From 91fd55c857f7d219b1c10d11dee8b783b04e923e Mon Sep 17 00:00:00 2001 From: "Edward Z. Yang" Date: Sat, 26 Mar 2016 22:41:54 -0700 Subject: [PATCH] Fix #45, errors when ul/ol allowed without li. Signed-off-by: Edward Z. Yang --- NEWS | 2 ++ library/HTMLPurifier/ChildDef/List.php | 6 ++++++ tests/HTMLPurifier/HTMLT.php | 3 +++ tests/HTMLPurifier/HTMLT/li-disabled.htmlt | 7 +++++++ tests/HTMLPurifier/Strategy/FixNestingTest.php | 7 +++++++ 5 files changed, 25 insertions(+) create mode 100644 tests/HTMLPurifier/HTMLT/li-disabled.htmlt diff --git a/NEWS b/NEWS index 9444d034..fd2282ce 100644 --- a/NEWS +++ b/NEWS @@ -20,6 +20,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier allowed. - Minor bounds error fix to squash a PHP 7 notice. - Support non-/tmp temporary directories for data:// validation +- Give a better error message when a user attempts to allow + ul/ol without allowing li. 4.7.0, released 2015-08-04 # opacity is now considered a "tricky" CSS property rather than a diff --git a/library/HTMLPurifier/ChildDef/List.php b/library/HTMLPurifier/ChildDef/List.php index 891b9f6f..5a53a4b4 100644 --- a/library/HTMLPurifier/ChildDef/List.php +++ b/library/HTMLPurifier/ChildDef/List.php @@ -38,6 +38,12 @@ class HTMLPurifier_ChildDef_List extends HTMLPurifier_ChildDef return false; } + // if li is not allowed, delete parent node + if (!isset($config->getHTMLDefinition()->info['li'])) { + trigger_error("Cannot allow ul/ol without allowing li", E_USER_WARNING); + return false; + } + // the new set of children $result = array(); diff --git a/tests/HTMLPurifier/HTMLT.php b/tests/HTMLPurifier/HTMLT.php index 49f8253b..9e389f4b 100644 --- a/tests/HTMLPurifier/HTMLT.php +++ b/tests/HTMLPurifier/HTMLT.php 
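Review bot: In library/HTMLPurifier/ChildDef/List.php the new guard calls `trigger_error(..., E_USER_WARNING)` each time this validation path runs, so with `li` missing from the definition the number of warnings appears to be set by how many ul/ol elements the submitted HTML contains, not by the single configuration mistake. Returning false fails closed, which is the right outcome for a sanitizer, but a document with many lists can then flood the error log, and an application whose error handler promotes warnings to exceptions would abort purification on any input that contains a list. Consider reporting the misconfiguration once per definition, or when the definition is set up, and widening the comment to `// li is not in the HTML definition: warn about the misconfiguration and return false so the ul/ol itself is removed`. The enclosing method starts and ends outside the hunk, so how often it runs per document is inferred from the class name rather than visible here.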
@@ -27,6 +27,9 @@ class HTMLPurifier_HTMLT extends HTMLPurifier_Harness $this->config->loadIni($ini_file); } $expect = isset($hash['EXPECT']) ? $hash['EXPECT'] : $hash['HTML']; + if (isset($hash['ERROR'])) { + $this->expectError($hash['ERROR']); + } $this->assertPurification(rtrim($hash['HTML']), rtrim($expect)); if (isset($hash['INI'])) unlink($ini_file); } diff --git a/tests/HTMLPurifier/HTMLT/li-disabled.htmlt b/tests/HTMLPurifier/HTMLT/li-disabled.htmlt new file mode 100644 index 00000000..41fd703c --- /dev/null +++ b/tests/HTMLPurifier/HTMLT/li-disabled.htmlt @@ -0,0 +1,7 @@ +ERROR: Cannot allow ul/ol without allowing li +--INI-- +HTML.AllowedElements = ul +--HTML-- + +--EXPECT-- +--# vim: et sw=4 sts=4 diff --git a/tests/HTMLPurifier/Strategy/FixNestingTest.php b/tests/HTMLPurifier/Strategy/FixNestingTest.php index ace642d0..9e390745 100644 --- a/tests/HTMLPurifier/Strategy/FixNestingTest.php +++ b/tests/HTMLPurifier/Strategy/FixNestingTest.php @@ -151,6 +151,13 @@ class HTMLPurifier_Strategy_FixNestingTest extends HTMLPurifier_StrategyHarness $this->assertResult('
'); } + public function testDoubleKill() + { + $this->config->set('HTML.Allowed', 'ul'); + $this->expectError('Cannot allow ul/ol without allowing li'); + $this->assertResult('', ''); + } + } // vim: et sw=4 sts=4 -- 2.11.4.GIT
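Review bot: `testDoubleKill` in tests/HTMLPurifier/Strategy/FixNestingTest.php only sets `HTML.Allowed` to `ul`, while the warning text names ul/ol and the guard sits in what appears to be the shared list child definition, so the `ol` case of the new check is untested. Add a sibling test with `$this->config->set('HTML.Allowed', 'ol');` and the same `expectError` call, and give both tests names that state the behaviour, such as `testListRemovedWhenLiNotAllowed`. A one-line comment saying that the expected output is empty because the whole list is dropped, not passed through with its children, would make the fail-closed intent explicit; as rendered on this page both `assertResult` arguments are empty, so the original markup cannot be checked here.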