Html decoder fuzzer

src/wp-includes/html-api/class-wp-html-decoder.php

@@ -60,17 +60,23 @@ public static function attribute_starts_with( $haystack, $search_text, $case_sen
 				continue;
 			}
 
-			// If there is a character reference, then the decoded value must exactly match what follows in the search string.
-			if ( 0 !== substr_compare( $search_text, $next_chunk, $search_at, strlen( $next_chunk ), $loose_case ) ) {
+			/*
+			 * If there is a character reference, then the decoded value must
+			 * match what follows in the search string. The search string may
+			 * end within a multi-code-point replacement, such as `<⃒`
+			 * decoding to `<⃒`, and still be a prefix match.
+			 */
+			$match_length = min( strlen( $next_chunk ), $search_length - $search_at );
+			if ( 0 !== substr_compare( $search_text, $next_chunk, $search_at, $match_length, $loose_case ) ) {
 				return false;
 			}
 
 			// The character reference matched, so continue checking.
 			$haystack_at += $token_length;
-			$search_at   += strlen( $next_chunk );
+			$search_at   += $match_length;
 		}
 
-		return true;
+		return $search_at === $search_length;
 	}
 
 	/**
@@ -361,7 +367,7 @@ public static function read_character_reference( $context, $text, $at = 0, &$mat
 
 		$name_length = 0;
 		$replacement = $html5_named_character_references->read_token( $text, $name_at, $name_length );
-		if ( false === $replacement ) {
+		if ( null === $replacement ) {
 			return null;
 		}
 
@@ -378,12 +384,14 @@ public static function read_character_reference( $context, $text, $at = 0, &$mat
 		 * character reference table but the match doesn't end in `;`.
 		 * It may be allowed if it's followed by something unambiguous.
 		 */
+		$follower_byte       = $after_name < $length ? ord( $text[ $after_name ] ) : null;
 		$ambiguous_follower = (
-			$after_name < $length &&
-			$name_at < $length &&
+			null !== $follower_byte &&
 			(
-				ctype_alnum( $text[ $after_name ] ) ||
-				'=' === $text[ $after_name ]
+				( $follower_byte >= 0x30 && $follower_byte <= 0x39 ) ||
+				( $follower_byte >= 0x41 && $follower_byte <= 0x5A ) ||
+				( $follower_byte >= 0x61 && $follower_byte <= 0x7A ) ||
+				0x3D === $follower_byte
 			)
 		);
 

tests/phpunit/tests/html-api/wpHtmlDecoder.php

@@ -61,6 +61,126 @@
 		$this->assertSame( "&\x00b", $decoded, 'Should have decoded the text without changing it.' );
 	}
 
