dc06a5cf..af2ba87eca8cd 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -24,14 +24,29 @@ > worth doing on its own (it makes self-check robust to *any* future generator > change) and is the prerequisite for randomized class-NUL document injection. > -> **Candidate finding 4 (unverified, found in fix review):** per CSS Syntax 3 -> §4.3.8, `\` followed by EOF is a valid escape (EOF is not a newline), and -> §4.3.7 says consuming it returns U+FFFD — so `.foo\` should parse as class -> `foo\u{FFFD}`. WP's `next_two_are_valid_escape()` requires a code point after -> the backslash, so `.foo\` is rejected (`from_selectors()` → null). The -> string-context behavior (`'foo\` → `foo`, "do nothing" at EOF) is already -> spec-correct; only ident context diverges. Low severity (fail-safe null, not -> a mis-match); verify against browsers, then fix or document as intentional. +> **Candidate finding 4 — FIXED:** per CSS Syntax 3 §4.3.8, `\` followed by +> EOF is a valid escape (EOF is not a newline), and §4.3.7 says consuming it +> returns U+FFFD — so `.foo\` parses as class `foo\u{FFFD}`. Verified against +> lexbor (agrees: `.foo\` matches class `foo\u{FFFD}`; `\` parses as type +> `\u{FFFD}`). Fixed on this branch (`CSS selector:` commit): EOF guard in +> `consume_escaped_codepoint()` returns U+FFFD, `next_two_are_valid_escape()` +> accepts a backslash as the final byte. Review of the fix surfaced a second +> bug in the same family: `normalize_selector_input()` trimmed *trailing* +> whitespace before tokenizing, so `.foo\ ` (escaped space — valid class +> `foo `, matches nothing) and `.foo\` (invalid escape — must be +> rejected) both collapsed to `.foo\` and matched class `foo\u{FFFD}` — a +> wrong-match-set bug. Fixed by switching to `ltrim()`; the grammar consumes +> insignificant trailing whitespace. Fuzzer updated to match: the lone `\` +> invalid-bucket entry became `\` (still invalid), and `edge-escape` +> gained an `eof-escape` kind covering `.name\` / `#name\` / `name\`. +> +> **Session decisions (2026-06-10):** EOF-truncated selectors (`div[a=b`) +> will be made spec-conformant — CSS Syntax auto-closes open blocks at EOF — +> rather than documented as an intentional rejection. HTML's default +> case-insensitive attribute value list will be implemented (no-modifier + +> html-namespace + listed attribute; explicit `s` keeps forcing +> case-sensitivity). Grammar-level truncations (`[`, `[a=`, `div >`, `div,`) +> stay invalid — browsers reject those too. No Trac tickets for any of this. Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch `html-css-fuzz` @ `6ebbcc2fe4` (trunk + merged `html-api/add-css-selector-parser`). diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index 88a2cbaefd9a9..54aa761781c5b 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -545,12 +545,61 @@ private function pick_name( string $pool_key ): string { private function gen_edge_escape(): array { $kind = $this->prng->weighted( array( - 'fffd-ident' => 50, - 'nul-input' => 25, - 'ws-input' => 25, + 'fffd-ident' => 40, + 'eof-escape' => 20, + 'nul-input' => 20, + 'ws-input' => 20, ) ); + if ( 'eof-escape' === $kind ) { + /* + * A backslash at the end of input is a valid escape ( EOF is not + * a newline ) and decodes to U+FFFD, in ident context only: + * `.foo\` is the class `foo\u{FFFD}`. + * + * https://www.w3.org/TR/css-syntax-3/#consume-escaped-code-point + */ + $name = $this->prng->chance( 30 ) ? '' : 'a' . $this->prng->int( 0, 99 ); + list( $selector, $self ) = $this->prng->choice( + array( + array( + '.' . $name . '\\', + array( + 'type' => null, + 'subs' => array( array( 'kind' => 'class', 'name' => $name . "\u{FFFD}" ) ), + ), + ), + array( + '#' . $name . '\\', + array( + 'type' => null, + 'subs' => array( array( 'kind' => 'id', 'name' => $name . "\u{FFFD}" ) ), + ), + ), + array( + $name . '\\', + array( + 'type' => $name . "\u{FFFD}", + 'subs' => null, + ), + ), + ) + ); + return array( + 'bucket' => 'edge-escape', + 'selector' => $selector, + 'expectCompound' => true, + 'expectComplex' => true, + 'ast' => array( + array( + 'context' => array(), + 'self' => $self, + ), + ), + ); + } + if ( 'fffd-ident' === $kind ) { // A class selector whose name is a single U+FFFD, produced by a // hex escape for an out-of-range codepoint. @@ -1307,7 +1356,9 @@ private function gen_invalid(): string { 'a >> b', '>', '-', - '\\', + // A lone '\' is a valid escape at EOF ( type selector U+FFFD ); + // '\' before a newline is not a valid escape. + "\\\n", "a\\\nb", 'a/**/b', '/* comment */ a', From c6916ce008756ab273c5738912d1dda6c094dad4 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 23:02:33 +0200 Subject: [PATCH 175/187] CSS selector fuzz: cover EOF-truncated attribute selectors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Track the core EOF auto-close change: - New 'eof-truncated' kind in the edge-escape bucket: render an attribute compound, strip the trailing ']', sometimes also drop a closing string quote (EOF terminates the string, then the block) and sometimes append a trailing backslash to the unterminated string (the 'do nothing' escape arm, keeping that branch exercised after the '[a="x\' invalid template became valid). - Invalid bucket reshuffled along the new validity boundary: entries that EOF auto-close makes valid ('[a', '[ a', '[a=b', '[a="x\', '[a="b]', "[a='b]", '[a=b i') are replaced with still-invalid grammar-level truncations ('[a=', '[a= ', '[a~', '[a^', '[a=b x', '[a=b ix', '[a=b i x', '[5=b', '[a="bc'). COVERAGE.md regenerated: 384/408 lines (94.1%), effective 396/408 (97.1%). The parse_string() and ident-start EOF guards flipped from 'defensive, unreachable' to genuinely covered ('[a=' now reaches the value parsers at EOF); next_two_are_valid_escape()'s EOF guard is the remaining defensive line. NEXT-STEPS.md: record candidate finding 5 (escaped attribute-selector modifier idents like '[a=b \69]' are rejected by the byte-wise modifier switch; Chromium itself is inconsistent — accepts \69/i, rejects \73/s; fail-safe refusal, not fixed). Review panel: two approvals; 20k-case generator oracle loop and a fresh 9M-seed-range fuzz run by reviewers found no oracle mismatches. Gates: self-check OK, full suite 1631 green, 5000-seed run clean. --- tools/css-selector-fuzz/COVERAGE.md | 46 ++++++---- tools/css-selector-fuzz/NEXT-STEPS.md | 9 ++ .../lib/SelectorGenerator.php | 84 ++++++++++++++++--- 3 files changed, 111 insertions(+), 28 deletions(-) diff --git a/tools/css-selector-fuzz/COVERAGE.md b/tools/css-selector-fuzz/COVERAGE.md index 5c772ce27793c..5279d0363201e 100644 --- a/tools/css-selector-fuzz/COVERAGE.md +++ b/tools/css-selector-fuzz/COVERAGE.md @@ -7,21 +7,25 @@ with phpdbg's opcode log over 3000 deterministic seeds: | file | covered / executable | % | |---|---|---| -| class-wp-css-attribute-selector.php | 102 / 112 | 91.1% | +| class-wp-css-attribute-selector.php | 106 / 116 | 91.4% | | class-wp-css-class-selector.php | 10 / 10 | 100% | | class-wp-css-complex-selector-list.php | 16 / 16 | 100% | | class-wp-css-complex-selector.php | 59 / 66 | 89.4% | | class-wp-css-compound-selector-list.php | 27 / 28 | 96.4% | | class-wp-css-compound-selector.php | 29 / 32 | 90.6% | | class-wp-css-id-selector.php | 12 / 12 | 100% | -| class-wp-css-selector-parser-matcher.php | 106 / 108 | 98.1% | +| class-wp-css-selector-parser-matcher.php | 110 / 111 | 99.1% | | class-wp-css-type-selector.php | 15 / 17 | 88.2% | -| **TOTAL** | **376 / 401** | **93.8%** | +| **TOTAL** | **384 / 408** | **94.1%** | -The 25 unreached lines are all accounted for below. Twelve are a phpdbg -measurement artifact (the code executes); the other thirteen are defensive +The 24 unreached lines are all accounted for below. Twelve are a phpdbg +measurement artifact (the code executes); the other twelve are defensive guards that the public entry points cannot reach. Effective coverage of -reachable code is **388 / 401 = 96.8%**. +reachable code is **396 / 408 = 97.1%**. + +(Executable-line totals grew from 401 to 408 with the EOF-escape and +EOF-auto-close changes; two parser-matcher EOF guards that used to be +unreachable defensive lines are now genuinely exercised — see below.) ## phpdbg `case`-label artifact (12 lines — code executes) @@ -32,17 +36,17 @@ lexbor differential + self-check confirm the corresponding behavior). These are not real gaps: - `class-wp-css-attribute-selector.php` - - 287, 291, 295, 299, 303 — the `~= |= ^= $= *=` matcher operators. - - 330, 331, 336, 337 — the `i`/`I`/`s`/`S` case modifiers. + - 309, 313, 317, 321, 325 — the `~= |= ^= $= *=` matcher operators. + - 350, 351, 356, 357 — the `i`/`I`/`s`/`S` case modifiers. - `class-wp-css-compound-selector.php` - 120, 122, 124 — the `.` / `#` / `[` subclass-selector dispatch. -## Defensive guards unreachable from the public API (13 lines) +## Defensive guards unreachable from the public API (12 lines) These are internal precondition checks that the calling code already guarantees, or branches for grammar the parser never emits: -- `class-wp-css-attribute-selector.php:257` — `return null` when the first +- `class-wp-css-attribute-selector.php:282` — `return null` when the first byte is not `[`. `parse()` is only ever called by `parse_subclass_selector()` *after* it has matched `[`, so the guard never fires. @@ -54,23 +58,31 @@ guarantees, or branches for grammar the parser never emits: processor is not on a `#tag` token. `select()` only invokes matching while positioned on a tag; reachable only by calling `matches()` directly off a non-tag token. -- `class-wp-css-selector-parser-matcher.php:130` — `parse_string()` EOF - guard; every caller checks bounds and the opening quote before calling. -- `class-wp-css-selector-parser-matcher.php:429` — - `check_if_three_code_points_would_start_an_ident_sequence()` EOF guard; - callers bound-check first. +- `class-wp-css-selector-parser-matcher.php:351` — + `next_two_are_valid_escape()` EOF guard; every caller either bound-checks + first or only calls it on a known backslash byte. - `class-wp-css-type-selector.php:45` — `return false` when `get_tag()` is null during matching; matching only runs on resolved element tokens. - `class-wp-css-type-selector.php:75` — `parse()` EOF guard; the compound parser checks `offset < strlen` before calling. +Two guards documented here in earlier revisions are now genuinely covered: +the `parse_string()` EOF guard and the +`check_if_three_code_points_would_start_an_ident_sequence()` EOF guard are +both reached since EOF auto-close lets `[a=` call the value parsers at the +end of input. + ## Notes on what raised coverage - The `edge-escape` bucket drives the U+FFFD escape-decoder branch (`consume_escaped_codepoint` for NUL / surrogate / over-max codepoints) and the `normalize_selector_input` NUL→U+FFFD and CR/CRLF/FF→LF paths, - which the structural generators cannot reach. -- A few `invalid`-bucket templates (`[ a`, `[a="x\`, `a.`) were added to reach + which the structural generators cannot reach. Its `eof-escape` kind covers + the backslash-at-end-of-input → U+FFFD decode, and its `eof-truncated` + kind covers the EOF auto-close paths in the attribute parser, including + unterminated strings (with and without a trailing "do nothing" backslash, + which keeps the `parse_string` backslash-at-EOF arm exercised). +- A few `invalid`-bucket templates (`[a=`, `[a~`, `[a="bc`, `a.`) reach attribute / string / class parse guards that random structural generation rarely lands on. With them the per-file numbers above are **deterministic** at the documented 3000-seed window (e.g. `class-wp-css-class-selector.php` diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index af2ba87eca8cd..4bcf41dc07c78 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -40,6 +40,15 @@ > invalid-bucket entry became `\` (still invalid), and `edge-escape` > gained an `eof-escape` kind covering `.name\` / `#name\` / `name\`. > +> **Candidate finding 5 (recorded 2026-06-10, low severity, not fixed):** +> the attribute-selector case modifier is matched byte-wise (`i`/`I`/`s`/`S` +> literals), so an *escaped* modifier ident like `[a=b \69]` (tokenizes to +> the ident `i`) is rejected. Per the Selectors-4 grammar ` = +> i | s` these are ident tokens, so escapes should arguably be accepted — +> but browsers are themselves inconsistent (Chromium accepts `[a=b \69]` +> and rejects `[a=b \73]`). Fail-safe refusal, not a mis-match; revisit only +> if the matcher ever moves to token-level parsing. +> > **Session decisions (2026-06-10):** EOF-truncated selectors (`div[a=b`) > will be made spec-conformant — CSS Syntax auto-closes open blocks at EOF — > rather than documented as an intentional rejection. HTML's default diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index 54aa761781c5b..82fe2b5745b0b 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -545,13 +545,69 @@ private function pick_name( string $pool_key ): string { private function gen_edge_escape(): array { $kind = $this->prng->weighted( array( - 'fffd-ident' => 40, - 'eof-escape' => 20, - 'nul-input' => 20, - 'ws-input' => 20, + 'fffd-ident' => 35, + 'eof-escape' => 20, + 'eof-truncated' => 15, + 'nul-input' => 15, + 'ws-input' => 15, ) ); + if ( 'eof-truncated' === $kind ) { + /* + * The end of input auto-closes an unterminated attribute selector + * block ( and an unterminated string inside it ): `[a=b` is the + * same selector as `[a=b]`. + * + * https://www.w3.org/TR/css-syntax-3/#consume-simple-block + */ + $matcher = $this->prng->choice( array( null, 'exact', 'one-of', 'exact-or-hyphen-suffixed', 'prefixed', 'suffixed', 'contains' ) ); + $value = null === $matcher ? null : $this->prng->choice( array( 'v' . $this->prng->int( 0, 99 ), 'a b', '', 'x,y', "caf\u{E9}" ) ); + $modifier = null !== $matcher && $this->prng->chance( 30 ) + ? $this->prng->choice( array( 'case-insensitive', 'case-sensitive' ) ) + : null; + $compound = array( + 'type' => $this->prng->chance( 50 ) ? 'div' : null, + 'subs' => array( + array( + 'kind' => 'attr', + 'name' => 'a' . $this->prng->int( 0, 99 ), + 'matcher' => $matcher, + 'value' => $value, + 'modifier' => $modifier, + ), + ), + ); + + // The attribute selector is the final rendered unit, so the render always ends with ']'. + $rendered = $this->render_compound( $compound ); + $truncated = substr( $rendered, 0, -1 ); + + // Sometimes also drop a closing string quote: EOF terminates the string, then closes the block. + $last_byte = substr( $truncated, -1 ); + if ( ( '"' === $last_byte || "'" === $last_byte ) && $this->prng->chance( 50 ) ) { + $truncated = substr( $truncated, 0, -1 ); + + // A backslash at the end of an unterminated string "does nothing": the value is unchanged. + if ( $this->prng->chance( 40 ) ) { + $truncated .= '\\'; + } + } + + return array( + 'bucket' => 'edge-escape', + 'selector' => $truncated, + 'expectCompound' => true, + 'expectComplex' => true, + 'ast' => array( + array( + 'context' => array(), + 'self' => $compound, + ), + ), + ); + } + if ( 'eof-escape' === $kind ) { /* * A backslash at the end of input is a valid escape ( EOF is not @@ -1333,23 +1389,29 @@ private function gen_invalid(): string { '. x', '..a', '.#a', - '[a', - '[ a', + /* + * EOF auto-closes an open attribute selector block + * ( '[a', '[a=b', '[a="b]', '[a=b i' are valid ), but + * grammar-level truncation is still invalid. + */ '[a=', + '[a= ', + '[a~', + '[a^', '[a=]', - '[a="x\\', '[=b]', '[a==b]', '[a~b]', '[a!=b]', - '[a=b', - '[a="b]', - "[a='b]", "[a=\"b\nc\"]", + "[a=\"b\nc", '[a=b x]', + '[a=b x', '[a=b ix]', - '[a=b i', + '[a=b ix', + '[a=b i x', '[5=b]', + '[5=b', 'a >', '> a', 'a > > b', From a2c21ae9cc746778672afca89ff8aee3aec7a6d7 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Wed, 10 Jun 2026 23:54:44 +0200 Subject: [PATCH 176/187] CSS selector fuzz: mirror the HTML case-insensitive attribute list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Track the core change in the oracle stack: - ReferenceMatcher: independent copy of the 46-name list (the oracle must not share a possible misreading with the implementation under test); attr matching folds when no modifier + html-namespace row + listed name. A new $html_attr_ci flag threads through the matching entry points so the lexbor comparison can model an engine without the rule. - TreeCapture: html-processor rows now carry the element's namespace (svg/math subtrees and foreignObject integration points get correct per-element folding; rows without the field default to html, which matches both the model generator's html-only output and the namespace-blind standalone Tag Processor). - Worker: lexbor does not implement the rule ([rel=NOFOLLOW] fails to match rel="nofollow"); its expectation is now always recomputed with the list disabled, composed with the existing issue-368 quirks fold. Candidate upstream report recorded in NEXT-STEPS.md. - SelectorGenerator: case-flip twists in gen_attr_selector and, more importantly, path_attr_feature — the path-directed bucket pairs attribute name and value from the same real element, so a flipped operand makes the folding rule load-bearing for the mustMatchFid invariant. Mutation-tested: with the core folding branch disabled, a 3000-seed run fires 11 match-mismatch failures (review found the earlier pool-based flip alone was load-bearing in ~1/14k cases). - util: ascii_strtoupper and str_shuffle_case (ASCII-only, multibyte bytes pass through untouched). Review panel: two approvals (spec reviewer machine-diffed both list constants against the live spec; oracle reviewer verified row namespaces against match-time get_namespace() including integration points, the lexbor compensation composition, and util determinism). Gates: self-check OK, suite 1640 green, 5000-seed run clean, fresh 11M-seed-range reviewer run clean. --- tools/css-selector-fuzz/NEXT-STEPS.md | 18 ++++ .../lib/ReferenceMatcher.php | 97 ++++++++++++++++--- .../lib/SelectorGenerator.php | 38 +++++++- tools/css-selector-fuzz/lib/TreeCapture.php | 1 + tools/css-selector-fuzz/lib/Worker.php | 25 +++-- tools/css-selector-fuzz/lib/util.php | 17 ++++ 6 files changed, 170 insertions(+), 26 deletions(-) diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index 4bcf41dc07c78..7cd82c01cce89 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -49,6 +49,24 @@ > and rejects `[a=b \73]`). Fail-safe refusal, not a mis-match; revisit only > if the matcher ever moves to token-level parsing. > +> **HTML case-insensitive attribute value list — IMPLEMENTED (2026-06-10):** +> per https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors +> the values of ~46 listed attributes (`type`, `rel`, `lang`, `dir`, +> `media`, ...) match ASCII case-insensitively on HTML elements when the +> selector has no modifier; an explicit `s` still forces sensitivity, and +> elements outside the html namespace are unaffected. Oracle notes from +> verification: +> - **lexbor does not implement the rule at all** (`[rel=nofollow]` does +> not match `rel="NOFOLLOW"`) — compensated in the differential the same +> way as lexbor #368 (lexbor is compared against the reference run with +> the list disabled); candidate upstream report. +> - **Chromium applies the list to foreign elements too** (`[type=TEXT]` +> matches ``), diverging from the HTML spec's "on an +> HTML element" scoping. WP follows the spec (html namespace only, via +> `get_namespace()`). The standalone Tag Processor has no namespace +> tracking and applies the list to every element — an inherent +> tag-processor approximation, same as its ancestor-blind matching. +> > **Session decisions (2026-06-10):** EOF-truncated selectors (`div[a=b`) > will