From 74f123a84cc011b085c489bc09d0551eb867ea30 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang" <ezyang@cs.stanford.edu>
Date: Tue, 7 Mar 2017 17:52:41 -0800
Subject: [PATCH] Fix #83.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
---
 NEWS                                               |   3 +++
 configdoc/usage.xml                                |  22 ++++++++++++++++-----
 library/HTMLPurifier/ConfigSchema/schema.ser       | Bin 15800 -> 15923 bytes
 .../schema/Core.AggressivelyRemoveScript.txt       |  16 +++++++++++++++
 library/HTMLPurifier/Lexer.php                     |   6 ++++++
 5 files changed, 42 insertions(+), 5 deletions(-)
 rewrite library/HTMLPurifier/ConfigSchema/schema.ser (90%)
 create mode 100644 library/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt

diff --git a/NEWS b/NEWS
index beef6b20..de383ae1 100644
--- a/NEWS
+++ b/NEWS
@@ -36,6 +36,9 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
   decoding entities that are missing trailing semicolon.
   To get old behavior, set %Core.LegacyEntityDecoder to true.
   (#119)
+- Workaround libxml bug when HTML tags are embedded inside
+  script tags.  To disable workaround set %Core.AggressivelyRemoveScript
+  to false. (#83)
 # By default, when a link has a target attribute associated
   with it, we now also add rel="noopener" in order to
   prevent the new window from being able to overwrite
diff --git a/configdoc/usage.xml b/configdoc/usage.xml
index 49bddaa5..de395b8d 100644
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@@ -6,7 +6,7 @@
   </file>
   <file name="HTMLPurifier/Lexer.php">
    <line>85</line>
-   <line>322</line>
+   <line>326</line>
   </file>
   <file name="HTMLPurifier/Lexer/DirectLex.php">
    <line>67</line>
@@ -124,7 +124,7 @@
    <line>122</line>
   </file>
   <file name="HTMLPurifier/Lexer.php">
-   <line>304</line>
+   <line>308</line>
   </file>
  </directive>
  <directive id="Output.Newline">
@@ -172,7 +172,8 @@
    <line>234</line>
   </file>
   <file name="HTMLPurifier/Lexer.php">
-   <line>309</line>
+   <line>313</line>
+   <line>351</line>
   </file>
   <file name="HTMLPurifier/HTMLModule/Image.php">
    <line>37</line>
@@ -260,14 +261,25 @@
    <line>62</line>
   </file>
  </directive>
+ <directive id="Core.LegacyEntityDecoder">
+  <file name="HTMLPurifier/Lexer.php">
+   <line>215</line>
+   <line>337</line>
+  </file>
+ </directive>
  <directive id="Core.ConvertDocumentToFragment">
   <file name="HTMLPurifier/Lexer.php">
-   <line>320</line>
+   <line>324</line>
   </file>
  </directive>
  <directive id="Core.RemoveProcessingInstructions">
   <file name="HTMLPurifier/Lexer.php">
-   <line>343</line>
+   <line>347</line>
+  </file>
+ </directive>
+ <directive id="Core.AggressivelyRemoveScript">
+  <file name="HTMLPurifier/Lexer.php">
+   <line>351</line>
   </file>
  </directive>
  <directive id="URI.">
diff --git a/library/HTMLPurifier/ConfigSchema/schema.ser b/library/HTMLPurifier/ConfigSchema/schema.ser
dissimilarity index 90%
index df8c5c466d9298cbb8fc0bce8676452324736ef4..371e948f1c76d99bacea65b4735454656858edbf 100644
GIT binary patch
delta 156
zcwXC4y}4$BIiu<3iNb7b@|IRg&iO^DdXDMoMXANbnPsUtl|iYw`DLlW$wiq3n|mci
scqe-Zdl0YQm6y?C@<d_T%^%e6vZ)eKU!r84X=OgyicNL%JKa<K0L{KPtpET3

delta 50
ycwXCFv!i-~IitzuUBYZ^n_o(D@lGxj_CWBhc^S<o?-G{X?4*8|ZL^2oYkmOF9TBSl

diff --git a/library/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt b/library/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt
new file mode 100644
index 00000000..b2b6ab14
--- /dev/null
+++ b/library/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt
@@ -0,0 +1,16 @@
+Core.AggressivelyRemoveScript
+TYPE: bool
+VERSION: 4.9.0
+DEFAULT: true
+--DESCRIPTION--
+<p>
+    This directive enables aggressive pre-filter removal of
+    script tags.  This is not necessary for security,
+    but it can help work around a bug in libxml where embedded
+    HTML elements inside script sections cause the parser to
+    choke.  To revert to pre-4.9.0 behavior, set this to false.
+    This directive has no effect if %Core.Trusted is true,
+    %Core.RemoveScriptContents is false, or %Core.HiddenElements
+    does not contain script.
+</p>
+--# vim: et sw=4 sts=4
diff --git a/library/HTMLPurifier/Lexer.php b/library/HTMLPurifier/Lexer.php
index 37174eae..0fc048f6 100644
--- a/library/HTMLPurifier/Lexer.php
+++ b/library/HTMLPurifier/Lexer.php
@@ -348,6 +348,12 @@ class HTMLPurifier_Lexer
             $html = preg_replace('#<\?.+?\?>#s', '', $html);
         }
 
+        if ($config->get('Core.AggressivelyRemoveScript') &&
+            !($config->get('HTML.Trusted') || !$config->get('Core.RemoveScriptContents')
+            || empty($config->get('Core.HiddenElements')["script"]))) {
+            $html = preg_replace('#<script[^>]*>.*?</script>#i', '', $html);
+        }
+
         return $html;
     }
 
-- 
2.11.4.GIT