+	/**
+	 * Ensures semicolonless legacy references decode before non-ASCII UTF-8 bytes in attributes.
+	 */
+	public function test_semicolonless_legacy_reference_before_multibyte_attribute_follower() {
+		$raw_attribute = "&Aacute\xC2\x80";
+
+		$this->assertSame(
+			"\xC3\x81\xC2\x80",
+			WP_HTML_Decoder::decode_attribute( $raw_attribute ),
+			'Should have decoded the semicolonless legacy reference before a multibyte follower.'
+		);
+
+		$match_byte_length = null;
+		$this->assertSame(
+			"\xC3\x81",
+			WP_HTML_Decoder::read_character_reference( 'attribute', $raw_attribute, 0, $match_byte_length ),
+			'Should have matched the semicolonless legacy reference before a multibyte follower.'
+		);
+		$this->assertSame( strlen( '&Aacute' ), $match_byte_length );
+	}
+
+	/**
+	 * Ensures semicolonless legacy references remain ambiguous before ASCII alnum or equals.
+	 *
+	 * @dataProvider data_ambiguous_ascii_attribute_followers
+	 *
+	 * @param string $raw_attribute Raw attribute value with an ambiguous legacy reference follower.
+	 */
+	public function test_semicolonless_legacy_reference_before_ascii_attribute_follower_is_ambiguous( $raw_attribute ) {
+		$this->assertSame(
+			$raw_attribute,
+			WP_HTML_Decoder::decode_attribute( $raw_attribute ),
+			'Should not have decoded an ambiguous semicolonless legacy reference.'
+		);
+
+		$match_byte_length = 'sentinel';
+		$this->assertNull(
+			WP_HTML_Decoder::read_character_reference( 'attribute', $raw_attribute, 0, $match_byte_length ),
+			'Should not have matched an ambiguous semicolonless legacy reference.'
+		);
+		$this->assertSame( 'sentinel', $match_byte_length );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[].
+	 */
+	public static function data_ambiguous_ascii_attribute_followers() {
+		return array(
+			'ASCII digit' => array( '&Aacute0' ),
+			'ASCII uppercase alpha' => array( '&AacuteA' ),
+			'ASCII lowercase alpha' => array( '&Aacutea' ),
+			'equals' => array( '&Aacute=' ),
+		);
+	}
+
+	/**
+	 * Ensures unmatched named character references leave the by-ref match length unchanged.
+	 *
+	 * @dataProvider data_unmatched_named_character_references
+	 *
+	 * @param string $context       Decoder context.
+	 * @param string $raw_text_node Raw text containing an unmatched named character reference.
+	 */
+	public function test_unmatched_named_character_reference_does_not_set_match_byte_length( $context, $raw_text_node ) {
+		$match_byte_length = 'sentinel';
+		$this->assertNull(
+			WP_HTML_Decoder::read_character_reference( $context, $raw_text_node, 0, $match_byte_length ),
+			'Should not have matched an unmatched named character reference.'
+		);
+		$this->assertSame( 'sentinel', $match_byte_length );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[].
+	 */
+	public static function data_unmatched_named_character_references() {
+		return array(
+			'text invalid name'                 => array( 'data', '&bogus;' ),
+			'text invalid short-name candidate' => array( 'data', '&Fv=q' ),
+			'attribute invalid name'            => array( 'attribute', '&bogus;' ),
+			'attribute invalid short-name candidate' => array( 'attribute', '&Fv=q' ),
+		);
+	}
+
+	/**
+	 * Ensures non-ampersand offsets never match character references.
+	 *
+	 * @dataProvider data_non_ampersand_character_reference_offsets
+	 *
+	 * @param string $context       Decoder context.
+	 * @param string $raw_text_node Raw text containing a character reference away from offset.
+	 * @param int    $offset        Offset that does not point at an ampersand.
+	 */
+	public function test_non_ampersand_offset_does_not_set_match_byte_length( $context, $raw_text_node, $offset ) {
+		$match_byte_length = 'sentinel';
+		$this->assertNull(
+			WP_HTML_Decoder::read_character_reference( $context, $raw_text_node, $offset, $match_byte_length ),
+			'Should not have matched a character reference away from an ampersand.'
+		);
+		$this->assertSame( 'sentinel', $match_byte_length );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[].
+	 */
+	public static function data_non_ampersand_character_reference_offsets() {
+		return array(
+			'text before reference'       => array( 'data', 'a&b', 0 ),
+			'text inside reference name'  => array( 'data', 'a&b', 2 ),
+			'attribute before reference'  => array( 'attribute', 'a&b', 0 ),
+			'attribute inside reference name' => array( 'attribute', 'a&b', 2 ),
+		);
+	}
+
 	/**
 	 * Ensures proper detection of attribute prefixes ignoring ASCII case.
 	 *
@@ -161,6 +281,11 @@
 			array( 'http://wordpress.org', 'Http', 'ascii-case-insensitive', true ),
 			array( 'http://wordpress.org', 'https', 'case-sensitive', false ),
 			array( 'http://wordpress.org', 'https', 'ascii-case-insensitive', false ),
+			array( '', 'http', 'case-sensitive', false ),
+			array( 'jav', 'javascript:', 'case-sensitive', false ),
+			array( 'jav', 'javascript:', 'ascii-case-insensitive', false ),
+			array( '&nvlt;script', '<', 'case-sensitive', true ),
+			array( '&nvgt;script', '>', 'case-sensitive', true ),
 		);
 	}
 }