be made spec-conformant — CSS Syntax auto-closes open blocks at EOF — > rather than documented as an intentional rejection. HTML's default diff --git a/tools/css-selector-fuzz/lib/ReferenceMatcher.php b/tools/css-selector-fuzz/lib/ReferenceMatcher.php index 5acbf9f5d4927..e86aa4e2e990b 100644 --- a/tools/css-selector-fuzz/lib/ReferenceMatcher.php +++ b/tools/css-selector-fuzz/lib/ReferenceMatcher.php @@ -18,7 +18,9 @@ * - Class and ID matching is exact, except in quirks mode where it is * ASCII case-insensitive. * - Attribute value matching is exact (byte-wise) unless the `i` modifier - * requests ASCII case-insensitivity. + * requests ASCII case-insensitivity, or the attribute is in HTML's + * case-insensitive list, the selector has no modifier, and the element + * is in the html namespace (rows without a namespace field are html). * - For `^=`, `$=`, `*=` and `~=`, an empty (or for `~=`, whitespace- * containing) value matches nothing. * @@ -28,18 +30,78 @@ class ReferenceMatcher { const WHITESPACE = " \t\r\n\f"; + /** + * HTML's case-insensitive attribute value list: with no `i`/`s` + * modifier, these attributes' values match ASCII case-insensitively on + * HTML elements. Independent copy — the matcher must not share a + * possible misreading with the implementation under test. + * + * https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors + */ + const HTML_CASE_INSENSITIVE_ATTRIBUTES = array( + 'accept' => true, + 'accept-charset' => true, + 'align' => true, + 'alink' => true, + 'axis' => true, + 'bgcolor' => true, + 'charset' => true, + 'checked' => true, + 'clear' => true, + 'codetype' => true, + 'color' => true, + 'compact' => true, + 'declare' => true, + 'defer' => true, + 'dir' => true, + 'direction' => true, + 'disabled' => true, + 'enctype' => true, + 'face' => true, + 'frame' => true, + 'hreflang' => true, + 'http-equiv' => true, + 'lang' => true, + 'language' => true, + 'link' => true, + 'media' => true, + 'method' => true, + 'multiple' => true, + 'nohref' => true, + 'noresize' => true, + 'noshade' => true, + 'nowrap' => true, + 'readonly' => true, + 'rel' => true, + 'rev' => true, + 'rules' => true, + 'scope' => true, + 'scrolling' => true, + 'selected' => true, + 'shape' => true, + 'target' => true, + 'text' => true, + 'type' => true, + 'valign' => true, + 'valuetype' => true, + 'vlink' => true, + ); + /** * Expected match list for WP_HTML_Processor::select(). * - * @param array $list_ast Canonical complex selector list AST. - * @param array $rows Element rows in visit order, with ancestorTags. - * @param bool $quirks Whether the document parses in quirks mode. + * @param array $list_ast Canonical complex selector list AST. + * @param array $rows Element rows in visit order, with ancestorTags. + * @param bool $quirks Whether the document parses in quirks mode. + * @param bool $html_attr_ci Whether HTML's case-insensitive attribute value + * list applies. True models WP/browsers; false + * models an engine without the rule ( lexbor ). * @return string[] data-fid values in visit order. */ - public static function expected_html_matches_rows( array $list_ast, array $rows, bool $quirks ): array { + public static function expected_html_matches_rows( array $list_ast, array $rows, bool $quirks, bool $html_attr_ci = true ): array { $out = array(); foreach ( $rows as $row ) { - if ( self::list_matches_row( $list_ast, $row, $quirks ) ) { + if ( self::list_matches_row( $list_ast, $row, $quirks, $html_attr_ci ) ) { $out[] = $row['fid']; } } @@ -60,7 +122,7 @@ public static function expected_tag_matches_rows( array $list_ast, array $rows ) foreach ( $rows as $row ) { $matched = false; foreach ( $list_ast as $complex ) { - if ( self::compound_matches( $complex['self'], $row, false ) ) { + if ( self::compound_matches( $complex['self'], $row, false, true ) ) { $matched = true; break; } @@ -82,10 +144,10 @@ public static function expected_tag_processor_matches( array $list_ast, array $m return self::expected_tag_matches_rows( $list_ast, DocumentGenerator::rows_from_model( $model ) ); } - public static function list_matches_row( array $list_ast, array $row, bool $quirks ): bool { + public static function list_matches_row( array $list_ast, array $row, bool $quirks, bool $html_attr_ci = true ): bool { foreach ( $list_ast as $complex ) { if ( - self::compound_matches( $complex['self'], $row, $quirks ) && + self::compound_matches( $complex['self'], $row, $quirks, $html_attr_ci ) && self::explore_context( $complex['context'], $row['ancestorTags'] ) ) { return true; @@ -127,12 +189,12 @@ private static function explore_context( array $context, array $ancestor_tags ): return false; } - public static function compound_matches( array $compound, array $row, bool $quirks ): bool { + public static function compound_matches( array $compound, array $row, bool $quirks, bool $html_attr_ci = true ): bool { if ( null !== $compound['type'] && ! self::type_matches( $compound['type'], $row['tag'] ) ) { return false; } foreach ( (array) $compound['subs'] as $sub ) { - if ( ! self::sub_matches( $sub, $row, $quirks ) ) { + if ( ! self::sub_matches( $sub, $row, $quirks, $html_attr_ci ) ) { return false; } } @@ -143,14 +205,14 @@ private static function type_matches( string $type, string $tag ): bool { return '*' === $type || ascii_strtolower( $type ) === ascii_strtolower( $tag ); } - private static function sub_matches( array $sub, array $row, bool $quirks ): bool { + private static function sub_matches( array $sub, array $row, bool $quirks, bool $html_attr_ci ): bool { switch ( $sub['kind'] ) { case 'class': return self::class_matches( $sub['name'], $row, $quirks ); case 'id': return self::id_matches( $sub['name'], $row, $quirks ); case 'attr': - return self::attr_matches( $sub, $row ); + return self::attr_matches( $sub, $row, $html_attr_ci ); } return false; } @@ -201,7 +263,7 @@ private static function id_matches( string $wanted, array $row, bool $quirks ): : $id === $wanted; } - private static function attr_matches( array $sub, array $row ): bool { + private static function attr_matches( array $sub, array $row, bool $html_attr_ci ): bool { $attr_value = DocumentGenerator::get_attribute_value( $row, $sub['name'] ); if ( null === $attr_value ) { return false; @@ -214,7 +276,12 @@ private static function attr_matches( array $sub, array $row ): bool { } $wanted = (string) $sub['value']; - $case_insensitive = 'case-insensitive' === $sub['modifier']; + $case_insensitive = 'case-insensitive' === $sub['modifier'] || ( + $html_attr_ci && + null === $sub['modifier'] && + 'html' === ( $row['namespace'] ?? 'html' ) && + isset( self::HTML_CASE_INSENSITIVE_ATTRIBUTES[ ascii_strtolower( $sub['name'] ) ] ) + ); if ( $case_insensitive ) { $attr_value = ascii_strtolower( $attr_value ); $wanted = ascii_strtolower( $wanted ); diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index 82fe2b5745b0b..1f3a8fa2e89c2 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -423,11 +423,29 @@ private function gen_attr_selector(): array { ) ); + $value = $this->gen_attr_value(); + + /* + * HTML's case-insensitive attribute value list: with no modifier, + * the values of listed attributes ( type, rel, lang, dir, ... ) + * match ASCII case-insensitively on HTML elements. Sometimes flip + * the case of the selector value for a listed attribute so the + * differential exercises that rule rather than relying on sampled + * values happening to differ in case. + */ + if ( + '' === $modifier && + isset( ReferenceMatcher::HTML_CASE_INSENSITIVE_ATTRIBUTES[ ascii_strtolower( $name ) ] ) && + $this->prng->chance( 40 ) + ) { + $value = $this->prng->chance( 50 ) ? ascii_strtoupper( $value ) : str_shuffle_case( $value, $this->prng ); + } + return array( 'kind' => 'attr', 'name' => $name, 'matcher' => $matcher, - 'value' => $this->gen_attr_value(), + 'value' => $value, 'modifier' => '' === $modifier ? null : $modifier, ); } @@ -838,7 +856,7 @@ private function path_compound_for( array $element ): array { continue; } $seen_attrs[ $lower ] = true; - $features[] = $this->path_attr_feature( $lower, $attr[1] ); + $features[] = $this->path_attr_feature( $lower, $attr[1], 'html' === ( $element['namespace'] ?? 'html' ) ); } $subs = array(); @@ -864,7 +882,7 @@ private function path_compound_for( array $element ): array { } /** An attribute selector that the (name, value) pair satisfies. */ - private function path_attr_feature( string $name, $value ): array { + private function path_attr_feature( string $name, $value, bool $is_html_namespace = true ): array { $presence = array( 'kind' => 'attr', 'name' => $this->prng->chance( 15 ) ? $this->random_case( $name ) : $name, @@ -933,6 +951,20 @@ private function path_attr_feature( string $name, $value ): array { } else { $modifier = 'case-sensitive'; } + } elseif ( + $is_html_namespace && + isset( ReferenceMatcher::HTML_CASE_INSENSITIVE_ATTRIBUTES[ $name ] ) && + $this->prng->chance( 50 ) + ) { + /* + * HTML's case-insensitive attribute value list: with no modifier + * the flipped operand still satisfies the (name, value) pair on + * an html-namespace element, which makes the folding rule + * load-bearing for the mustMatchFid invariant — name and value + * here come from the same real element, unlike the independent + * pools in gen_attr_selector. + */ + $operand = $this->random_case( $operand ); } return array( diff --git a/tools/css-selector-fuzz/lib/TreeCapture.php b/tools/css-selector-fuzz/lib/TreeCapture.php index 616a3ff65ba76..2350db024c8ad 100644 --- a/tools/css-selector-fuzz/lib/TreeCapture.php +++ b/tools/css-selector-fuzz/lib/TreeCapture.php @@ -67,6 +67,7 @@ public static function capture( string $html, ?string $context = null ): array { 'fid' => self::fid_of( $processor ), 'attrs' => self::attrs_of( $processor ), 'ancestorTags' => array_reverse( $breadcrumbs ), + 'namespace' => $processor->get_namespace(), ); } diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index 5bb607a032c58..ed3a9c7fa24d2 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -785,15 +785,24 @@ private static function check_lexbor_differential( array $complex_ast, string $s } /* - * lexbor #368: class/#id match ASCII case-insensitively even in - * no-quirks documents. Compare lexbor against the reference run - * with quirks-style class/ID folding ( the only thing the flag - * affects ) so the rest of the semantics still get differential - * coverage; WP itself is still held to the strict expectation. + * Two known lexbor deviations are compensated for so the rest of the + * semantics still get differential coverage; WP itself is still held + * to the strict expectation: + * + * - lexbor #368: class/#id match ASCII case-insensitively even in + * no-quirks documents. Compare lexbor against the reference run + * with quirks-style class/ID folding. + * - lexbor does not implement HTML's case-insensitive attribute + * value list ( [rel=NOFOLLOW] does not match rel="nofollow" ), + * where browsers and WP do. Compare lexbor against the reference + * run with that list disabled. */ - $expected_for_lexbor = LexborOracle::has_issue_368() - ? ReferenceMatcher::expected_html_matches_rows( $complex_ast, $rows, true ) - : $expected; + $expected_for_lexbor = ReferenceMatcher::expected_html_matches_rows( + $complex_ast, + $rows, + LexborOracle::has_issue_368() ? true : $quirks, + false + ); // lexbor reports in document order, WP/reference in visit order — // compare as multisets. diff --git a/tools/css-selector-fuzz/lib/util.php b/tools/css-selector-fuzz/lib/util.php index 6fe6662a6a3b8..d70d5cff9bae1 100644 --- a/tools/css-selector-fuzz/lib/util.php +++ b/tools/css-selector-fuzz/lib/util.php @@ -137,6 +137,23 @@ function ascii_strtolower( string $input ): string { return strtr( $input, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz' ); } +function ascii_strtoupper( string $input ): string { + return strtr( $input, 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' ); +} + +/** Flips the case of each ASCII letter independently with 50% probability. */ +function str_shuffle_case( string $input, Prng $prng ): string { + $out = ''; + for ( $i = 0; $i < strlen( $input ); $i++ ) { + $byte = $input[ $i ]; + if ( $prng->chance( 50 ) ) { + $byte = ctype_lower( $byte ) ? ascii_strtoupper( $byte ) : ascii_strtolower( $byte ); + } + $out .= $byte; + } + return $out; +} + /** * Splits a valid UTF-8 string into codepoints. * From 892b0e9d5ff7cda72841f7746ea55f94e47e7bc2 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 00:08:19 +0200 Subject: [PATCH 177/187] CSS selector fuzz: draft two more upstream lexbor reports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Issues 4 and 5, both surfaced while verifying the WP conformance fixes against lexbor and both re-verified directly against the harness: 4. EOF does not auto-close an open attribute selector block: '[att=val' is a parse error where CSS Syntax §5.4.8 returns the block ('[att=val]') and Chrome accepts it. Controls confirm grammar-level truncation ('[att=', '[') is correctly rejected and escape-at-EOF ('.foo\' -> foo U+FFFD) already works — the gap is specifically the simple-block auto-close. 5. HTML's case-insensitive attribute value list is not implemented: '[rel=nofollow]' does not match rel="NOFOLLOW" where the HTML spec and Chrome fold the 46 listed attributes' values. Controls confirm explicit i/s modifiers and unlisted attributes behave. Includes the namespace-scoping caveat (spec scopes to HTML elements; Chrome folds SVG too). Both are compensated for in this fuzzer's differential (issue 4 never reaches lexbor because the differential compares canonical re-renders; issue 5 is compensated like #368 by comparing lexbor against the reference run with the list disabled). Same filing-agent protocol as issues 1-3: re-verify at master, dedupe, one self-contained C repro per issue. --- .../lexbor/UPSTREAM-ISSUES.md | 86 ++++++++++++++++++- 1 file changed, 82 insertions(+), 4 deletions(-) diff --git a/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md b/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md index 8ebf17484b095..9ec23e414dcfa 100644 --- a/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md +++ b/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md @@ -1,9 +1,10 @@ # lexbor — draft upstream bug reports -Three spec-conformance bugs in liblexbor's CSS selectors support, found while +Five spec-conformance bugs in liblexbor's CSS selectors support, found while using lexbor as a differential oracle for the WordPress HTML-API CSS selector -fuzzer (`tools/css-selector-fuzz/`). All three were re-verified directly -against the harness on 2026-06-10. +fuzzer (`tools/css-selector-fuzz/`). Issues 1–3 were re-verified directly +against the harness on 2026-06-10; issues 4–5 surfaced during the WP +conformance-fix session and were re-verified on 2026-06-11. - **Pinned version:** lexbor v3.0.0 (`2ae88a1c6b52`), built by `tools/css-selector-fuzz/lexbor/build.sh`. @@ -20,7 +21,9 @@ against the harness on 2026-06-10. the report which commit you tested. 2. **Search for duplicates** before filing (suggested queries: `~=`, `attr-modifier`, `case insensitive modifier`, `ident code point`, - `U+00B7`, `non-ascii`). #368 shows the maintainer's preferred repro style. + `U+00B7`, `non-ascii`, `EOF`, `unclosed`, `simple block`, + `case-insensitive attribute`, `querySelector`). #368 shows the + maintainer's preferred repro style. 3. **One issue per bug.** Reduce each to a self-contained C repro (sketch below); maintainers should not need this repo's harness. 4. Reproduction via this repo (fast path): build the harness @@ -139,3 +142,78 @@ The U+00F7 row is a control: the division sign is correctly NOT an ident code point, so lexbor's boundary is off by exactly the U+00B7 / U+00C0–U+00F6 ranges. Workaround used by this fuzzer: hex-escape all non-ASCII (`\dc ber` parses fine), which is why this surfaces only with raw multibyte selectors. + +## Issue 4 — EOF does not auto-close an open attribute selector block + +Per CSS Syntax Level 3, tokenization auto-closes unterminated simple blocks +at the end of input (a parse error, but the block is returned), and an +unterminated string at EOF returns the string token: + +> \: This is a parse error. Return the block. +> — https://www.w3.org/TR/css-syntax-3/#consume-simple-block (§5.4.8) + +> EOF: This is a parse error. Return the \. +> — https://www.w3.org/TR/css-syntax-3/#consume-string-token (§4.3.5) + +So `[att=val` is the same selector as `[att=val]`, and `[att="a b` carries +the string value `a b`. lexbor reports a selector parse error for every +EOF-truncated attribute selector. Verified at v3.0.0 against +`
` / `
`: + +| selector | lexbor | spec / Chrome 149 | +|-----------------|---------------|-------------------| +| `[att]` | parses ✅ | parses | +| `[att=val]` | parses ✅ | parses | +| `[att` | parse error ❌ | parses, matches | +| `[att=val` | parse error ❌ | parses, matches | +| `[att="a b` | parse error ❌ | parses, matches | +| `[att=val i` | parse error ❌ | parses, matches | +| `div[att` | parse error ❌ | parses, matches | +| `[att=` | parse error ✅ | error (grammar) | +| `[att~` | parse error ✅ | error (grammar) | +| `[` | parse error ✅ | error (grammar) | +| `[att=val, div` | parse error ✅ | error (comma is inside the open block) | + +The last four rows are controls: truncation inside the selector *grammar* +(matcher without value, lone bracket) is invalid even after auto-close, and +lexbor correctly rejects those. Chrome 149 (`document.querySelectorAll`) +accepts and rejects exactly per the table (verified 2026-06-10 via +Playwright). Note lexbor's escape handling at EOF is fine — `.foo\` parses +as class `foo\u{FFFD}` per §4.3.7 — the gap is specifically the simple-block +auto-close. + +## Issue 5 — HTML's case-insensitive attribute value list not implemented + +HTML defines 46 attributes (`type`, `rel`, `lang`, `dir`, `media`, +`hreflang`, `http-equiv`, ...) whose values must match ASCII +case-insensitively in attribute selectors on an HTML element when the +selector has no `i`/`s` modifier: + +> Attribute selectors on an HTML element in an HTML document must treat the +> values of attributes with the following names as ASCII case-insensitive: … +> — https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors + +lexbor matches all attribute values case-sensitively unless the selector +carries an explicit `i`. Verified at v3.0.0 against +`` (`e1`), `` (`e2`), +`` (`e3`): + +| selector | lexbor | spec / Chrome 149 | +|--------------------|--------------|-------------------| +| `[rel=nofollow]` | `e2` only ❌ | `e1` and `e2` | +| `[rel=NOFOLLOW]` | `e1` only ❌ | `e1` and `e2` | +| `[rel=nofollow i]` | `e1`, `e2` ✅ | `e1` and `e2` | +| `[rel=nofollow s]` | `e2` only ✅ | `e2` only | +| `[data-x=abc]` | no match ✅ | no match (unlisted attribute) | + +The last three rows are controls: explicit modifiers work, and attributes +outside the list stay case-sensitive. Chrome 149 agrees with the spec column +(verified 2026-06-10 via Playwright), with one scoping caveat the report +should mention: the spec restricts the rule to elements in the HTML +namespace, but Chrome also folds on SVG-namespace elements +(`` matches `[type=TEXT]`), so an implementation true +to the spec letter would scope by element namespace. This may be framed as +a feature request rather than a bug if lexbor considers document-language +selector rules out of scope for its selectors module — but lexbor is an +HTML engine and browsers uniformly implement the folding, so matching +against HTML documents diverges from every browser without it. From 485af4b79ddd7660aab1667d96b0e02b96f16953 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 00:11:01 +0200 Subject: [PATCH 178/187] CSS selector fuzz: bring NEXT-STEPS status up to date - Add the missing IMPLEMENTED entry for EOF auto-close (the session decision block still said 'will be made spec-conformant'). - Record the invalid-UTF-8 escape-decode wart both review panels flagged ('\' + invalid byte decodes to mb_substitute_character, '?', instead of U+FFFD) and tie it to the open handoff item 5 contract decision. - Point the lexbor gaps at their now-drafted UPSTREAM-ISSUES.md entries (issues 4 and 5) instead of 'candidate upstream report'. - Note the mutation-test result for the path-directed case-flip and the two minor review leftovers (namespace-defaulting dead helpers, s-modifier differential coverage). - Fix the stale repo-state paragraph (the tooling has been committed on this branch since 2026-06-10) and list what remains open. --- tools/css-selector-fuzz/NEXT-STEPS.md | 61 ++++++++++++++++++++++----- 1 file changed, 50 insertions(+), 11 deletions(-) diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index 7cd82c01cce89..d5551395382fe 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -49,6 +49,28 @@ > and rejects `[a=b \73]`). Fail-safe refusal, not a mis-match; revisit only > if the matcher ever moves to token-level parsing. > +> **EOF auto-close for attribute selectors — IMPLEMENTED (2026-06-10):** +> per CSS Syntax 3 §5.4.8/§4.3.5, the end of input closes an unterminated +> simple block (and an unterminated string), so `[att=val`, `[att`, +> `[att="a b`, and `[att=val i` are valid selectors; grammar-level +> truncations (`[`, `[a=`, `[a~`, `[a=b, div`) stay invalid. Verified +> against Chromium form-by-form, including an exhaustive per-byte +> truncation table in review. lexbor rejects all EOF-truncated forms +> (drafted as `lexbor/UPSTREAM-ISSUES.md` issue 4); the differential is +> unaffected because it compares canonical re-renders. Fuzzer gained an +> `eof-truncated` edge-escape kind and the invalid corpus was reshuffled +> along the new validity boundary; COVERAGE.md regenerated. +> +> **Escape decode of invalid UTF-8 bytes (recorded 2026-06-10, not fixed):** +> `\` followed by an invalid UTF-8 byte decodes through `mb_substr()`'s +> substitution character — `?