HTML API: Replace null-bytes in class_list class names

dmsnell · dmsnell · commit b37cbf952ffa · 2024-09-02T22:26:22.000Z
As part of an audit of HTML API CSS behaviors, this patch resolves an issue with how the HTML API reports class names containing the NULL byte. NULL bytes should be replaced by the Unicode replacement character, U+FFFD, but previously weren't. This patch performs that replacement. Developed in #7187 Discussed in https://core.trac.wordpress.org/ticket/61531 Follow-up to [56703]. Props dmsnell, jonsurrell. See #61531. git-svn-id: https://develop.svn.wordpress.org/trunk@58969 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/html-api/class-wp-html-tag-processor.php b/src/wp-includes/html-api/class-wp-html-tag-processor.php
@@ -1160,7 +1160,7 @@ public function class_list() {
 			 *
 			 * @see https://www.w3.org/TR/CSS2/syndata.html#x1
 			 */
-			$name = strtolower( substr( $class, $at, $length ) );
+			$name = str_replace( "\x00", "\u{FFFD}", strtolower( substr( $class, $at, $length ) ) );
 			$at  += $length;
 
 			/*
diff --git a/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php b/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php
@@ -2236,6 +2236,35 @@ public function test_class_list_visits_unique_class_names_only_once() {
 		$this->assertSame( array( 'one' ), $found_classes, 'Visited multiple copies of the same class name when it should have skipped the duplicates.' );
 	}
 
+	/**
+	 * Ensures that null bytes are replaced with the replacement character (U+FFFD) in class_list.
+	 *
+	 * @ticket 61531
+	 *
+	 * @covers WP_HTML_Tag_Processor::class_list
+	 */
+	public function test_class_list_null_bytes_replaced() {
+		$processor = new WP_HTML_Tag_Processor( "<div class='a \0 b\0 \0c\0'>" );
+		$processor->next_tag();
+
+		$found_classes = iterator_to_array( $processor->class_list() );
+
+		$this->assertSame( array( 'a', "\u{FFFD}", "b\u{FFFD}", "\u{FFFD}c\u{FFFD}" ), $found_classes );
+	}
+
+	/**
+	 * Ensures that the tag processor matches class names with null bytes correctly.
+	 *
+	 * @ticket 61531
+	 *
+	 * @covers WP_HTML_Tag_Processor::has_class
+	 */
+	public function test_has_class_null_byte_class_name() {
+		$processor = new WP_HTML_Tag_Processor( "<div class='null-byte-\0-there'>" );
+		$processor->next_tag();
+		$this->assertTrue( $processor->has_class( 'null-byte-�-there' ) );
+	}
+
 	/**
 	 * @ticket 59209
 	 *

Original file line number	Diff line number	Diff line change
`@@ -1160,7 +1160,7 @@ public function class_list() {`
`1160`	`1160`	`*`
`1161`	`1161`	`* @see https://www.w3.org/TR/CSS2/syndata.html#x1`
`1162`	`1162`	`*/`
`1163`		`- $name = strtolower( substr( $class, $at, $length ) );`
	`1163`	`+ $name = str_replace( "\x00", "\u{FFFD}", strtolower( substr( $class, $at, $length ) ) );`
`1164`	`1164`	`$at += $length;`
`1165`	`1165`
`1166`	`1166`	`/*`