` by default — instead of U+FFFD +> (`consume_escaped_codepoint()`, identity-escape arm). Pre-existing, +> byte-identical before/after the EOF fixes; flagged independently by both +> review panels. Belongs to the open invalid-UTF-8 input policy decision +> (handoff item 5): per spec, input preprocessing operates on decoded code +> points, so byte-level decode errors should arguably become U+FFFD before +> tokenization rather than leak `mb_substitute_character`. +> > **HTML case-insensitive attribute value list — IMPLEMENTED (2026-06-10):** > per https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors > the values of ~46 listed attributes (`type`, `rel`, `lang`, `dir`, @@ -59,7 +81,16 @@ > - **lexbor does not implement the rule at all** (`[rel=nofollow]` does > not match `rel="NOFOLLOW"`) — compensated in the differential the same > way as lexbor #368 (lexbor is compared against the reference run with -> the list disabled); candidate upstream report. +> the list disabled); drafted as `lexbor/UPSTREAM-ISSUES.md` issue 5. +> - The case-flip generator twist in `path_attr_feature` makes the folding +> load-bearing for `mustMatchFid` (mutation-tested: disabling the core +> branch fires 11 failures in 3000 seeds). Minor leftovers from review: +> the unused `expected_*_processor_matches` back-compat helpers in +> `ReferenceMatcher` silently default rows to the html namespace — fine +> today (the safe model generator emits no foreign content) but a trap +> for a future caller; and `s`-forces-sensitivity only gets differential +> coverage when sampled values happen to differ in case (pinned by unit +> tests instead). > - **Chromium applies the list to foreign elements too** (`[type=TEXT]` > matches ``), diverging from the HTML spec's "on an > HTML element" scoping. WP follows the spec (html namespace only, via @@ -67,18 +98,26 @@ > tracking and applies the list to every element — an inherent > tag-processor approximation, same as its ancestor-blind matching. > -> **Session decisions (2026-06-10):** EOF-truncated selectors (`div[a=b`) -> will be made spec-conformant — CSS Syntax auto-closes open blocks at EOF — -> rather than documented as an intentional rejection. HTML's default -> case-insensitive attribute value list will be implemented (no-modifier + -> html-namespace + listed attribute; explicit `s` keeps forcing -> case-sensitivity). Grammar-level truncations (`[`, `[a=`, `div >`, `div,`) -> stay invalid — browsers reject those too. No Trac tickets for any of this. +> **Session decisions (2026-06-10, both since implemented — see the +> IMPLEMENTED entries above):** EOF-truncated selectors (`div[a=b`) are +> spec-conformant (CSS Syntax auto-closes open blocks at EOF) rather than +> documented as an intentional rejection. HTML's default case-insensitive +> attribute value list is implemented (no-modifier + html-namespace + +> listed attribute; explicit `s` keeps forcing case-sensitivity). +> Grammar-level truncations (`[`, `[a=`, `div >`, `div,`) stay invalid — +> browsers reject those too. No Trac tickets for any of this. +> +> **Still open from the original follow-up list:** the O(1) identity-escape +> decode (perf only, do only if asked) and the invalid-UTF-8 input policy +> (contract decision; see the escape-decode note above), plus the tooling +> items in this file's hardening notes (self-check decoupling, class-NUL +> injection, vacuous-assertion rate, quirks-mode single-oracle gap). Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch -`html-css-fuzz` @ `6ebbcc2fe4` (trunk + merged `html-api/add-css-selector-parser`). -PHP 8.4.21. Everything under `tools/css-selector-fuzz/` is untracked; nothing -committed. `/artifacts` is gitignored (runner output lives there). +`html-css-fuzz` (trunk + merged `html-api/add-css-selector-parser`). +PHP 8.4.21. The fuzzer and all fixes are committed on this branch +(`CSS selector:` / `CSS selector fuzz:` prefixed commits). `/artifacts` is +gitignored (runner output lives there). ## Measured weaknesses driving this plan From 232a1240bf9f458e1fbd8f8464db3bfd3ae8cb6b Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 10:48:31 +0200 Subject: [PATCH 179/187] CSS selector fuzz: record O(1) identity-escape decode as implemented Move the perf follow-up out of the still-open list and record the outcome: _wp_scan_utf8-based in-place sizing, byte-identical behavior (74M differential cases), linear scaling, and the deliberately-kept quadratic mb_substr fallback for escaped invalid bytes pending the invalid-UTF-8 policy decision. --- tools/css-selector-fuzz/NEXT-STEPS.md | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index d5551395382fe..b4c38885ffa07 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -107,11 +107,28 @@ > Grammar-level truncations (`[`, `[a=`, `div >`, `div,`) stay invalid — > browsers reject those too. No Trac tickets for any of this. > -> **Still open from the original follow-up list:** the O(1) identity-escape -> decode (perf only, do only if asked) and the invalid-UTF-8 input policy -> (contract decision; see the escape-decode note above), plus the tooling -> items in this file's hardening notes (self-check decoupling, class-NUL -> injection, vacuous-assertion rate, quirks-mode single-oracle gap). +> **O(1) identity-escape decode — IMPLEMENTED (2026-06-11, perf only):** +> `consume_escaped_codepoint()`'s identity arm no longer copies the input +> tail per escape (`mb_substr( substr( … ) )`); it sizes the code point in +> place with `_wp_scan_utf8( $input, $at, $invalid_length, 4, 1 )` +> (`compat-utf8.php`, WP 6.9). 200KB all-escape selector: 180 ms → 45 ms, +> scaling now linear (47/90/180 ms at 200/400/800KB; previously ~4× per +> doubling). Behavior is byte-identical by construction: escapes of +> *invalid* UTF-8 still fall through to the literal old `mb_substr()` line +> (re-verified ~74M differential cases, 0 mismatches, including non-default +> `mb_substitute_character` settings), so the open invalid-UTF-8 policy +> decision is untouched — and that fallback path remains quadratic for +> selectors made of escaped invalid bytes (accepted; developer-supplied +> input). Caution recorded in-code: `_wp_utf8_codepoint_span()` looks like +> the natural helper but passes `max_bytes = null`, making its ASCII +> fast-path O(tail) per call — quadratic again. Escape pin coverage grew to +> 14 cases (2/3/4-byte chars incl. at-EOF, NUL, each invalid-byte class). +> +> **Still open from the original follow-up list:** the invalid-UTF-8 input +> policy (contract decision; see the escape-decode note above), plus the +> tooling items in this file's hardening notes (self-check decoupling, +> class-NUL injection, vacuous-assertion rate, quirks-mode single-oracle +> gap). Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch `html-css-fuzz` (trunk + merged `html-api/add-css-selector-parser`). From 9c2cb64d5e338699ed30af567016927cb614b860 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 11:46:05 +0200 Subject: [PATCH 180/187] CSS selector fuzz: note the canary red suite for the UTF-8 policy item The invalid-UTF-8 escape-decode note now points at the mb_substitute_character canary fixture and pins landed in wpCssSelectorParserMatcher.php, which serve as the ready-made red suite for the item-5 U+FFFD fix. --- tools/css-selector-fuzz/NEXT-STEPS.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index b4c38885ffa07..5b79201125cf1 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -69,7 +69,12 @@ > review panels. Belongs to the open invalid-UTF-8 input policy decision > (handoff item 5): per spec, input preprocessing operates on decoded code > points, so byte-level decode errors should arguably become U+FFFD before -> tokenization rather than leak `mb_substitute_character`. +> tokenization rather than leak `mb_substitute_character`. A red suite for +> the fix is in place (2026-06-11): `wpCssSelectorParserMatcher.php` pins +> `mb_substitute_character()` to a U+2603 canary in set_up()/tear_down(), +> and its seven invalid-byte escape pins (plus a dedicated offset-overrun +> test) assert the leak's damage — swallowed characters, offset past end +> of input. Decoding to U+FFFD per maximal subpart flips every one. > > **HTML case-insensitive attribute value list — IMPLEMENTED (2026-06-10):** > per https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors From ec99a9f893cd4498704675bfdcf8817794414609 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 18:08:11 +0200 Subject: [PATCH 181/187] CSS selector fuzz: Model the scrub notice in the worker invariants MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The core scrub change makes from_selectors() report _doing_it_wrong() once per parse of an invalid-UTF-8 selector. The worker's notice invariants assumed zero notices for parseable selectors and exactly two for unparseable ones; the chaos/mutated buckets organically produce invalid-UTF-8 selectors, so a 5000-seed run failed 108 cases against the new core behavior (94 doing-it-wrong-unexpected, 12 doing-it-wrong-missing, 2 case-determinism). Worker changes: - flush_select_parse_caches(): both select() implementations memoize the most recently parsed selector string in a function static, so whether a call re-parses — and therefore whether the parse-time scrub notice fires — depended on worker history, breaking the case-determinism re-run. Parsing a sentinel (#-fuzz-cache-flush-) through both processors before each notice-assertion window makes exactly one parse happen inside it. The flush works even for unparseable sentinels (the cache assigns before the null check) and precedes reset_doing_it_wrong(), so it cannot pollute recordings. - check_select_matches() expects exactly one scrub notice — named WP_CSS_Compound_Selector_List::from_selectors for the tag target, WP_CSS_Complex_Selector_List::from_selectors for html — iff wp_is_valid_utf8() rejects the selector string, and nothing else. Review verified the predicate is exactly equivalent to "the scrub changed the input" (exhaustive 1-2-byte strings plus 2M random). - check_select_rejection() expects the two per-call select() notices (those fire on cache hits too) plus one leading scrub notice for invalid-UTF-8 selectors, order- and name-exact via notices_match(). Stale comments updated now that parsed ASTs are valid UTF-8 by construction: Metamorph's variants() guard and the lexbor differential's skipped-utf8 state are kept as defense in depth (a nonzero skipped-utf8 tally now indicates a normalization bypass), and the invariant glossary describes the expected-set semantics. NEXT-STEPS.md: the invalid-UTF-8 policy item is resolved as scrub (decision history, the linked value-getter pin obligation, the optional parse()-visibility follow-up); the O(1) decode entry notes its mb_substr() fallback was since removed; the still-open list points at the deferred coverage work (dedicated invalid-UTF-8 generator bucket, raw-byte mutation class, explicit lexbor probe — handoff drafted) and records that the chaos/mutated buckets already exercise the scrub organically, with lexbor agreeing across clean 5000- and 10000-seed runs. Gates: self-check OK, 5000 seeds 0 failures, plus independent reviewer runs (2x2000 determinism-checked, 8000 additional seeds, all clean). --- tools/css-selector-fuzz/NEXT-STEPS.md | 61 ++++++++---- tools/css-selector-fuzz/lib/Metamorph.php | 10 +- tools/css-selector-fuzz/lib/Worker.php | 108 ++++++++++++++++++++-- 3 files changed, 146 insertions(+), 33 deletions(-) diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index 5b79201125cf1..b84ec6130f47a 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -61,20 +61,36 @@ > `eof-truncated` edge-escape kind and the invalid corpus was reshuffled > along the new validity boundary; COVERAGE.md regenerated. > -> **Escape decode of invalid UTF-8 bytes (recorded 2026-06-10, not fixed):** -> `\` followed by an invalid UTF-8 byte decodes through `mb_substr()`'s -> substitution character — `?` by default — instead of U+FFFD -> (`consume_escaped_codepoint()`, identity-escape arm). Pre-existing, -> byte-identical before/after the EOF fixes; flagged independently by both -> review panels. Belongs to the open invalid-UTF-8 input policy decision -> (handoff item 5): per spec, input preprocessing operates on decoded code -> points, so byte-level decode errors should arguably become U+FFFD before -> tokenization rather than leak `mb_substitute_character`. A red suite for -> the fix is in place (2026-06-11): `wpCssSelectorParserMatcher.php` pins -> `mb_substitute_character()` to a U+2603 canary in set_up()/tear_down(), -> and its seven invalid-byte escape pins (plus a dedicated offset-overrun -> test) assert the leak's damage — swallowed characters, offset past end -> of input. Decoding to U+FFFD per maximal subpart flips every one. +> **Invalid-UTF-8 input policy — IMPLEMENTED as scrub (2026-06-11):** +> selector strings are UTF-8 text; `normalize_selector_input()` now decodes +> the byte stream first via `wp_scrub_utf8()` (WP 6.9, maximal-subpart +> U+FFFD replacement, matching the WHATWG decoder CSS Syntax §3.2 invokes), +> and reports a `_doing_it_wrong()` (named `::from_selectors`) when +> the input changed. The `mb_substitute_character()` leak in +> `consume_escaped_codepoint()` is gone structurally: the identity arm's +> `mb_substr()` fallback is replaced by "consume the maximal subpart the +> `_wp_scan_utf8()` scan already reported, return one U+FFFD" — reachable +> only via direct `parse()` calls with un-normalized input, and consistent +> with the scrub when it is. Decision history: reject (`wp_is_valid_utf8()` +> → null) and raw passthrough were rejected after a three-persona +> adversarial panel; scrub is the unique option stable under both the +> current raw value getters and their likely scrubbed future. The U+2603 +> canary in `wpCssSelectorParserMatcher.php` set_up() is retained +> permanently — its job inverted from documenting the leak to proving +> setting-independence. Worker.php learned the notice contract (scrub +> notice expected iff `!wp_is_valid_utf8(selector)`) and flushes the +> `select()` parse caches before each notice-assertion window so the +> once-per-parse notice is deterministic under case re-runs. +> **Linked obligation:** the select-level pin +> `test_select_scrubbed_selector_does_not_match_raw_invalid_document_bytes` +> documents that scrubbed selectors cannot match raw invalid document +> bytes; if the HTML API value getters (`get_attribute()`, `class_list()`, +> …) are ever changed to scrub their return values, that case flips to a +> match and the pin must be updated in the same change. +> **Optional follow-up:** tightening the `parse()` prototype from public to +> protected (the classes are `@access private`) would make un-normalized +> input structurally impossible and let the defensive escape arm be +> deleted. > > **HTML case-insensitive attribute value list — IMPLEMENTED (2026-06-10):** > per https://html.spec.whatwg.org/multipage/semantics-other.html#case-sensitivity-of-selectors @@ -128,12 +144,19 @@ > the natural helper but passes `max_bytes = null`, making its ASCII > fast-path O(tail) per call — quadratic again. Escape pin coverage grew to > 14 cases (2/3/4-byte chars incl. at-EOF, NUL, each invalid-byte class). +> (Superseded the same day for invalid bytes: the `mb_substr()` fallback and +> its quadratic tail were removed by the scrub implementation — see the +> invalid-UTF-8 policy entry above.) > -> **Still open from the original follow-up list:** the invalid-UTF-8 input -> policy (contract decision; see the escape-decode note above), plus the -> tooling items in this file's hardening notes (self-check decoupling, -> class-NUL injection, vacuous-assertion rate, quirks-mode single-oracle -> gap). +> **Still open from the original follow-up list:** the tooling items in +> this file's hardening notes (self-check decoupling, class-NUL injection, +> vacuous-assertion rate, quirks-mode single-oracle gap), plus deferred +> fuzzer coverage for the scrub surface (dedicated invalid-UTF-8 generator +> bucket with maximal-subpart AST expectations, raw-byte mutation class, +> explicit lexbor invalid-byte probe — handoff drafted 2026-06-11; note +> the chaos/mutated buckets already produce invalid-UTF-8 selectors +> organically and lexbor agreed with the scrubbed results across a clean +> 5000-seed run). Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch `html-css-fuzz` (trunk + merged `html-api/add-css-selector-parser`). diff --git a/tools/css-selector-fuzz/lib/Metamorph.php b/tools/css-selector-fuzz/lib/Metamorph.php index 44e0e434ff4b2..159d8e8bedd52 100644 --- a/tools/css-selector-fuzz/lib/Metamorph.php +++ b/tools/css-selector-fuzz/lib/Metamorph.php @@ -35,11 +35,11 @@ class Metamorph { */ public static function variants( array $list_ast, Prng $prng ): array { /* - * The WP parser passes raw bytes through: a selector that is not - * valid UTF-8 yields AST names that are not valid UTF-8 (it does - * not substitute U+FFFD). The renderer can only round-trip valid - * UTF-8 names, so such ASTs (only reachable from chaos/mutated - * inputs) are not transformable. + * from_selectors() scrubs invalid UTF-8 to U+FFFD before parsing, so + * parsed AST names are always valid UTF-8 and this guard should be + * unreachable. It stays as defense in depth: the renderer can only + * round-trip valid UTF-8 names, and a future AST source that skips + * normalization would otherwise corrupt the variants silently. */ if ( ! ast_strings_are_utf8( $list_ast ) ) { return array(); diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index ed3a9c7fa24d2..86ad865d50e37 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -22,9 +22,15 @@ * from the reference matcher. * - match-mismatch-tag: WP_HTML_Tag_Processor::select() match set * differs from the reference matcher. - * - doing-it-wrong-unexpected: _doing_it_wrong fired for a selector that parsed. - * - doing-it-wrong-missing: _doing_it_wrong did not fire ( or fired the wrong - * number of times ) for an unparseable selector. + * - doing-it-wrong-unexpected: the _doing_it_wrong calls during matching did + * not equal the expected set ( exactly one scrub + * notice for an invalid-UTF-8 selector, none + * otherwise ). + * - doing-it-wrong-missing: the _doing_it_wrong calls for an unparseable + * selector did not equal the expected set ( one + * select() notice per call, plus one leading + * scrub notice when the selector is invalid + * UTF-8 ). * - select-on-null: select() returned true for an unparseable selector. * - processor-error: the processor entered an error/unsupported state. * - case-determinism: running the full case twice gave different digests. @@ -672,6 +678,33 @@ static function () use ( $target, $selector_string, $html, $context ) { ); } + /** + * Flushes the select() parse caches. + * + * Both select() implementations memoize the most recently parsed selector + * string in a function-static cache, so whether a select() call re-parses + * — and therefore whether parse-time notices ( the invalid-UTF-8 scrub + * notice from from_selectors() ) fire — depends on what the worker + * happened to parse before. Parsing a sentinel selector first makes the + * next select() call for the case selector deterministic: it always + * re-parses, so exactly one parse happens inside each notice-assertion + * window regardless of worker history or case re-runs. + */ + private static function flush_select_parse_caches(): void { + ( new \WP_HTML_Tag_Processor( '' ) )->select( '#-fuzz-cache-flush-' ); + \WP_HTML_Processor::create_full_parser( '' )->select( '#-fuzz-cache-flush-' ); + } + + /** + * The _doing_it_wrong() name under which from_selectors() reports that an + * invalid-UTF-8 selector string was scrubbed to U+FFFD before parsing. + * + * @param string $target 'html' or 'tag'. + */ + private static function scrub_notice_name( string $target ): string { + return ( 'tag' === $target ? 'WP_CSS_Compound_Selector_List' : 'WP_CSS_Complex_Selector_List' ) . '::from_selectors'; + } + /** * Runs a select() loop on a parseable selector and compares the match set * against the reference matcher. @@ -680,6 +713,7 @@ static function () use ( $target, $selector_string, $html, $context ) { * @return string[]|null The actual match set, or null when matching failed. */ private static function check_select_matches( string $target, string $selector_string, array $document, array $expected, callable $record ): ?array { + self::flush_select_parse_caches(); Bootstrap::reset_doing_it_wrong(); list( $actual, $error ) = self::collect_matches( $target, $selector_string, $document ); @@ -695,13 +729,28 @@ private static function check_select_matches( string $target, string $selector_s return null; } + /* + * A selector string containing invalid UTF-8 is scrubbed to U+FFFD by + * from_selectors(), which reports the replacement with exactly one + * notice on the (single, cache-flushed) parse. Anything else is + * unexpected for a selector that parses. + */ + $expected_calls = \wp_is_valid_utf8( $selector_string ) + ? array() + : array( + array( + 'function' => self::scrub_notice_name( $target ), + ), + ); + $doing_it_wrong = Bootstrap::doing_it_wrong_calls(); - if ( array() !== $doing_it_wrong ) { + if ( ! self::notices_match( $expected_calls, $doing_it_wrong ) ) { $record( 'doing-it-wrong-unexpected', array( - 'target' => $target, - 'calls' => $doing_it_wrong, + 'target' => $target, + 'expectedCalls' => $expected_calls, + 'calls' => $doing_it_wrong, ) ); } @@ -754,7 +803,10 @@ private static function check_lexbor_differential( array $complex_ast, string $s * matching semantics, while byte-level parsing (escapes, whitespace, * modifier case — lexbor e.g. rejects uppercase I/S modifiers) is * covered by the AST round-trip and metamorphic invariants. ASTs - * containing invalid UTF-8 cannot be re-rendered and are skipped. + * containing invalid UTF-8 cannot be re-rendered; since + * from_selectors() scrubs input to U+FFFD before parsing, none should + * exist and this skip is defensive ( a nonzero skipped-utf8 tally + * indicates a normalization bypass ). */ if ( ! ast_strings_are_utf8( $complex_ast ) ) { return 'skipped-utf8'; @@ -946,6 +998,7 @@ static function () use ( $variant_list ) { * processor usable, and report misuse exactly once per call. */ private static function check_select_rejection( string $target, string $selector_string, array $document, callable $record ): void { + self::flush_select_parse_caches(); Bootstrap::reset_doing_it_wrong(); $context = ( $document['fragment'] ?? false ) ? $document['context'] : null; @@ -986,19 +1039,56 @@ static function () use ( $target, $selector_string, $document, $context ) { ); } + /* + * Two select() calls report the unparseable selector once each; the + * parse cache only skips re-parsing, never the per-call notice. An + * invalid-UTF-8 selector additionally reports the U+FFFD scrub once, + * on the first call ( the only one that parses after the flush ). + */ + $select_notice_name = ( 'tag' === $target ? 'WP_HTML_Tag_Processor' : 'WP_HTML_Processor' ) . '::select'; + $expected_calls = array( + array( 'function' => $select_notice_name ), + array( 'function' => $select_notice_name ), + ); + if ( ! \wp_is_valid_utf8( $selector_string ) ) { + array_unshift( $expected_calls, array( 'function' => self::scrub_notice_name( $target ) ) ); + } + $doing_it_wrong = Bootstrap::doing_it_wrong_calls(); - if ( 2 !== count( $doing_it_wrong ) ) { + if ( ! self::notices_match( $expected_calls, $doing_it_wrong ) ) { $record( 'doing-it-wrong-missing', array( 'target' => $target, - 'expectedCalls' => 2, + 'expectedCalls' => $expected_calls, 'calls' => $doing_it_wrong, ) ); } } + /** + * Compares recorded _doing_it_wrong() calls against expectations: same + * count, in order, matching on every key the expectation specifies + * ( recorded calls also carry 'message', which expectations omit ). + * + * @param array[] $expected_calls Expected calls, each a subset of record keys. + * @param array[] $actual_calls Recorded calls. + */ + private static function notices_match( array $expected_calls, array $actual_calls ): bool { + if ( count( $expected_calls ) !== count( $actual_calls ) ) { + return false; + } + foreach ( $expected_calls as $i => $expected_call ) { + foreach ( $expected_call as $key => $value ) { + if ( ( $actual_calls[ $i ][ $key ] ?? null ) !== $value ) { + return false; + } + } + } + return true; + } + /* * ------------- * Batch running From 2adef6a891ca6df3c154aede0a3c7656c0bb2d68 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 21:27:29 +0200 Subject: [PATCH 182/187] CSS selector fuzz: Cover the UTF-8 scrub with an invalid-utf8 bucket MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The core scrub (598ed6f363) decodes selector input before parsing: each maximal subpart of an ill-formed UTF-8 sequence becomes one U+FFFD (CSS Syntax 3 §3.2 via the WHATWG decoder). Until now only the chaos/mutated buckets exercised that path, organically and without AST expectations. The new bucket (weight 5 in both maps) injects one raw ill-formed sequence into a class/ID/attribute-name ident or quoted attribute string operand — lead/mid/trail/whole position, optionally behind a span type — and carries the post-scrub AST as its expectation. The per-class U+FFFD counts are pinned in INVALID_UTF8_CLASSES independently of wp_scrub_utf8(), so the AST round-trip is a real differential against the core scrub: lone continuation, truncated 2/3/4-byte leads, and invalid leads F5/FF decode to 1; overlong C0 80 / C1 BF to 2; surrogate half ED A0 80 to 3; beyond-max F4 90 80 80 to 4. An injected sequence is always followed by ASCII or end of input, so a continuation byte can never complete a truncated lead and shift the subpart boundaries. self-check gains a forced-bucket section (150 seeds): the selector must be invalid UTF-8, parse in both grammars, and parse to exactly the pinned AST; variety assertions require all subpart counts {1,2,3,4}, all four injection sites, and all ten byte classes. The class names and byte values are duplicated in the test deliberately — tallying from the generator's own table would shrink the assertion with a deleted entry and self-validate a drifted byte value (both demonstrated live in review). Adversarial review: three hostile reviewers. The spec reviewer verified the count table against an independently written WHATWG decoder (960 table contexts x 3 oracles; all 2880 site/position/class render combinations decode to the assumed post-scrub string; key-order-exact ASTs in both grammars; 3000-seed sweep clean). The test reviewer ran nine mutations — count drift, raw-byte expectations, suffix-guarantee removal, core scrub no-op, per-byte core scrub (killed exclusively by the two truncated classes that discriminate maximal-subpart from per-byte replacement), class deletion and de-selection, byte drift — all killed after two hardening rounds; two disclosed low-severity survivors remain (lone-continuation substring ambiguity; a class added to the table alone gets no variety pin). The integration reviewer confirmed the scrub-notice contract cannot flip (5200 constructed cases all invalid UTF-8), the lexbor differential stays live via the canonical re-render (zero skipped-utf8), digest determinism on every in-bucket seed in 1-400, and replay/minimizer behavior on raw-byte selectors. Gates: self-check OK; 5000 seeds, 0 failures (241 invalid-utf8 cases). --- tools/css-selector-fuzz/README.md | 9 +- .../lib/SelectorGenerator.php | 118 ++++++++++++++++++ tools/css-selector-fuzz/tests/self-check.php | 88 +++++++++++++ 3 files changed, 214 insertions(+), 1 deletion(-) diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index 3af425719c807..3767c2a1726e8 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -25,7 +25,7 @@ produces the same document, the same selector, and the same verdict. capture on wild documents. Wild documents that hit a construct the processor bails on (foster parenting, complex adoption-agency runs) are deterministically regenerated a bounded number of times. -3. Generate a selector in one of seven buckets: +3. Generate a selector in one of nine buckets: - `supported-compound` — must parse in both grammars; carries intended AST. - `supported-complex` — uses `>`/descendant combinators; must parse only in the complex grammar; carries intended AST. @@ -49,6 +49,13 @@ produces the same document, the same selector, and the same verdict. and -elements, `+`/`~`/`||` combinators, namespaces, non-type context selectors); must not parse. - `invalid` — not valid CSS; must not parse. + - `invalid-utf8` — a small supported selector with a raw ill-formed UTF-8 + byte sequence (lone continuation, truncated 2/3/4-byte, overlong, + surrogate half, beyond U+10FFFF) injected into a class/ID/attribute + ident or string operand; `from_selectors()` scrubs the input first, so + the case must parse and carries the post-scrub AST (one U+FFFD per + maximal subpart, with per-class subpart counts pinned independently of + `wp_scrub_utf8()`). - `chaos` — arbitrary bytes; no parse expectation. - `mutated` — a supported selector with random byte mutations; no parse expectation. diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index 1f3a8fa2e89c2..345228ed1a570 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -13,6 +13,11 @@ * (pseudo-classes/elements, sibling/column combinators, namespaces, * non-type context selectors). Must not parse in either grammar. * - invalid: not valid CSS selectors at all. Must not parse. + * - invalid-utf8: a supported compound with a raw ill-formed UTF-8 byte + * sequence injected into an ident or string operand. from_selectors() + * scrubs the input before parsing ( one U+FFFD per maximal subpart, CSS + * Syntax §3.2 via the WHATWG decoder ), so the case carries the + * post-scrub AST. * - chaos: arbitrary bytes. No parse expectation. * - mutated: a supported selector with random byte mutations. No parse * expectation. @@ -29,11 +34,35 @@ class SelectorGenerator { 'path-directed', 'unsupported', 'invalid', + 'invalid-utf8', 'chaos', 'mutated', 'edge-escape', ); + /** + * Ill-formed UTF-8 byte classes and the number of U+FFFD replacements the + * WHATWG UTF-8 decoder produces for each ( one per maximal subpart ). + * The counts are pinned here as an independent expectation — computing + * them with wp_scrub_utf8() would make the AST check a tautology. + * + * The counts assume the byte after the sequence is not a continuation + * byte ( it could complete a truncated sequence ); the generator always + * follows an injected sequence with ASCII or end of input. + */ + const INVALID_UTF8_CLASSES = array( + 'lone-continuation' => array( "\x80", 1 ), + 'truncated-2-byte' => array( "\xC3", 1 ), + 'truncated-3-byte' => array( "\xE2\x8C", 1 ), + 'truncated-4-byte' => array( "\xF0\x9F\x82", 1 ), + 'invalid-lead-f5' => array( "\xF5", 1 ), + 'invalid-lead-ff' => array( "\xFF", 1 ), + 'overlong-min' => array( "\xC0\x80", 2 ), + 'overlong-max' => array( "\xC1\xBF", 2 ), + 'surrogate-half' => array( "\xED\xA0\x80", 3 ), + 'beyond-max' => array( "\xF4\x90\x80\x80", 4 ), + ); + /** @var Prng */ private $prng; /** @var array */ @@ -182,6 +211,7 @@ public static function generate( Prng $prng, array $pools, ?array $rows = null, 'supported-complex' => 24, 'unsupported' => 14, 'invalid' => 11, + 'invalid-utf8' => 5, 'chaos' => 8, 'mutated' => 10, 'edge-escape' => 5, @@ -192,6 +222,7 @@ public static function generate( Prng $prng, array $pools, ?array $rows = null, 'path-directed' => 21, 'unsupported' => 11, 'invalid' => 9, + 'invalid-utf8' => 5, 'chaos' => 6, 'mutated' => 6, 'edge-escape' => 5, @@ -230,6 +261,9 @@ public static function generate( Prng $prng, array $pools, ?array $rows = null, case 'edge-escape': return $generator->gen_edge_escape(); + case 'invalid-utf8': + return $generator->gen_invalid_utf8(); + case 'unsupported': return array( 'bucket' => $bucket, @@ -764,6 +798,90 @@ private function gen_edge_escape(): array { ); } + /* + * ----------------------- + * Invalid-UTF-8 injection + * ----------------------- + * + * Raw ill-formed UTF-8 byte sequences in the selector input, mirroring + * the nul-input pattern: a small fixed simple selector keeps the case + * focused on the normalize_selector_input() scrub. Each maximal subpart + * of the injected sequence decodes to one U+FFFD ( per-class counts + * pinned in INVALID_UTF8_CLASSES ), and U+FFFD is a valid ident + * codepoint — including in start position — so the scrubbed selector + * must parse and the post-scrub AST is known by construction. + */ + private function gen_invalid_utf8(): array { + list( $bytes, $subparts ) = $this->prng->choice( array_values( self::INVALID_UTF8_CLASSES ) ); + + $position = $this->prng->choice( array( 'lead', 'mid', 'trail', 'whole' ) ); + $prefix = in_array( $position, array( 'lead', 'whole' ), true ) ? '' : 'a' . $this->prng->int( 0, 9 ); + $suffix = in_array( $position, array( 'trail', 'whole' ), true ) ? '' : 'z' . $this->prng->int( 0, 9 ); + $raw = $prefix . $bytes . $suffix; + $decoded = $prefix . str_repeat( "\u{FFFD}", $subparts ) . $suffix; + + switch ( $this->prng->choice( array( 'class', 'id', 'attr-name', 'attr-value' ) ) ) { + case 'class': + $rendered = '.' . $raw; + $sub = array( + 'kind' => 'class', + 'name' => $decoded, + ); + break; + + case 'id': + $rendered = '#' . $raw; + $sub = array( + 'kind' => 'id', + 'name' => $decoded, + ); + break; + + case 'attr-name': + $rendered = '[' . $raw . ']'; + $sub = array( + 'kind' => 'attr', + 'name' => $decoded, + 'matcher' => null, + 'value' => null, + 'modifier' => null, + ); + break; + + case 'attr-value': + default: + $name = 'a' . $this->prng->int( 0, 99 ); + $quote = $this->prng->chance( 50 ) ? '"' : "'"; + $rendered = '[' . $name . '=' . $quote . $raw . $quote . ']'; + $sub = array( + 'kind' => 'attr', + 'name' => $name, + 'matcher' => 'exact', + 'value' => $decoded, + 'modifier' => null, + ); + break; + } + + $type = $this->prng->chance( 40 ) ? 'span' : null; + + return array( + 'bucket' => 'invalid-utf8', + 'selector' => ( null === $type ? '' : $type ) . $rendered, + 'expectCompound' => true, + 'expectComplex' => true, + 'ast' => array( + array( + 'context' => array(), + 'self' => array( + 'type' => $type, + 'subs' => array( $sub ), + ), + ), + ), + ); + } + /* * ------------------------ * Path-directed generation diff --git a/tools/css-selector-fuzz/tests/self-check.php b/tools/css-selector-fuzz/tests/self-check.php index 10196f2d62291..d6a9a19dec2d0 100644 --- a/tools/css-selector-fuzz/tests/self-check.php +++ b/tools/css-selector-fuzz/tests/self-check.php @@ -91,6 +91,94 @@ function check( bool $condition, string $message ): void { check( count( $by_bucket ) >= 5, 'Bucket variety: saw ' . count( $by_bucket ) . ' buckets.' ); +// --- Invalid-UTF-8 bucket: post-scrub AST expectations by construction ------ +// from_selectors() replaces each maximal subpart of an ill-formed UTF-8 +// sequence with one U+FFFD before parsing ( CSS Syntax §3.2 via the WHATWG +// decoder ). The bucket injects raw ill-formed sequences and carries the +// post-scrub AST, with the per-class subpart counts hard-coded in the +// generator — independent of wp_scrub_utf8(), so this loop is a real +// differential between the generator's WHATWG expectations and the core +// scrub + parse pipeline. + +$fffd_ast_counts = array(); +$injection_sites = array(); +$byte_classes = array(); + +// The class names AND byte values are duplicated here on purpose: tallying +// from the generator's own table would silently shrink the assertion with a +// deleted entry and self-validate on a drifted byte value. +$expected_byte_classes = array( + 'lone-continuation' => "\x80", + 'truncated-2-byte' => "\xC3", + 'truncated-3-byte' => "\xE2\x8C", + 'truncated-4-byte' => "\xF0\x9F\x82", + 'invalid-lead-f5' => "\xF5", + 'invalid-lead-ff' => "\xFF", + 'overlong-min' => "\xC0\x80", + 'overlong-max' => "\xC1\xBF", + 'surrogate-half' => "\xED\xA0\x80", + 'beyond-max' => "\xF4\x90\x80\x80", +); + +$count_fffd = static function ( $node ) use ( &$count_fffd ): int { + if ( is_string( $node ) ) { + return substr_count( $node, "\u{FFFD}" ); + } + $total = 0; + if ( is_array( $node ) ) { + foreach ( $node as $child ) { + $total += $count_fffd( $child ); + } + } + return $total; +}; + +for ( $seed = 1; $seed <= 150; $seed++ ) { + $prng = new Prng( (string) $seed, 'self-check-invalid-utf8' ); + $document = DocumentGenerator::generate( $prng->fork( 'doc' ) ); + $case = SelectorGenerator::generate( $prng->fork( 'sel' ), $document['pools'], null, 'invalid-utf8' ); + $printable = \CssSelectorFuzz\printable_bytes( $case['selector'] ); + + check( 'invalid-utf8' === $case['bucket'], "Seed {$seed}: forced invalid-utf8 bucket, got {$case['bucket']}." ); + check( ! wp_is_valid_utf8( $case['selector'] ), "Seed {$seed}: selector must contain invalid UTF-8: {$printable}" ); + check( true === $case['expectCompound'] && true === $case['expectComplex'], "Seed {$seed}: invalid-utf8 cases must expect to parse in both grammars." ); + check( is_array( $case['ast'] ) && \CssSelectorFuzz\ast_strings_are_utf8( $case['ast'] ), "Seed {$seed}: expected AST must be valid UTF-8." ); + + $compound = WP_CSS_Compound_Selector_List::from_selectors( $case['selector'] ); + $complex = WP_CSS_Complex_Selector_List::from_selectors( $case['selector'] ); + check( null !== $compound, "Seed {$seed}: compound parse after scrub for: {$printable}" ); + check( null !== $complex, "Seed {$seed}: complex parse after scrub for: {$printable}" ); + if ( null === $complex || ! is_array( $case['ast'] ) ) { + continue; + } + + $parsed_ast = \CssSelectorFuzz\AstExtractor::from_complex_list( $complex ); + check( $case['ast'] === $parsed_ast, "Seed {$seed}: parsed AST equals maximal-subpart scrub expectation for: {$printable}" ); + + $fffd_ast_counts[ $count_fffd( $case['ast'] ) ] = true; + foreach ( (array) $case['ast'][0]['self']['subs'] as $sub ) { + $injection_sites[ 'attr' === $sub['kind'] && null !== $sub['matcher'] ? 'attr-value' : $sub['kind'] ] = true; + } + foreach ( $expected_byte_classes as $class_name => $class_bytes ) { + // Substring attribution is ambiguous only for lone-continuation, + // whose byte occurs inside three longer classes — good enough for + // an at-least-once variety tally. + if ( str_contains( $case['selector'], $class_bytes ) ) { + $byte_classes[ $class_name ] = true; + } + } +} + +foreach ( array( 1, 2, 3, 4 ) as $expected_count ) { + check( isset( $fffd_ast_counts[ $expected_count ] ), "Invalid-utf8 variety: a {$expected_count}-subpart byte class was generated." ); +} +foreach ( array( 'class', 'id', 'attr', 'attr-value' ) as $site ) { + check( isset( $injection_sites[ $site ] ), "Invalid-utf8 variety: injection site {$site} was generated." ); +} +foreach ( array_keys( $expected_byte_classes ) as $class_name ) { + check( isset( $byte_classes[ $class_name ] ), "Invalid-utf8 variety: byte class {$class_name} was generated." ); +} + // --- Known-answer matching cases ------------------------------------------- $known_html = '' From 5ddac66b92892031feed967191ec0fc0fa56e0d4 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 21:37:38 +0200 Subject: [PATCH 183/187] CSS selector fuzz: Splice raw invalid UTF-8 in the mutation bucket MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The mutated bucket's operations drew from a pure-ASCII alphabet, so the only ill-formed UTF-8 it produced came from delete/duplicate corrupting the pools' few multibyte characters (leads C3/CE/E2/F0 only). A new mutation kind (weight 12) splices one raw sequence from INVALID_UTF8_CLASSES at an arbitrary byte offset — possibly splitting an existing multibyte character or landing where a following continuation byte re-validates the string. These cases carry no AST expectation; they exercise crash, scrub-notice, and differential paths, and they make the worker's invalid-UTF-8 rejection branch hot (an unparseable invalid-UTF-8 selector expects scrub + two select() notices), which no bucket reached before: the invalid-utf8 bucket always parses and the chaos alphabets are valid UTF-8. self-check asserts the operation fires: at least 10 of 200 forced mutated seeds must contain a marker byte C0/C1/ED/F4/F5/FF (currently 28). The marker set is exactly the sound subset: those bytes cannot occur in any clean render (C0/C1/F5/FF never appear in valid UTF-8; ED/F4 only for U+D000-D7FF / above U+FFFFF, which no pool emits), while the four marker-free sequences (80, C3, E2 8C, F0 9F 82) reuse bytes that legitimate pool characters contain. Adversarial review: the same three hostile reviewers, all approved. Spec: splice arithmetic verified at every boundary (empty selector, at=0/length, cross-round corruption), a 20000-seed crash sweep with warnings escalated to exceptions came back clean, marker exclusivity confirmed against the pre-change generator (0 hits in 20000 seeds; the red loop reproduced exactly). Test adequacy: dead arm, dead weighted entry, and empty payload all collapse to 0/200 against the 28/200 baseline (threshold ~4 sigma below the mean under PRNG reshuffles); the one survivor (dropping only marker-free payloads) is probe diversity, not verification, and the bucket commit pins all ten classes. Integration: 5000 seeds 0 failures with byte-identical bucket distribution to the pre-change baseline, the notice contract verified self-keyed on the final byte string under 11 adversarial splice shapes including validity-restoring ones, determinism on every mutated seed in 1-400. Gates: self-check OK; 5000 seeds, 0 failures. --- tools/css-selector-fuzz/README.md | 3 ++- .../lib/SelectorGenerator.php | 22 ++++++++++++++----- tools/css-selector-fuzz/tests/self-check.php | 18 +++++++++++++++ 3 files changed, 37 insertions(+), 6 deletions(-) diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index 3767c2a1726e8..f0abff0934da5 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -57,7 +57,8 @@ produces the same document, the same selector, and the same verdict. maximal subpart, with per-class subpart counts pinned independently of `wp_scrub_utf8()`). - `chaos` — arbitrary bytes; no parse expectation. - - `mutated` — a supported selector with random byte mutations; no parse + - `mutated` — a supported selector with random byte mutations, including + raw ill-formed UTF-8 splices at arbitrary byte offsets; no parse expectation. - `edge-escape` — selectors that exercise otherwise-unreachable parser branches: hex escapes for NUL / surrogate / over-max codepoints (must diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index 345228ed1a570..fb93f8d66216d 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -1666,11 +1666,12 @@ private function mutate( string $selector ): string { $length = strlen( $selector ); $kind = $this->prng->weighted( array( - 'insert' => 30, - 'delete' => 25, - 'replace' => 25, - 'duplicate' => 10, - 'case-flip' => 10, + 'insert' => 30, + 'delete' => 25, + 'replace' => 25, + 'duplicate' => 10, + 'case-flip' => 10, + 'invalid-utf8' => 12, ) ); @@ -1714,6 +1715,17 @@ private function mutate( string $selector ): string { $selector = substr( $selector, 0, $at ) . $flip . substr( $selector, $at + 1 ); } break; + + case 'invalid-utf8': + // Splice a raw ill-formed sequence at an arbitrary byte + // offset — possibly splitting an existing multibyte + // character or landing before a continuation byte that + // completes a truncated lead. No expectations here; these + // exercise crash / scrub-notice / differential paths. + $bytes = $this->prng->choice( array_column( self::INVALID_UTF8_CLASSES, 0 ) ); + $at = $this->prng->int( 0, $length ); + $selector = substr( $selector, 0, $at ) . $bytes . substr( $selector, $at ); + break; } } diff --git a/tools/css-selector-fuzz/tests/self-check.php b/tools/css-selector-fuzz/tests/self-check.php index d6a9a19dec2d0..8d9df7e378b70 100644 --- a/tools/css-selector-fuzz/tests/self-check.php +++ b/tools/css-selector-fuzz/tests/self-check.php @@ -179,6 +179,24 @@ function check( bool $condition, string $message ): void { check( isset( $byte_classes[ $class_name ] ), "Invalid-utf8 variety: byte class {$class_name} was generated." ); } +// --- Mutated bucket: raw invalid-byte splicing ------------------------------- +// mutate() must be able to splice raw ill-formed UTF-8 into a selector at +// arbitrary byte offsets; these cases carry no AST expectation and exercise +// crash / scrub-notice / differential paths only. The marker bytes here can +// appear in NO rendered selector (the pools' multibyte characters use other +// lead bytes), so their presence proves the mutation operation fired. + +$mutated_with_invalid = 0; +for ( $seed = 1; $seed <= 200; $seed++ ) { + $prng = new Prng( (string) $seed, 'self-check-mutated-utf8' ); + $document = DocumentGenerator::generate( $prng->fork( 'doc' ) ); + $case = SelectorGenerator::generate( $prng->fork( 'sel' ), $document['pools'], null, 'mutated' ); + if ( false !== strpbrk( $case['selector'], "\xC0\xC1\xED\xF4\xF5\xFF" ) ) { + ++$mutated_with_invalid; + } +} +check( $mutated_with_invalid >= 10, "Mutated bucket splices raw invalid bytes ({$mutated_with_invalid} of 200 seeds)." ); + // --- Known-answer matching cases ------------------------------------------- $known_html = '' From 79691ca65461d3a7e6abdbcd974dd537363a1296 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 22:02:07 +0200 Subject: [PATCH 184/187] CSS selector fuzz: Record the lexbor invalid-byte probe and refresh docs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The handoff's open question — what does lexbor do with raw ill-formed UTF-8 in selectors — is resolved empirically: lexbor v3.0.0 accepts the bytes (no parse error) and replaces them with U+FFFD, but not per the WHATWG maximal-subpart rule CSS Syntax 3 §3.2 invokes. Truncated multi-byte sequences decode to one U+FFFD per byte (E2 8C to 2, spec 1; F0 9F 82 to 3, spec 1) and UTF-8-encoded surrogate halves decode permissively as a single unit (ED A0 80 to 1, spec 3); agreement on the other byte classes is coincidental overlap of the two algorithms. Drafted as UPSTREAM-ISSUES.md issue 6 with the probe table. On the document side lexbor keeps raw invalid bytes unchanged in the DOM (the same stance as the Tag Processor), so raw doc bytes match nothing in either engine. The differential needs no n/a gating for the invalid-utf8 bucket: the worker hands lexbor a canonical re-render of the post-scrub AST (pure ASCII), the same mechanism that sidesteps lexbor's other byte-level parsing bugs, so the bucket compares normally. NEXT-STEPS.md: the deferred scrub-coverage item resolves as implemented (bucket, splice, probe); the handoff's optional metamorphic relation parse(s) === parse(scrub(s)) is recorded as deliberately skipped (no public path bypasses from_selectors(), so it is near-tautological). New small open item from review: gen_chaos()'s whole-codepoint unicode branch is dead code (string-vs-key comparison), and its byte-sliced fallback is what makes chaos emit invalid UTF-8 organically (~15% of chaos cases) — making the branch live is a behavior decision now that deliberate ill-formed coverage exists. COVERAGE.md regenerated at the 3000-seed window: 396/424 = 93.4% raw, 408/424 = 96.2% effective. All 28 unreached lines accounted for: 12 phpdbg case-label artifacts, 12 defensive guards, the 2-line escape-decoder invalid-byte arm the scrub made unreachable through from_selectors() (pinned by PHPUnit), and 2 reachable lines this window misses (witnesses verified under phpdbg: '[' reaches the attribute length guard, '[a="b' reaches the string-to-EOF break). Stale 93.8%/96.8% references in NEXT-STEPS.md and FINDINGS.md updated to point at COVERAGE.md as the source of truth. Adversarial review: the same three hostile reviewers, all approved after two correction rounds. The issue-6 table was reproduced 10/10 rows against the pinned harness by two reviewers independently, the WHATWG column confirmed against an independent spec-transcribed decoder, and the ED-restricts-its-first-continuation-to-9F subpart reasoning checked against the Encoding Standard's ranges. The coverage table and uncovered-line list reproduced exactly; the case-label artifact demonstrated mechanistically (executable-but-unloggable label lines with executing bodies); the un-normalized-only claim verified in both directions (direct parse_ident hits the arm, from_selectors never does). Corrections from review: the issue-6 legend mislabeled U+FFFD counts as byte counts; stale coverage numbers contradicted the regenerated report; chaos's organic invalid UTF-8 was misattributed to pool corruption (it byte-slices its unicode alphabet); an 'all production moves' claim ignored mutated's residual organic corruption (~2% of pre-splice mutated cases). Gates: self-check OK; docs-only change — code identical to 8333b9347b, whose 5000-seed run was clean. --- tools/css-selector-fuzz/COVERAGE.md | 73 +++++++++++++------ tools/css-selector-fuzz/FINDINGS.md | 4 +- tools/css-selector-fuzz/NEXT-STEPS.md | 47 ++++++++++-- .../lexbor/UPSTREAM-ISSUES.md | 63 +++++++++++++++- 4 files changed, 153 insertions(+), 34 deletions(-) diff --git a/tools/css-selector-fuzz/COVERAGE.md b/tools/css-selector-fuzz/COVERAGE.md index 5279d0363201e..e7b715c0a8894 100644 --- a/tools/css-selector-fuzz/COVERAGE.md +++ b/tools/css-selector-fuzz/COVERAGE.md @@ -7,25 +7,27 @@ with phpdbg's opcode log over 3000 deterministic seeds: | file | covered / executable | % | |---|---|---| -| class-wp-css-attribute-selector.php | 106 / 116 | 91.4% | +| class-wp-css-attribute-selector.php | 108 / 119 | 90.8% | | class-wp-css-class-selector.php | 10 / 10 | 100% | | class-wp-css-complex-selector-list.php | 16 / 16 | 100% | | class-wp-css-complex-selector.php | 59 / 66 | 89.4% | | class-wp-css-compound-selector-list.php | 27 / 28 | 96.4% | | class-wp-css-compound-selector.php | 29 / 32 | 90.6% | | class-wp-css-id-selector.php | 12 / 12 | 100% | -| class-wp-css-selector-parser-matcher.php | 110 / 111 | 99.1% | +| class-wp-css-selector-parser-matcher.php | 120 / 124 | 96.8% | | class-wp-css-type-selector.php | 15 / 17 | 88.2% | -| **TOTAL** | **384 / 408** | **94.1%** | +| **TOTAL** | **396 / 424** | **93.4%** | -The 24 unreached lines are all accounted for below. Twelve are a phpdbg -measurement artifact (the code executes); the other twelve are defensive -guards that the public entry points cannot reach. Effective coverage of -reachable code is **396 / 408 = 97.1%**. +The 28 unreached lines are all accounted for below: twelve are a phpdbg +measurement artifact (the code executes), twelve are defensive guards the +public entry points cannot reach, two are the escape decoder's +invalid-byte arm that the input scrub made unreachable through +`from_selectors()`, and two are reachable lines this seed window happens +to miss. Counting the artifact lines as covered, effective coverage is +**408 / 424 = 96.2%**. -(Executable-line totals grew from 401 to 408 with the EOF-escape and -EOF-auto-close changes; two parser-matcher EOF guards that used to be -unreachable defensive lines are now genuinely exercised — see below.) +(Executable-line totals grew from 408 to 424 with the case-insensitive +attribute value list and the invalid-UTF-8 scrub changes.) ## phpdbg `case`-label artifact (12 lines — code executes) @@ -36,8 +38,8 @@ lexbor differential + self-check confirm the corresponding behavior). These are not real gaps: - `class-wp-css-attribute-selector.php` - - 309, 313, 317, 321, 325 — the `~= |= ^= $= *=` matcher operators. - - 350, 351, 356, 357 — the `i`/`I`/`s`/`S` case modifiers. + - 378, 382, 386, 390, 394 — the `~= |= ^= $= *=` matcher operators. + - 419, 420, 425, 426 — the `i`/`I`/`s`/`S` case modifiers. - `class-wp-css-compound-selector.php` - 120, 122, 124 — the `.` / `#` / `[` subclass-selector dispatch. @@ -46,7 +48,7 @@ are not real gaps: These are internal precondition checks that the calling code already guarantees, or branches for grammar the parser never emits: -- `class-wp-css-attribute-selector.php:282` — `return null` when the first +- `class-wp-css-attribute-selector.php:351` — `return null` when the first byte is not `[`. `parse()` is only ever called by `parse_subclass_selector()` *after* it has matched `[`, so the guard never fires. @@ -54,11 +56,11 @@ guarantees, or branches for grammar the parser never emits: "unsupported combinator" arm in the match walker. The parser only ever stores `' '` (descendant) or `'>'` (child) combinators, so the match-time default arm is dead defensively. -- `class-wp-css-compound-selector-list.php:87` — `return false` when the +- `class-wp-css-compound-selector-list.php:107` — `return false` when the processor is not on a `#tag` token. `select()` only invokes matching while positioned on a tag; reachable only by calling `matches()` directly off a non-tag token. -- `class-wp-css-selector-parser-matcher.php:351` — +- `class-wp-css-selector-parser-matcher.php:375` — `next_two_are_valid_escape()` EOF guard; every caller either bound-checks first or only calls it on a known backslash byte. - `class-wp-css-type-selector.php:45` — `return false` when `get_tag()` is @@ -66,11 +68,30 @@ guarantees, or branches for grammar the parser never emits: - `class-wp-css-type-selector.php:75` — `parse()` EOF guard; the compound parser checks `offset < strlen` before calling. -Two guards documented here in earlier revisions are now genuinely covered: -the `parse_string()` EOF guard and the -`check_if_three_code_points_would_start_an_ident_sequence()` EOF guard are -both reached since EOF auto-close lets `[a=` call the value parsers at the -end of input. +## Un-normalized input only (2 lines — pinned by PHPUnit) + +- `class-wp-css-selector-parser-matcher.php:287–288` — the escape decoder's + invalid-byte arm (consume the maximal subpart `_wp_scan_utf8()` reported, + return one U+FFFD). The invalid-UTF-8 scrub in `normalize_selector_input()` + made this arm structurally unreachable through `from_selectors()` — the + fuzzer's only entry point — and it exists for direct `parse()` callers + with un-normalized input. The escape pins in + `tests/phpunit/tests/html-api/wpCssSelectorParserMatcher.php` exercise it + for every invalid-byte decode class under the U+2603 canary. + +## Reachable, but missed by this seed window (2 lines) + +Both lines are demonstrably reachable (witnesses verified directly under +phpdbg) but sit behind enough generator coin flips that a fixed 3000-seed +window may or may not sample them; earlier revisions of this report saw +them flicker in and out across windows: + +- `class-wp-css-attribute-selector.php:345` — the `[x` minimum-length + guard; witness: `[` (also `.a[`, `a[`) at the end of input. +- `class-wp-css-selector-parser-matcher.php:149` — `parse_string()`'s + break when plain string content runs to end of input; witness: `[a="b` + (the `eof-truncated` edge-escape kind reaches it only when its quote-drop + and no-backslash coins both land, ~1 expected case per 3000 seeds). ## Notes on what raised coverage @@ -82,9 +103,17 @@ end of input. kind covers the EOF auto-close paths in the attribute parser, including unterminated strings (with and without a trailing "do nothing" backslash, which keeps the `parse_string` backslash-at-EOF arm exercised). +- The `invalid-utf8` bucket and the `mutated` bucket's raw-byte splice + drive the `wp_scrub_utf8()` replacement branch and its + `_doing_it_wrong()` notice in `normalize_selector_input()` + deterministically (previously hit only organically — `chaos` + byte-slicing its multibyte `unicode` alphabet, `mutated` corrupting the + pools' few multibyte characters), and the splice makes the + unparseable-and-invalid-UTF-8 notice ordering in the worker hot. - A few `invalid`-bucket templates (`[a=`, `[a~`, `[a="bc`, `a.`) reach attribute / string / class parse guards that random structural generation - rarely lands on. With them the per-file numbers above are **deterministic** + rarely lands on. With them the per-file numbers above are stable at the documented 3000-seed window (e.g. `class-wp-css-class-selector.php` reaches 10/10 reliably rather than depending on whether a bare `.` happened - to be sampled). + to be sampled) — apart from the two borderline-frequency lines listed + above. diff --git a/tools/css-selector-fuzz/FINDINGS.md b/tools/css-selector-fuzz/FINDINGS.md index 5e650aac73549..ca408ad84c591 100644 --- a/tools/css-selector-fuzz/FINDINGS.md +++ b/tools/css-selector-fuzz/FINDINGS.md @@ -163,8 +163,8 @@ Implemented and validated: - **Parser-derived oracle tree** (`TreeCapture`): the processor's own parse is ground truth, so **wild / restructured HTML** and **`` fragments** are fuzzed, not only clean trees. -- **Line coverage** measured (93.8%, see `COVERAGE.md`; 96.8% of reachable - code, remainder justified). +- **Line coverage** measured (93.4%, see `COVERAGE.md` — the source of truth + for current numbers; 96.2% effective, remainder justified). - **Automatic minimizer** (`minimize.php`): delta-debugs selector and HTML to a minimal reproducer preserving a chosen signature. diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index b84ec6130f47a..dd3f52d8e774b 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -2,7 +2,8 @@ > **Status: all seven work items below are implemented and validated** (see > `README.md`, `COVERAGE.md`, `FINDINGS.md`). The acceptance bar is met: -> coverage measured (93.8%; 96.8% of reachable code, remainder justified); +> coverage measured (93.4%; 96.2% effective — `COVERAGE.md` is the source +> of truth for the current numbers, remainder justified); > three oracles agree on no-quirks supported cases with every divergence > triaged; metamorphic invariants passing; combinator positive-match rate > raised from 14.5% to ~68% (path-directed bucket); minimizer working; a clean @@ -148,15 +149,45 @@ > its quadratic tail were removed by the scrub implementation — see the > invalid-UTF-8 policy entry above.) > +> **Fuzzer coverage for the scrub surface — IMPLEMENTED (2026-06-11):** +> the deferred coverage work for the invalid-UTF-8 scrub landed in three +> pieces. (1) A dedicated `invalid-utf8` generator bucket injects raw +> ill-formed sequences into class/ID/attribute-name idents and quoted +> string operands and carries the post-scrub AST; the per-class maximal- +> subpart U+FFFD counts are pinned independently of `wp_scrub_utf8()` +> (self-check additionally duplicates the class names and byte values, so +> a deleted or drifted table entry fails instead of shrinking the +> assertion). (2) A `mutated`-bucket splice kind inserts raw ill-formed +> sequences at arbitrary byte offsets — no expectations, but it makes the +> worker's invalid-UTF-8 rejection branch hot (scrub + two `select()` +> notices), which no other bucket reached. (3) The explicit lexbor probe: +> lexbor accepts raw invalid selector bytes and replaces them with U+FFFD, +> but NOT per the WHATWG maximal-subpart rule — one U+FFFD per byte for +> truncated sequences (`E2 8C` → 2, spec 1) and one per whole sequence for +> UTF-8-encoded surrogate halves (`ED A0 80` → 1, spec 3) — drafted as +> `lexbor/UPSTREAM-ISSUES.md` issue 6. The differential is unaffected and +> stays live for the bucket: it feeds lexbor the canonical re-render of +> the post-scrub AST (escaped, pure ASCII), the same mechanism that +> sidesteps lexbor's other byte-level parsing bugs. Doc-side observation: +> lexbor keeps raw invalid bytes in the DOM unchanged (same stance as the +> Tag Processor), so raw doc bytes match nothing in either engine. The +> handoff's optional metamorphic relation `parse(s) === parse(scrub(s))` +> was skipped deliberately: it is near-tautological (it could only catch +> a `from_selectors()` bypass, and no public path bypasses it). +> > **Still open from the original follow-up list:** the tooling items in > this file's hardening notes (self-check decoupling, class-NUL injection, -> vacuous-assertion rate, quirks-mode single-oracle gap), plus deferred -> fuzzer coverage for the scrub surface (dedicated invalid-UTF-8 generator -> bucket with maximal-subpart AST expectations, raw-byte mutation class, -> explicit lexbor invalid-byte probe — handoff drafted 2026-06-11; note -> the chaos/mutated buckets already produce invalid-UTF-8 selectors -> organically and lexbor agreed with the scrubbed results across a clean -> 5000-seed run). +> vacuous-assertion rate, quirks-mode single-oracle gap). New small item +> from the 2026-06-11 review: `gen_chaos()`'s whole-codepoint `unicode` +> branch is dead code — it compares the alphabet *string* against the key +> `'unicode'` after the value lookup already happened — so the unicode +> alphabet is byte-sliced by the generic fallback instead. That slicing is +> what makes chaos emit invalid UTF-8 organically (~15% of chaos cases), +> so making the branch live is a behavior decision, not just a cleanup: +> it would remove chaos's organic ill-formed-byte production, leaving the +> deliberate paths (`invalid-utf8` bucket, `mutated` splice) plus +> `mutated`'s residual organic corruption of pool multibyte characters +> (~2% of mutated cases even without the splice). Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch `html-css-fuzz` (trunk + merged `html-api/add-css-selector-parser`). diff --git a/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md b/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md index 9ec23e414dcfa..ef167f2814959 100644 --- a/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md +++ b/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md @@ -1,10 +1,12 @@ # lexbor — draft upstream bug reports -Five spec-conformance bugs in liblexbor's CSS selectors support, found while +Six spec-conformance bugs in liblexbor's CSS selectors support, found while using lexbor as a differential oracle for the WordPress HTML-API CSS selector fuzzer (`tools/css-selector-fuzz/`). Issues 1–3 were re-verified directly against the harness on 2026-06-10; issues 4–5 surfaced during the WP -conformance-fix session and were re-verified on 2026-06-11. +conformance-fix session and were re-verified on 2026-06-11; issue 6 came out +of the explicit invalid-byte probe for the WP scrub coverage work +(2026-06-11). - **Pinned version:** lexbor v3.0.0 (`2ae88a1c6b52`), built by `tools/css-selector-fuzz/lexbor/build.sh`. @@ -217,3 +219,60 @@ a feature request rather than a bug if lexbor considers document-language selector rules out of scope for its selectors module — but lexbor is an HTML engine and browsers uniformly implement the folding, so matching against HTML documents diverges from every browser without it. + +## Issue 6 — ill-formed UTF-8 in selectors is not decoded per the Encoding Standard + +CSS Syntax Level 3 decodes the input byte stream via the Encoding Standard +before tokenizing: + +> To decode bytes, ... Otherwise, decode bytes with fallback encoding utf-8. +> — https://www.w3.org/TR/css-syntax-3/#input-byte-stream (§3.2) + +The Encoding Standard's UTF-8 decoder replaces each **maximal subpart of an +ill-formed subsequence** with a single U+FFFD (the boundaries follow the +decoder's byte-range tables; see also Unicode §3.9 "U+FFFD Substitution of +Maximal Subparts"): + +> https://encoding.spec.whatwg.org/#utf-8-decoder + +lexbor accepts raw ill-formed bytes in selectors (no parse error) and +replaces them with U+FFFD, but with different boundaries: a truncated +multi-byte sequence yields one U+FFFD **per byte** instead of one per +maximal subpart, and a UTF-8-encoded surrogate half (`ED A0 80`–`ED BF +BF`) is decoded permissively as a **single unit** yielding one U+FFFD +instead of three. Verified at v3.0.0 by matching raw-byte class selectors +against elements whose class attributes contain literal U+FFFD runs +(`
` = 1×U+FFFD ... `
` = 4×U+FFFD; +`�` below is U+FFFD, U+FFFD counts in parentheses): + +| selector bytes | WHATWG decode | lexbor | +|-----------------------|----------------|----------------| +| `.ab` | `a�b` (1) ✅ | `a��b` (2) ❌ | +| `.ab` | `a�b` (1) ✅ | `a���b` (3) ❌ | +| `.ab` | `a���b` (3) ✅ | `a�b` (1) ❌ | +| `.ab` | `a���b` (3) ✅ | `a�b` (1) ❌ | +| `.a<80>b` | `a�b` (1) | `a�b` (1) ✅ | +| `.ab` | `a�b` (1) | `a�b` (1) ✅ | +| `.ab` | `a��b` (2) | `a��b` (2) ✅ | +| `.ab` | `a���b` (3) | `a���b` (3) ✅ | +| `.ab` | `a����b` (4) | `a����b` (4) ✅ | + +The agreeing rows are controls where per-byte replacement coincides with +the maximal-subpart rule (lone continuation/lead bytes, overlongs whose +subparts are all single bytes, beyond-U+10FFFF). The same behavior applies +inside string tokens (`[x="p<80>q"]` matches `x="p�q"`). Two truncated +sequences are exactly where the algorithms separate: `E2 8C` is **one** +maximal subpart (E2 accepts two continuations and 8C is a valid first +continuation), while `ED A0` is **not** a subpart at all (ED restricts its +first continuation to 80–9F), so `ED A0 80` is three. + +Notes for the filing agent: browsers only exercise this decode through the +stylesheet byte stream (JS `querySelectorAll` strings are already UTF-16), +so compare against an external stylesheet with raw bytes, or against +another Encoding Standard implementation (e.g. `TextDecoder('utf-8')`, +whose output for the byte sequences above shows the maximal-subpart +boundaries directly). Document-side context: lexbor stores raw ill-formed +bytes from the HTML byte stream unchanged in the DOM (a raw `<80>` in a +class attribute is matched by no selector, not even one with the same raw +bytes), so the repro must put literal U+FFFD characters in the document +and raw bytes only in the selector. From 42c267a642ae46bac2298bf35f11e8059e74b352 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Thu, 11 Jun 2026 23:48:05 +0200 Subject: [PATCH 185/187] Build lexbor harness from master --- tools/css-selector-fuzz/NEXT-STEPS.md | 6 +++--- tools/css-selector-fuzz/README.md | 10 ++++----- .../lexbor/UPSTREAM-ISSUES.md | 12 +++++------ tools/css-selector-fuzz/lexbor/build.sh | 21 ++++++++++++------- tools/css-selector-fuzz/lexbor/harness.c | 4 ++-- tools/css-selector-fuzz/lib/LexborOracle.php | 4 ++-- 6 files changed, 31 insertions(+), 26 deletions(-) diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index dd3f52d8e774b..36988221a90fe 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -292,9 +292,9 @@ case-sensitively in no-quirks (`WP_HTML_Tag_Processor::is_quirks_mode()`); type names are always case-insensitive. Do NOT trust lexbor on quirks-mode case behavior. Restrict the lexbor differential to **no-quirks documents** (emit ``), and keep `ReferenceMatcher` as the authority for the -quirks-mode path. Pin the exact lexbor version used and note whether #368 is -fixed in it. Re-evaluate enabling quirks comparison only after verifying lexbor's -behavior against that issue. +quirks-mode path. Record the exact lexbor master commit used and note whether +#368 is fixed in it. Re-evaluate enabling quirks comparison only after verifying +lexbor's behavior against that issue. - Also surface (don't auto-fail) **attribute default case-insensitivity**: Selectors-4/HTML define a set of attributes matched case-insensitively by diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index f0abff0934da5..cfcfda666cf7e 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -106,9 +106,9 @@ produces the same document, the same selector, and the same verdict. ## lexbor harness Build with `sh tools/css-selector-fuzz/lexbor/build.sh` (clones and builds -liblexbor, pinned to v3.0.0 = `2ae88a1c6b52`). The worker auto-detects the -binary at `tools/css-selector-fuzz/lexbor/harness` and reports per-batch -tallies, persisted to `state.json` under `lexbor`: +liblexbor from upstream `master`; the build script prints the exact commit). +The worker auto-detects the binary at `tools/css-selector-fuzz/lexbor/harness` +and reports per-batch tallies, persisted to `state.json` under `lexbor`: - `compared` — the differential ran and matched fid-multisets. - `tree-gated` — WP and lexbor built different trees; differential skipped. @@ -119,9 +119,9 @@ tallies, persisted to `state.json` under `lexbor`: a loud warning if these appear after the harness had run, so a third oracle that dies mid-run cannot hide behind a green run. -Known lexbor issues compensated for at this pin: +Known lexbor issues compensated for when present: -- [#368](https://github.com/lexbor/lexbor/issues/368) (open at v3.0.0): +- [#368](https://github.com/lexbor/lexbor/issues/368): class and `#id` selectors match ASCII case-insensitively even in no-quirks documents (`[id=…]` attribute matching is correctly case-sensitive). Detected by a startup probe; when present, lexbor is diff --git a/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md b/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md index ef167f2814959..40c2ccb80f97c 100644 --- a/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md +++ b/tools/css-selector-fuzz/lexbor/UPSTREAM-ISSUES.md @@ -8,8 +8,9 @@ conformance-fix session and were re-verified on 2026-06-11; issue 6 came out of the explicit invalid-byte probe for the WP scrub coverage work (2026-06-11). -- **Pinned version:** lexbor v3.0.0 (`2ae88a1c6b52`), built by - `tools/css-selector-fuzz/lexbor/build.sh`. +- **Default build target:** lexbor upstream `master`, built by + `tools/css-selector-fuzz/lexbor/build.sh`. Record the exact commit printed + by the build script when verifying any issue. - **Upstream repo:** https://github.com/lexbor/lexbor - **Already filed upstream — do NOT refile:** [#368](https://github.com/lexbor/lexbor/issues/368) (class/`#id` selectors @@ -17,10 +18,9 @@ of the explicit invalid-byte probe for the WP scrub coverage work ## Instructions for the filing agent -1. **Re-verify at lexbor master first.** The pin is v3.0.0; any of these may - already be fixed. Edit `build.sh` to build master (or clone/build manually) - and re-run the repros below. Only file what still reproduces, and say in - the report which commit you tested. +1. **Re-verify at current lexbor master first.** Any of these may already be + fixed. Run `build.sh` and re-run the repros below. Only file what still + reproduces, and say in the report which commit you tested. 2. **Search for duplicates** before filing (suggested queries: `~=`, `attr-modifier`, `case insensitive modifier`, `ident code point`, `U+00B7`, `non-ascii`, `EOF`, `unclosed`, `simple block`, diff --git a/tools/css-selector-fuzz/lexbor/build.sh b/tools/css-selector-fuzz/lexbor/build.sh index 186a7e5b703b6..a1471675bc815 100644 --- a/tools/css-selector-fuzz/lexbor/build.sh +++ b/tools/css-selector-fuzz/lexbor/build.sh @@ -2,10 +2,11 @@ # # Builds the lexbor differential harness. # -# Pinned lexbor version: v3.0.0 (2ae88a1c6b5261830eff73ee12bb3cdf805f3cfe). +# Builds against upstream lexbor master. The exact commit is printed after +# each build and recorded in the build cache. # Note: lexbor issue #368 ("Class/ID selectors are ASCII case-insensitive -# even in no-quirks mode") is still OPEN at this version; the PHP adapter -# detects it at startup and compensates (see LexborOracle.php). +# even in no-quirks mode") is detected at startup and compensated for when +# present (see LexborOracle.php). # # Usage: # sh tools/css-selector-fuzz/lexbor/build.sh [lexbor-src-dir] @@ -16,27 +17,31 @@ set -e HERE="$(cd "$(dirname "$0")" && pwd)" SRC="${1:-/tmp/lexbor-src}" -PIN="2ae88a1c6b5261830eff73ee12bb3cdf805f3cfe" +BRANCH="master" if [ ! -d "$SRC" ]; then echo "Cloning lexbor into $SRC ..." git clone https://github.com/lexbor/lexbor "$SRC" fi -git -C "$SRC" checkout --quiet "$PIN" +git -C "$SRC" fetch --quiet origin "$BRANCH" +git -C "$SRC" checkout --quiet -B "$BRANCH" "origin/$BRANCH" +REV="$(git -C "$SRC" rev-parse --verify HEAD)" +STAMP="$SRC/build/.lexbor-rev" -if [ ! -f "$SRC/build/liblexbor_static.a" ]; then - echo "Building liblexbor_static ..." +if [ ! -f "$SRC/build/liblexbor_static.a" ] || [ ! -f "$STAMP" ] || [ "$(cat "$STAMP")" != "$REV" ]; then + echo "Building liblexbor_static ($BRANCH $REV) ..." mkdir -p "$SRC/build" cd "$SRC/build" cmake -DCMAKE_BUILD_TYPE=Release -DLEXBOR_BUILD_SHARED=OFF \ -DLEXBOR_BUILD_STATIC=ON -DLEXBOR_BUILD_TESTS=OFF \ -DLEXBOR_BUILD_EXAMPLES=OFF .. > /dev/null make -j8 lexbor_static > /dev/null + printf '%s\n' "$REV" > "$STAMP" cd "$HERE" fi cc -O2 -Wall -Wextra -o "$HERE/harness" "$HERE/harness.c" \ -I "$SRC/source" "$SRC/build/liblexbor_static.a" -echo "Built $HERE/harness (lexbor $PIN)" +echo "Built $HERE/harness (lexbor $BRANCH $REV)" diff --git a/tools/css-selector-fuzz/lexbor/harness.c b/tools/css-selector-fuzz/lexbor/harness.c index ebd3aa32f4b4a..582c387a92f86 100644 --- a/tools/css-selector-fuzz/lexbor/harness.c +++ b/tools/css-selector-fuzz/lexbor/harness.c @@ -21,8 +21,8 @@ * for elements without one (matching the fuzzer's placeholder convention). * Tags are ASCII-uppercased. * - * Build: see build.sh next to this file. Pinned lexbor version recorded - * there and in the fuzzer README. + * Build: see build.sh next to this file. The script builds upstream lexbor + * master and prints the exact commit used. */ #include diff --git a/tools/css-selector-fuzz/lib/LexborOracle.php b/tools/css-selector-fuzz/lib/LexborOracle.php index a7a6864aa62ab..2dd74c9e92e54 100644 --- a/tools/css-selector-fuzz/lib/LexborOracle.php +++ b/tools/css-selector-fuzz/lib/LexborOracle.php @@ -19,7 +19,7 @@ * ASCII case-insensitively even in no-quirks mode ( attribute selectors * like [id=x] are correctly case-sensitive ). Detected by probe at startup; * when present, lexbor is compared against the reference matcher run with - * quirks-style class/ID folding. Open at the pinned v3.0.0. + * quirks-style class/ID folding. */ class LexborOracle { @@ -62,7 +62,7 @@ public static function available(): bool { return true; } - /** Whether the pinned lexbor exhibits issue #368 ( class/ID case folding ). */ + /** Whether the built lexbor exhibits issue #368 ( class/ID case folding ). */ public static function has_issue_368(): bool { return self::$issue368; } From 9d1129c2135266461280ae4d113edcf6bcc42779 Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 12 Jun 2026 08:42:56 +0200 Subject: [PATCH 186/187] CSS selector fuzz: harden fuzzer follow-ups --- tools/css-selector-fuzz/FINDINGS.md | 7 +- tools/css-selector-fuzz/NEXT-STEPS.md | 43 +++---- tools/css-selector-fuzz/README.md | 44 ++++--- .../lib/DocumentGenerator.php | 52 +++++++- tools/css-selector-fuzz/lib/LexborOracle.php | 32 ++++- .../lib/ReferenceMatcher.php | 20 +-- .../lib/SelectorGenerator.php | 5 +- .../lib/WildDocumentGenerator.php | 27 +++- tools/css-selector-fuzz/lib/Worker.php | 65 ++++++++-- tools/css-selector-fuzz/runner.php | 59 ++++++++- tools/css-selector-fuzz/tests/self-check.php | 119 ++++++++++++++++-- 11 files changed, 369 insertions(+), 104 deletions(-) diff --git a/tools/css-selector-fuzz/FINDINGS.md b/tools/css-selector-fuzz/FINDINGS.md index ca408ad84c591..e58b256962364 100644 --- a/tools/css-selector-fuzz/FINDINGS.md +++ b/tools/css-selector-fuzz/FINDINGS.md @@ -17,9 +17,10 @@ completely clean, and the lexbor differential (third independent oracle) agreed with the reference matcher on every compared no-quirks case (0 `lexbor-divergence`). Caveats on the strength of that agreement: roughly half of the `compared` cases (and ~62% of all match assertions across buckets) are vacuous `[] == []`; -quirks-mode class/ID matching is excluded from the differential (lexbor #368) -and so rests on `ReferenceMatcher` alone. See `README.md` for the full -disclosure. +older lexbor builds with #368 exclude quirks-mode class/ID matching from the +differential, though current harnesses include it when the startup probe reports +reliable class/#id behavior in both no-quirks and quirks mode. See `README.md` +for the full disclosure. Reproduce any case: `php tools/css-selector-fuzz/replay.php --selector '' [--html '']`. Auto-minimize a failing seed: `php tools/css-selector-fuzz/minimize.php --seed ` diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index 36988221a90fe..8746f5493c529 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -14,16 +14,17 @@ > (`CSS selector:` commits `7419a9fef6` / `0cefeb2fc8` / `16d03e2c5f`), each > with PHPUnit regression tests. A post-fix 5000-seed run is clean. > -> **Open follow-up hardening (post-review):** `tests/self-check.php` runs its -> parse-expectation assertions over a fixed seed window (1–400) that, against -> an *unfixed* core, dodges the known core bugs only by seed luck. On this -> branch the bugs are fixed so the collision risk is gone, but the hazard -> returns whenever the tooling runs against a core without the fixes (e.g. -> cherry-picked onto trunk before the fixes land) or when a future unfixed bug -> is found. Decouple self-check from unfixed core bugs — e.g. allowlist known -> signatures in the parse-expectation loop — as a standalone hardening. This is -> worth doing on its own (it makes self-check robust to *any* future generator -> change) and is the prerequisite for randomized class-NUL document injection. +> **Fuzzer-side follow-up hardening implemented (2026-06-12):** +> `tests/self-check.php` now allowlists known core parse-bug signatures in its +> fixed seed-window parse-expectation loop, while unknown mismatches still fail. +> The safe and wild document generators now inject NUL into random class tokens +> and expose the decoded U+FFFD token to class-selector generation, without +> leaking raw class values into the generic attribute-value pool. The lexbor +> differential includes quirks documents whenever the startup probe confirms +> class/#id behavior in both no-quirks and quirks mode (local master-built +> harness `3a2d595fe8c50e5076ac79c02b2ded79a777bb52` passes), and `runner.php` +> reports per-bucket/per-target vacuous and non-vacuous match assertion rates +> under `matchStats`. > > **Candidate finding 4 — FIXED:** per CSS Syntax 3 §4.3.8, `\` followed by > EOF is a valid escape (EOF is not a newline), and §4.3.7 says consuming it @@ -175,19 +176,15 @@ > was skipped deliberately: it is near-tautological (it could only catch > a `from_selectors()` bypass, and no public path bypasses it). > -> **Still open from the original follow-up list:** the tooling items in -> this file's hardening notes (self-check decoupling, class-NUL injection, -> vacuous-assertion rate, quirks-mode single-oracle gap). New small item -> from the 2026-06-11 review: `gen_chaos()`'s whole-codepoint `unicode` -> branch is dead code — it compares the alphabet *string* against the key -> `'unicode'` after the value lookup already happened — so the unicode -> alphabet is byte-sliced by the generic fallback instead. That slicing is -> what makes chaos emit invalid UTF-8 organically (~15% of chaos cases), -> so making the branch live is a behavior decision, not just a cleanup: -> it would remove chaos's organic ill-formed-byte production, leaving the -> deliberate paths (`invalid-utf8` bucket, `mutated` splice) plus -> `mutated`'s residual organic corruption of pool multibyte characters -> (~2% of mutated cases even without the splice). +> **Still open:** `gen_chaos()`'s whole-codepoint `unicode` branch is dead +> code — it compares the alphabet *string* against the key `'unicode'` after +> the value lookup already happened — so the unicode alphabet is byte-sliced +> by the generic fallback instead. That slicing is what makes chaos emit +> invalid UTF-8 organically (~15% of chaos cases), so making the branch live +> is a behavior decision, not just a cleanup: it would remove chaos's organic +> ill-formed-byte production, leaving the deliberate paths (`invalid-utf8` +> bucket, `mutated` splice) plus `mutated`'s residual organic corruption of +> pool multibyte characters (~2% of mutated cases even without the splice). Repo: `/Users/jonsurrell/a8c/wordpress-develop/html-css-fuzz`, branch `html-css-fuzz` (trunk + merged `html-api/add-css-selector-parser`). diff --git a/tools/css-selector-fuzz/README.md b/tools/css-selector-fuzz/README.md index cfcfda666cf7e..655d52293cc29 100644 --- a/tools/css-selector-fuzz/README.md +++ b/tools/css-selector-fuzz/README.md @@ -45,6 +45,9 @@ produces the same document, the same selector, and the same verdict. path-directed generation is that the *combinator/breadcrumb* walker — the part most likely to harbor a matching bug — is now exercised with real depth, not that every assertion is non-vacuous. + `runner.php` persists per-bucket/per-target match assertion counts and + vacuous/non-vacuous rates under `matchStats` in `state.json`, so this + distribution is reported on every run instead of relying on stale notes. - `unsupported` — valid CSS the API intentionally rejects (pseudo-classes and -elements, `+`/`~`/`||` combinators, namespaces, non-type context selectors); must not parse. @@ -88,15 +91,16 @@ produces the same document, the same selector, and the same verdict. Skipped for ASTs containing invalid UTF-8 (reachable only from chaos/mutated inputs), which the renderer cannot round-trip. - lexbor differential (third, independent oracle; requires the harness — - see below): on no-quirks documents whose selector parsed, a canonical + see below): on full-document cases whose selector parsed, a canonical re-render of the verified AST is matched by liblexbor and compared, - as a multiset of fids, against the reference matcher. Gated on WP and + as a multiset of fids, against the reference matcher. Quirks documents + participate only when the startup probe confirms lexbor's class/#id + folding behavior in both no-quirks and quirks mode. Gated on WP and lexbor building the same element tree (fid/tag/ancestry), so it tests - the selector layer, not tree construction. Verdicts: `lexbor-divergence` - (lexbor ≠ reference) is a fuzzer-oracle problem; `match-mismatch-html` - with no accompanying divergence means reference == lexbor ≠ WP — a - high-confidence WP finding. (Roughly half of `compared` cases are - themselves non-vacuous; the rest assert `[] == []` on both engines.) + the selector layer, not tree construction. Verdicts: + `lexbor-divergence` (lexbor ≠ reference) is a fuzzer-oracle problem; + `match-mismatch-html` with no accompanying divergence means reference + == lexbor ≠ WP — a high-confidence WP finding. - Repeating a case yields a byte-identical result digest (determinism). Note the digest covers the WP-under-test surface (selector, html, parse-nullness, ASTs, failure invariants) but **not** the lexbor @@ -112,7 +116,8 @@ and reports per-batch tallies, persisted to `state.json` under `lexbor`: - `compared` — the differential ran and matched fid-multisets. - `tree-gated` — WP and lexbor built different trees; differential skipped. -- `skipped-quirks` / `skipped-utf8` — quirks document / non-UTF-8 AST. +- `skipped-quirks` / `skipped-utf8` — quirks document while lexbor class/#id + case behavior is not trusted / non-UTF-8 AST. - `n/a` — the differential does not apply (unparseable selector, fragment, no captured tree). - `unavailable` / `error` — the harness was missing or died. The runner prints @@ -127,14 +132,9 @@ Known lexbor issues compensated for when present: case-sensitive). Detected by a startup probe; when present, lexbor is compared against the reference matcher run with quirks-style class/ID folding, and quirks-mode documents are excluded from the differential - entirely. **Consequence — a real coverage hole:** quirks-mode class/ID - matching has no independent third oracle. `ReferenceMatcher` is the sole - authority there, and it encodes the same "ASCII-only case fold in quirks" - reading WP does (both fold via ASCII-only lowercasing), so if that reading - is wrong they would be wrong identically and lexbor — the one engine that - could disagree — is excluded. This is inherent to lexbor #368 being open; - it is the weakest-covered behavior in the suite and is called out here - rather than papered over. + entirely. The same startup probe also checks class and `#id` selectors in + quirks mode; only when all four probes pass is quirks-mode class/ID matching + included in the differential. - lexbor rejects uppercase `I`/`S` attribute-selector modifiers, and its non-ASCII ident-codepoint table omits U+00B7 and U+00C0–U+00F6 (it starts at U+00F8), rejecting e.g. `.Über` while accepting `.über`. @@ -159,13 +159,11 @@ The match oracle's independence differs between class and attribute selectors: splits on ASCII whitespace and folds NUL → U+FFFD per token; `ReferenceMatcher::class_matches()` reimplements that independently (and is pinned against `class_list()` on NUL/FF boundary inputs by `self-check.php`). - The random document generators do **not** emit control bytes inside class - values, so the *randomized* fuzzing never exercises this boundary — it is - covered only by the deterministic self-check cases. Randomized document-side - injection is deliberately deferred: adding it to the hot path perturbs the - deterministic self-check seed space enough to surface the known Bug 3, which - would first require decoupling `self-check.php` from the unfixed core bugs. - A worthwhile, scoped future improvement. + The safe and wild random document generators now inject NUL into class + tokens occasionally and expose the decoded U+FFFD token to class-selector + generation. Raw class attribute values are intentionally kept out of the + generic `attrValues` pool so attribute-selector generation does not inherit + class-list-only decoding semantics. - **Attribute values are matched through a single shared read.** Both WP's attribute matcher and `ReferenceMatcher::attr_matches()` read the same `get_attribute()` output, so a value-decoding bug there would be shared and diff --git a/tools/css-selector-fuzz/lib/DocumentGenerator.php b/tools/css-selector-fuzz/lib/DocumentGenerator.php index 20e6e99607421..20da2825b6ed2 100644 --- a/tools/css-selector-fuzz/lib/DocumentGenerator.php +++ b/tools/css-selector-fuzz/lib/DocumentGenerator.php @@ -314,7 +314,7 @@ private function random_attrs(): array { } $this->pools['attrNames'][] = ascii_strtolower( $name ); - if ( is_string( $value ) ) { + if ( is_string( $value ) && 'class' !== $lower ) { $this->pools['attrValues'][] = $value; } @@ -328,9 +328,12 @@ private function random_class_value(): string { $count = $this->prng->int( 1, 4 ); $classes = array(); for ( $i = 0; $i < $count; $i++ ) { - $class = $this->random_word( true ); - $classes[] = $class; - $this->pools['classes'][] = $class; + $class = $this->random_word( true ); + $raw_class = $this->maybe_inject_class_nul( $class ); + $classes[] = $raw_class; + foreach ( self::class_tokens( $raw_class ) as $token ) { + $this->pools['classes'][] = $token; + } } $ws = array( ' ', ' ', ' ', "\t", "\n", "\f", ' ' ); @@ -347,6 +350,23 @@ private function random_class_value(): string { return $value; } + private function maybe_inject_class_nul( string $class ): string { + if ( '' === $class || ! $this->prng->chance( 12 ) ) { + return $class; + } + + $points = utf8_codepoints( $class ); + $at = $this->prng->int( 0, count( $points ) ); + $out = ''; + foreach ( $points as $i => $point ) { + if ( $i === $at ) { + $out .= "\0"; + } + $out .= $point[0]; + } + return $at === count( $points ) ? $out . "\0" : $out; + } + private function random_id_value(): string { $id = $this->random_word( true ); $this->pools['ids'][] = $id; @@ -581,4 +601,28 @@ public static function get_attribute_value( array $element, string $name ) { } return null; } + + /** + * Class tokens as seen by selector matching: ASCII whitespace separates + * tokens, and NUL inside a token is exposed as U+FFFD by class_list(). + * + * @return string[] + */ + public static function class_tokens( string $class_value ): array { + $tokens = array(); + $length = strlen( $class_value ); + $at = 0; + $ws = " \t\r\n\f"; + while ( $at < $length ) { + $at += strspn( $class_value, $ws, $at ); + if ( $at >= $length ) { + break; + } + + $token_length = strcspn( $class_value, $ws, $at ); + $tokens[] = str_replace( "\0", "\u{FFFD}", substr( $class_value, $at, $token_length ) ); + $at += $token_length; + } + return $tokens; + } } diff --git a/tools/css-selector-fuzz/lib/LexborOracle.php b/tools/css-selector-fuzz/lib/LexborOracle.php index 2dd74c9e92e54..afb508ddc1278 100644 --- a/tools/css-selector-fuzz/lib/LexborOracle.php +++ b/tools/css-selector-fuzz/lib/LexborOracle.php @@ -19,7 +19,8 @@ * ASCII case-insensitively even in no-quirks mode ( attribute selectors * like [id=x] are correctly case-sensitive ). Detected by probe at startup; * when present, lexbor is compared against the reference matcher run with - * quirks-style class/ID folding. + * quirks-style class/ID folding. Quirks documents are compared only when + * the probe also confirms class and #id selectors fold in quirks mode. */ class LexborOracle { @@ -33,6 +34,8 @@ class LexborOracle { private static $available = null; /** @var bool */ private static $issue368 = false; + /** @var bool */ + private static $quirks_class_id_reliable = false; public static function harness_path(): string { return dirname( __DIR__ ) . '/lexbor/harness'; @@ -49,15 +52,31 @@ public static function available(): bool { return false; } - // Probe: sanity plus issue-#368 detection. + // Probe: sanity plus class/#id case-sensitivity behavior. $sane = self::query( '
', 'div.a' ); if ( null === $sane || array( 'x' ) !== $sane['matches'] ) { self::stop(); return false; } - $folded = self::query( '
', '.A' ); - self::$issue368 = null !== $folded && array( 'x' ) === $folded['matches']; + $no_quirks_class = self::query( '
', '.A' ); + $no_quirks_id = self::query( '
', '#A' ); + $quirks_class = self::query( '
', '.A' ); + $quirks_id = self::query( '
', '#A' ); + foreach ( array( $no_quirks_class, $no_quirks_id, $quirks_class, $quirks_id ) as $probe ) { + if ( null === $probe || null !== $probe['error'] ) { + self::stop(); + return false; + } + } + + self::$issue368 = array( 'x' ) === $no_quirks_class['matches'] + || array( 'x' ) === $no_quirks_id['matches']; + self::$quirks_class_id_reliable = ! self::$issue368 + && array() === $no_quirks_class['matches'] + && array() === $no_quirks_id['matches'] + && array( 'x' ) === $quirks_class['matches'] + && array( 'x' ) === $quirks_id['matches']; self::$available = true; return true; } @@ -67,6 +86,11 @@ public static function has_issue_368(): bool { return self::$issue368; } + /** Whether lexbor can be trusted on quirks class/#id case folding. */ + public static function quirks_class_id_reliable(): bool { + return self::$quirks_class_id_reliable; + } + /** * Runs one case through lexbor. * diff --git a/tools/css-selector-fuzz/lib/ReferenceMatcher.php b/tools/css-selector-fuzz/lib/ReferenceMatcher.php index e86aa4e2e990b..ea422078e9893 100644 --- a/tools/css-selector-fuzz/lib/ReferenceMatcher.php +++ b/tools/css-selector-fuzz/lib/ReferenceMatcher.php @@ -223,25 +223,7 @@ private static function class_matches( string $wanted, array $row, bool $quirks return false; } - $length = strlen( $class_value ); - $at = 0; - while ( $at < $length ) { - $at += strspn( $class_value, self::WHITESPACE, $at ); - if ( $at >= $length ) { - break; - } - $word_length = strcspn( $class_value, self::WHITESPACE, $at ); - $word = substr( $class_value, $at, $word_length ); - $at += $word_length; - - /* - * WP_HTML_Tag_Processor::class_list() replaces NUL with U+FFFD in - * each class token before comparison; model that so a class value - * containing a raw NUL matches a `\0`-escaped ( U+FFFD ) selector - * the same way select() does. - */ - $word = str_replace( "\0", "\u{FFFD}", $word ); - + foreach ( DocumentGenerator::class_tokens( $class_value ) as $word ) { if ( $quirks ? ascii_strtolower( $word ) === ascii_strtolower( $wanted ) diff --git a/tools/css-selector-fuzz/lib/SelectorGenerator.php b/tools/css-selector-fuzz/lib/SelectorGenerator.php index fb93f8d66216d..668ad57bcace2 100644 --- a/tools/css-selector-fuzz/lib/SelectorGenerator.php +++ b/tools/css-selector-fuzz/lib/SelectorGenerator.php @@ -957,7 +957,7 @@ private function path_compound_for( array $element ): array { $class_value = DocumentGenerator::get_attribute_value( $element, 'class' ); if ( is_string( $class_value ) ) { - foreach ( preg_split( '/[ \t\n\f\r]+/', $class_value, -1, PREG_SPLIT_NO_EMPTY ) as $word ) { + foreach ( DocumentGenerator::class_tokens( $class_value ) as $word ) { $features[] = array( 'kind' => 'class', 'name' => $word ); } } @@ -974,6 +974,9 @@ private function path_compound_for( array $element ): array { continue; } $seen_attrs[ $lower ] = true; + if ( 'class' === $lower && is_string( $attr[1] ) && false !== strpos( $attr[1], "\0" ) ) { + continue; + } $features[] = $this->path_attr_feature( $lower, $attr[1], 'html' === ( $element['namespace'] ?? 'html' ) ); } diff --git a/tools/css-selector-fuzz/lib/WildDocumentGenerator.php b/tools/css-selector-fuzz/lib/WildDocumentGenerator.php index 78ae5a329f162..3cd7dada17cc6 100644 --- a/tools/css-selector-fuzz/lib/WildDocumentGenerator.php +++ b/tools/css-selector-fuzz/lib/WildDocumentGenerator.php @@ -299,9 +299,11 @@ private function random_attrs(): array { $words = array(); $n = $this->prng->int( 1, 3 ); for ( $j = 0; $j < $n; $j++ ) { - $word = $this->random_word(); - $words[] = $word; - $this->pools['classes'][] = $word; + $word = $this->maybe_inject_class_nul( $this->random_word() ); + $words[] = $word; + foreach ( DocumentGenerator::class_tokens( $word ) as $token ) { + $this->pools['classes'][] = $token; + } } $value = implode( ' ', $words ); } elseif ( 'id' === $lower ) { @@ -317,7 +319,7 @@ private function random_attrs(): array { } $this->pools['attrNames'][] = $lower; - if ( is_string( $value ) ) { + if ( is_string( $value ) && 'class' !== $lower ) { $this->pools['attrValues'][] = $value; } $attrs[] = array( $name, $value ); @@ -326,6 +328,23 @@ private function random_attrs(): array { return $attrs; } + private function maybe_inject_class_nul( string $class ): string { + if ( '' === $class || ! $this->prng->chance( 12 ) ) { + return $class; + } + + $points = utf8_codepoints( $class ); + $at = $this->prng->int( 0, count( $points ) ); + $out = ''; + foreach ( $points as $i => $point ) { + if ( $i === $at ) { + $out .= "\0"; + } + $out .= $point[0]; + } + return $at === count( $points ) ? $out . "\0" : $out; + } + private function render_attrs( array $attrs ): string { $out = ''; foreach ( $attrs as $attr ) { diff --git a/tools/css-selector-fuzz/lib/Worker.php b/tools/css-selector-fuzz/lib/Worker.php index 86ad865d50e37..f701d87974657 100644 --- a/tools/css-selector-fuzz/lib/Worker.php +++ b/tools/css-selector-fuzz/lib/Worker.php @@ -62,6 +62,8 @@ class Worker { * failures: array, * selector: string, * html: string, + * lexbor: string, + * matchStats: array, * } */ public static function run_case( int $seed ): array { @@ -78,6 +80,7 @@ public static function run_case( int $seed ): array { 'detail' => $detail, ); }; + $match_stats = array(); /* * The processor's own parse is the matching oracle's ground truth. @@ -301,6 +304,9 @@ static function () use ( $complex_list ) { } $html_matches = self::check_select_matches( 'html', $selector_string, $document, $expected, $record ); + if ( null !== $html_matches ) { + self::note_match_assertion( $match_stats, 'html', $expected, $html_matches ); + } // lexbor parses full documents only; fragments skip it. if ( ! ( $document['fragment'] ?? false ) ) { @@ -312,7 +318,10 @@ static function () use ( $complex_list ) { if ( null !== $compound_ast && null !== $tag_rows ) { $expected = ReferenceMatcher::expected_tag_matches_rows( $compound_ast, $tag_rows ); - self::check_select_matches( 'tag', $selector_string, $document, $expected, $record ); + $tag_matches = self::check_select_matches( 'tag', $selector_string, $document, $expected, $record ); + if ( null !== $tag_matches ) { + self::note_match_assertion( $match_stats, 'tag', $expected, $tag_matches ); + } } elseif ( null === $compound_list && null === $compound_error ) { self::check_select_rejection( 'tag', $selector_string, $document, $record ); } @@ -359,6 +368,7 @@ static function ( $failure ) { 'selector' => $selector_string, 'html' => $document['html'], 'lexbor' => $lexbor_state, + 'matchStats' => $match_stats, ); } @@ -768,14 +778,43 @@ private static function check_select_matches( string $target, string $selector_s return $actual; } + private static function note_match_assertion( array &$match_stats, string $target, array $expected, array $actual ): void { + if ( ! isset( $match_stats[ $target ] ) ) { + $match_stats[ $target ] = array( + 'assertions' => 0, + 'nonVacuous' => 0, + ); + } + + ++$match_stats[ $target ]['assertions']; + if ( array() !== $expected || array() !== $actual ) { + ++$match_stats[ $target ]['nonVacuous']; + } + } + + private static function finalize_match_stats( array $match_stats ): array { + foreach ( $match_stats as $bucket => $targets ) { + foreach ( $targets as $target => $counts ) { + $assertions = (int) ( $counts['assertions'] ?? 0 ); + $non_vacuous = (int) ( $counts['nonVacuous'] ?? 0 ); + $vacuous = max( 0, $assertions - $non_vacuous ); + + $match_stats[ $bucket ][ $target ]['vacuous'] = $vacuous; + $match_stats[ $bucket ][ $target ]['nonVacuousRate'] = $assertions > 0 ? round( $non_vacuous / $assertions, 4 ) : 0.0; + $match_stats[ $bucket ][ $target ]['vacuousRate'] = $assertions > 0 ? round( $vacuous / $assertions, 4 ) : 0.0; + } + } + return $match_stats; + } + /** * Runs the lexbor differential — the THIRD, independent matching opinion. * - * Quirks-mode documents are excluded ( lexbor #368 makes its quirks - * behavior untrustworthy and WP's quirks class/ID folding is owned by - * ReferenceMatcher ). The comparison only runs when lexbor built the - * same element tree as WP ( fid/tag/ancestry multiset ), so it tests - * the selector layer, not tree construction. + * Quirks-mode documents are excluded unless the startup probe confirms + * lexbor has reliable class/#id case folding in both no-quirks and quirks + * mode. The comparison only runs when lexbor built the same element tree + * as WP ( fid/tag/ancestry multiset ), so it tests the selector layer, + * not tree construction. * * Verdict triage: * - 'lexbor-divergence' lexbor != reference: a fuzzer-oracle problem @@ -793,7 +832,7 @@ private static function check_lexbor_differential( array $complex_ast, string $s if ( ! LexborOracle::available() ) { return 'unavailable'; } - if ( $quirks ) { + if ( $quirks && ! LexborOracle::quirks_class_id_reliable() ) { return 'skipped-quirks'; } @@ -1115,6 +1154,7 @@ public static function run_batch( array $options ): array { $buckets = array(); $signatures = array(); $lexbor = array(); + $match_stats = array(); $last_seed = null; $stop_reason = 'completed'; @@ -1145,6 +1185,16 @@ public static function run_batch( array $options ): array { $buckets[ $result['bucket'] ] = ( $buckets[ $result['bucket'] ] ?? 0 ) + 1; $lexbor[ $result['lexbor'] ] = ( $lexbor[ $result['lexbor'] ] ?? 0 ) + 1; $last_seed = $seed; + foreach ( $result['matchStats'] as $target => $stats ) { + if ( ! isset( $match_stats[ $result['bucket'] ][ $target ] ) ) { + $match_stats[ $result['bucket'] ][ $target ] = array( + 'assertions' => 0, + 'nonVacuous' => 0, + ); + } + $match_stats[ $result['bucket'] ][ $target ]['assertions'] += $stats['assertions']; + $match_stats[ $result['bucket'] ][ $target ]['nonVacuous'] += $stats['nonVacuous']; + } foreach ( $result['failures'] as $failure ) { ++$failures; @@ -1179,6 +1229,7 @@ public static function run_batch( array $options ): array { 'buckets' => $buckets, 'signatures' => $signatures, 'lexbor' => $lexbor, + 'matchStats' => self::finalize_match_stats( $match_stats ), 'stopReason' => $stop_reason, 'durationMs' => (int) round( 1000 * ( microtime( true ) - $started_at ) ), ); diff --git a/tools/css-selector-fuzz/runner.php b/tools/css-selector-fuzz/runner.php index fc3db262b282a..414eb167a660e 100644 --- a/tools/css-selector-fuzz/runner.php +++ b/tools/css-selector-fuzz/runner.php @@ -114,6 +114,48 @@ function css_selector_fuzz_worker_summary( string $stdout ): ?array { return null; } +/** Merges per-bucket/per-target match assertion counts. */ +function css_selector_fuzz_merge_match_stats( array &$target, array $source ): void { + foreach ( $source as $bucket => $targets ) { + foreach ( $targets as $match_target => $stats ) { + if ( ! isset( $target[ $bucket ][ $match_target ] ) ) { + $target[ $bucket ][ $match_target ] = array( + 'assertions' => 0, + 'nonVacuous' => 0, + ); + } + $target[ $bucket ][ $match_target ]['assertions'] += (int) ( $stats['assertions'] ?? 0 ); + $target[ $bucket ][ $match_target ]['nonVacuous'] += (int) ( $stats['nonVacuous'] ?? 0 ); + } + } +} + +/** Adds derived rates after all count aggregation is finished. */ +function css_selector_fuzz_finalize_match_stats( array $stats ): array { + foreach ( $stats as $bucket => $targets ) { + foreach ( $targets as $match_target => $counts ) { + $assertions = (int) ( $counts['assertions'] ?? 0 ); + $non_vacuous = (int) ( $counts['nonVacuous'] ?? 0 ); + $vacuous = max( 0, $assertions - $non_vacuous ); + + $stats[ $bucket ][ $match_target ]['vacuous'] = $vacuous; + $stats[ $bucket ][ $match_target ]['nonVacuousRate'] = $assertions > 0 ? round( $non_vacuous / $assertions, 4 ) : 0.0; + $stats[ $bucket ][ $match_target ]['vacuousRate'] = $assertions > 0 ? round( $vacuous / $assertions, 4 ) : 0.0; + } + } + return $stats; +} + +function css_selector_fuzz_write_state( string $state_path, array $state ): void { + $state['matchStats'] = css_selector_fuzz_finalize_match_stats( $state['matchStats'] ?? array() ); + write_json_file( $state_path, $state ); +} + +function css_selector_fuzz_state_for_output( array $state ): array { + $state['matchStats'] = css_selector_fuzz_finalize_match_stats( $state['matchStats'] ?? array() ); + return $state; +} + $options = parse_cli_options( $argv ); if ( option_bool( $options, 'help', false ) || option_bool( $options, 'h', false ) ) { echo "Usage: php tools/css-selector-fuzz/runner.php [--start-seed N] [--max-seeds N] [--duration-seconds N] [--chunk-size N] [--timeout-ms N] [--output-dir DIR] [--stop-on-failure]\n"; @@ -159,10 +201,11 @@ function css_selector_fuzz_worker_summary( string $stdout ): ?array { 'buckets' => array(), 'signatures' => array(), 'lexbor' => array(), + 'matchStats' => array(), 'nextSeed' => $start_seed, 'stopReason' => null, ); -write_json_file( $state_path, $state ); +css_selector_fuzz_write_state( $state_path, $state ); $deadline = $duration_seconds > 0 ? microtime( true ) + $duration_seconds : null; $seed = $start_seed; @@ -231,9 +274,16 @@ function css_selector_fuzz_worker_summary( string $stdout ): ?array { } else { ++$state['casesCompleted']; $state['failures'] += $single_summary['failures']; + foreach ( $single_summary['buckets'] as $bucket => $bucket_count ) { + $state['buckets'][ $bucket ] = ( $state['buckets'][ $bucket ] ?? 0 ) + $bucket_count; + } foreach ( $single_summary['signatures'] as $signature => $signature_count ) { $state['signatures'][ $signature ] = ( $state['signatures'][ $signature ] ?? 0 ) + $signature_count; } + foreach ( $single_summary['lexbor'] ?? array() as $lexbor_state => $lexbor_count ) { + $state['lexbor'][ $lexbor_state ] = ( $state['lexbor'][ $lexbor_state ] ?? 0 ) + $lexbor_count; + } + css_selector_fuzz_merge_match_stats( $state['matchStats'], $single_summary['matchStats'] ?? array() ); } } } else { @@ -248,12 +298,13 @@ function css_selector_fuzz_worker_summary( string $stdout ): ?array { foreach ( $summary['lexbor'] ?? array() as $lexbor_state => $lexbor_count ) { $state['lexbor'][ $lexbor_state ] = ( $state['lexbor'][ $lexbor_state ] ?? 0 ) + $lexbor_count; } + css_selector_fuzz_merge_match_stats( $state['matchStats'], $summary['matchStats'] ?? array() ); } $seed += $count; $state['nextSeed'] = $seed; $state['updatedAt'] = gmdate( 'c' ); - write_json_file( $state_path, $state ); + css_selector_fuzz_write_state( $state_path, $state ); if ( $stop_on_failure && $state['failures'] > 0 ) { $state['stopReason'] = 'stop-on-failure'; @@ -265,7 +316,7 @@ function css_selector_fuzz_worker_summary( string $stdout ): ?array { $state['stopReason'] = 'max-seeds'; } $state['updatedAt'] = gmdate( 'c' ); -write_json_file( $state_path, $state ); +css_selector_fuzz_write_state( $state_path, $state ); /* * The lexbor differential is the third oracle. If it ever ran ( 'compared' ) @@ -282,5 +333,5 @@ function css_selector_fuzz_worker_summary( string $stdout ): ?array { fwrite( STDERR, "NOTE: lexbor third oracle never ran (harness not built?); run `sh tools/css-selector-fuzz/lexbor/build.sh` for the differential.\n" ); } -echo json_encode_safe( $state ) . "\n"; +echo json_encode_safe( css_selector_fuzz_state_for_output( $state ) ) . "\n"; exit( 0 === $state['failures'] ? 0 : 2 ); diff --git a/tools/css-selector-fuzz/tests/self-check.php b/tools/css-selector-fuzz/tests/self-check.php index 8d9df7e378b70..9664367f1e300 100644 --- a/tools/css-selector-fuzz/tests/self-check.php +++ b/tools/css-selector-fuzz/tests/self-check.php @@ -14,6 +14,7 @@ use CssSelectorFuzz\DocumentGenerator; use CssSelectorFuzz\Prng; use CssSelectorFuzz\SelectorGenerator; +use CssSelectorFuzz\WildDocumentGenerator; use CssSelectorFuzz\Worker; use function CssSelectorFuzz\utf8_codepoints; @@ -28,6 +29,52 @@ function check( bool $condition, string $message ): void { fwrite( STDERR, "FAIL: {$message}\n" ); } +function known_core_parse_mismatch( string $selector, bool $expected, bool $actual ): ?string { + if ( $expected === $actual || ! $expected || $actual ) { + return null; + } + + if ( ! wp_is_valid_utf8( $selector ) ) { + return 'invalid-utf8-input-scrub'; + } + if ( str_ends_with( $selector, '\\' ) ) { + return 'backslash-at-eof-escape'; + } + if ( substr_count( $selector, '[' ) > substr_count( $selector, ']' ) ) { + return 'eof-auto-closes-attribute-selector'; + } + if ( preg_match( '/\\[[^\\]]*=\\s*[-_a-zA-Z0-9]\\]$/', $selector ) ) { + return 'single-char-unquoted-attribute-value-at-eof'; + } + if ( has_identity_escape_after_multibyte( $selector ) ) { + return 'identity-escape-after-multibyte'; + } + + return null; +} + +function has_identity_escape_after_multibyte( string $selector ): bool { + $seen_multibyte = false; + $length = strlen( $selector ); + for ( $i = 0; $i < $length; $i++ ) { + $byte = ord( $selector[ $i ] ); + if ( $byte > 0x7F ) { + $seen_multibyte = true; + continue; + } + if ( ! $seen_multibyte || '\\' !== $selector[ $i ] || $i + 1 >= $length ) { + continue; + } + + $next = $selector[ $i + 1 ]; + if ( "\n" === $next || "\r" === $next || "\f" === $next || ctype_xdigit( $next ) ) { + continue; + } + return true; + } + return false; +} + Bootstrap::load(); // --- Prng determinism and independence ------------------------------------- @@ -65,6 +112,7 @@ function check( bool $condition, string $message ): void { // --- Selector generator expectations over many seeds ----------------------- $by_bucket = array(); +$allowed_parse_mismatches = array(); for ( $seed = 1; $seed <= 400; $seed++ ) { $prng = new Prng( (string) $seed, 'self-check-selector' ); $document = DocumentGenerator::generate( $prng->fork( 'doc' ) ); @@ -76,20 +124,67 @@ function check( bool $condition, string $message ): void { $complex = WP_CSS_Complex_Selector_List::from_selectors( $selector['selector'] ); if ( null !== $selector['expectCompound'] ) { - check( - $selector['expectCompound'] === ( null !== $compound ), - "Seed {$seed} ({$selector['bucket']}): compound parse expectation for: " . \CssSelectorFuzz\printable_bytes( $selector['selector'] ) - ); + $expected = $selector['expectCompound']; + $actual = null !== $compound; + $known = known_core_parse_mismatch( $selector['selector'], $expected, $actual ); + if ( null !== $known ) { + $allowed_parse_mismatches[ "compound:{$known}" ] = ( $allowed_parse_mismatches[ "compound:{$known}" ] ?? 0 ) + 1; + } else { + check( + $expected === $actual, + "Seed {$seed} ({$selector['bucket']}): compound parse expectation for: " . \CssSelectorFuzz\printable_bytes( $selector['selector'] ) + ); + } } if ( null !== $selector['expectComplex'] ) { - check( - $selector['expectComplex'] === ( null !== $complex ), - "Seed {$seed} ({$selector['bucket']}): complex parse expectation for: " . \CssSelectorFuzz\printable_bytes( $selector['selector'] ) - ); + $expected = $selector['expectComplex']; + $actual = null !== $complex; + $known = known_core_parse_mismatch( $selector['selector'], $expected, $actual ); + if ( null !== $known ) { + $allowed_parse_mismatches[ "complex:{$known}" ] = ( $allowed_parse_mismatches[ "complex:{$known}" ] ?? 0 ) + 1; + } else { + check( + $expected === $actual, + "Seed {$seed} ({$selector['bucket']}): complex parse expectation for: " . \CssSelectorFuzz\printable_bytes( $selector['selector'] ) + ); + } } } check( count( $by_bucket ) >= 5, 'Bucket variety: saw ' . count( $by_bucket ) . ' buckets.' ); +if ( array() !== $allowed_parse_mismatches ) { + fwrite( STDERR, 'Allowed known core parse bug signatures: ' . \CssSelectorFuzz\json_encode_safe( $allowed_parse_mismatches ) . "\n" ); +} + +// --- Document generator: randomized class NUL injection -------------------- + +$safe_class_nul = 0; +for ( $seed = 1; $seed <= 200; $seed++ ) { + $document = DocumentGenerator::generate( new Prng( (string) $seed, 'self-check-class-nul-safe' ) ); + if ( false !== strpos( $document['html'], "\0" ) ) { + ++$safe_class_nul; + check( false === str_contains( implode( "\n", $document['pools']['attrValues'] ), "\0" ), "Safe document {$seed}: class NUL does not leak into attrValues pool." ); + check( \CssSelectorFuzz\ast_strings_are_utf8( $document['pools']['classes'] ), "Safe document {$seed}: class pool strings stay valid UTF-8." ); + check( in_array( true, array_map( static function ( string $class ): bool { + return false !== strpos( $class, "\u{FFFD}" ); + }, $document['pools']['classes'] ), true ), "Safe document {$seed}: class pool contains decoded U+FFFD token." ); + } +} +check( $safe_class_nul > 0, "Safe document generator emits randomized class NUL values ({$safe_class_nul} of 200)." ); + +$wild_class_nul = 0; +for ( $seed = 1; $seed <= 200; $seed++ ) { + $document = WildDocumentGenerator::generate( new Prng( (string) $seed, 'self-check-class-nul-wild' ) ); + if ( false !== strpos( $document['html'], "\0" ) ) { + ++$wild_class_nul; + check( false === str_contains( implode( "\n", $document['pools']['attrValues'] ), "\0" ), "Wild document {$seed}: class NUL does not leak into attrValues pool." ); + check( \CssSelectorFuzz\ast_strings_are_utf8( $document['pools']['classes'] ), "Wild document {$seed}: class pool strings stay valid UTF-8." ); + check( in_array( true, array_map( static function ( string $class ): bool { + return false !== strpos( $class, "\u{FFFD}" ); + }, $document['pools']['classes'] ), true ), "Wild document {$seed}: class pool contains decoded U+FFFD token." ); + } +} +check( $wild_class_nul > 0, "Wild document generator emits randomized class NUL values ({$wild_class_nul} of 200)." ); // --- Invalid-UTF-8 bucket: post-scrub AST expectations by construction ------ // from_selectors() replaces each maximal subpart of an ill-formed UTF-8 @@ -224,10 +319,10 @@ function select_fids( string $html, string $selector ): array { // --- Class-value decode boundary (ReferenceMatcher vs WP class_list) -------- // WP's class_list() folds NUL -> U+FFFD and treats FF as a separator; the // reference matcher reimplements tokenization independently. Pin both engines -// against each other on these boundary inputs ( exercised deterministically -// here since the random document generator does not emit control bytes in -// class values — see README #10 ). Each case also checks the reference matcher -// agrees with select() over a TreeCapture of the same markup. +// against each other on these boundary inputs; randomized generator sampling +// above verifies that the same NUL boundary is present in the hot path. Each +// case also checks the reference matcher agrees with select() over a +// TreeCapture of the same markup. function ref_fids( string $html, string $selector ): array { $capture = \CssSelectorFuzz\TreeCapture::capture( $html ); From 202905aec712af214c224988b5cca6154f61a42d Mon Sep 17 00:00:00 2001 From: Jon Surrell Date: Fri, 12 Jun 2026 21:18:51 +0200 Subject: [PATCH 187/187] CSS selector fuzz: Update moved selector-fix references --- tools/css-selector-fuzz/FINDINGS.md | 10 +++++----- tools/css-selector-fuzz/NEXT-STEPS.md | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tools/css-selector-fuzz/FINDINGS.md b/tools/css-selector-fuzz/FINDINGS.md index e58b256962364..16ed2d734e79e 100644 --- a/tools/css-selector-fuzz/FINDINGS.md +++ b/tools/css-selector-fuzz/FINDINGS.md @@ -1,12 +1,12 @@ # CSS Selector Fuzzer — Findings -Run: branch `html-css-fuzz` @ `46334f170b`, PHP 8.4.21. 5000 deterministic +Run: branch `html-css-fuzz` @ `5da3afedd0`, PHP 8.4.21. 5000 deterministic seeds, 0 crashes/timeouts. Three distinct, reproduced WordPress-core correctness bugs in the new HTML-API CSS selector support. Every selector below is valid, supported CSS that the API mis-handles **without** reporting lack of support. **Status: all three bugs are fixed on this branch** (commit prefix -`CSS selector:` — Bug 1 `7419a9fef6`, Bug 2 `0cefeb2fc8`, Bug 3 `16d03e2c5f`), +`CSS selector:` — Bug 1 `aed6cfb4aa`, Bug 2 `989e18da8a`, Bug 3 `0a87b20178`), each with PHPUnit regression tests that fail pre-fix. A post-fix 5000-seed run is clean (0 failures, 0 crashes). The repros below no longer trigger; they remain as regression anchors and Trac-ready minimal test cases. @@ -61,7 +61,7 @@ non-hex identity-escape branch is wrong. Depending on what wrong codepoint is produced this also causes spurious parse failures (a valid selector returns `null`). -**Fix (landed in `7419a9fef6`):** read the next codepoint from the byte +**Fix (landed in `aed6cfb4aa`):** read the next codepoint from the byte offset: `mb_substr( substr( $input, $offset ), 0, 1, 'UTF-8' )`. --- @@ -88,7 +88,7 @@ Reproduction against ``: | `[x$=""]` | `I` | none | | `[x~=""]` | none ✅ | none | -**Fix (landed in `0cefeb2fc8`):** in `matches()`, return `false` for `^= $= *=` +**Fix (landed in `989e18da8a`):** in `matches()`, return `false` for `^= $= *=` when `'' === $this->value`, before the `substr_compare`/`strpos` calls. `~=` needs no guard — a whitespace-delimited list never yields an empty item — and a test pins that. (No `substr_compare` length edge exists here: `-strlen('')` @@ -123,7 +123,7 @@ character of the selector string. | `[a^=b]` | parsed ✅ (2-char operator) | | `[a=b].c` | parsed ✅ (trailing content) | -**Fix (landed in `16d03e2c5f`):** change `>=` to `>` (need +**Fix (landed in `0a87b20178`):** change `>=` to `>` (need `strlen - $updated_offset >= 3`). --- diff --git a/tools/css-selector-fuzz/NEXT-STEPS.md b/tools/css-selector-fuzz/NEXT-STEPS.md index 8746f5493c529..322d666ad1fe4 100644 --- a/tools/css-selector-fuzz/NEXT-STEPS.md +++ b/tools/css-selector-fuzz/NEXT-STEPS.md @@ -11,7 +11,7 @@ > which still reproduce. The notes below are retained as the design rationale. > > **Core fixes landed:** the three FINDINGS.md bugs are fixed on this branch -> (`CSS selector:` commits `7419a9fef6` / `0cefeb2fc8` / `16d03e2c5f`), each +> (`CSS selector:` commits `aed6cfb4aa` / `989e18da8a` / `0a87b20178`), each > with PHPUnit regression tests. A post-fix 5000-seed run is clean. > > **Fuzzer-side follow-up hardening implemented (2026-06-12):**