Update sanitization of <progress> attrs to mimic browsers' impl

xemlock · xemlock · commit 46071f373ec5 · 2018-08-14T10:41:04.000+02:00
diff --git a/library/HTMLPurifier/AttrTransform/Progress.php b/library/HTMLPurifier/AttrTransform/Progress.php
@@ -3,6 +3,9 @@
 /**
  * Post-transform performing validations for <progress> elements ensuring
  * that if value is present, it is within a valid range (0..1) or (0..max)
+ *
+ * Implementation is based on sanitization performed by browsers (compared
+ * against Chrome 68 and Firefox 61).
  */
 class HTMLPurifier_AttrTransform_Progress extends HTMLPurifier_AttrTransform
 {
@@ -14,12 +17,19 @@ class HTMLPurifier_AttrTransform_Progress extends HTMLPurifier_AttrTransform
      */
     public function transform($attr, $config, $context)
     {
+        $max = isset($attr['max']) ? (float) $attr['max'] : 1;
+
+        if ($max <= 0) {
+            $this->confiscateAttr($attr, 'max');
+        }
+
         if (isset($attr['value'])) {
-            $max = isset($attr['max']) ? (float) $attr['max'] : 1;
             $value = (float) $attr['value'];
 
-            if ($value < 0 || $value > $max) {
+            if ($value < 0) {
                 $this->confiscateAttr($attr, 'value');
+            } elseif ($value > $max) {
+                $attr['value'] = isset($attr['max']) ? $attr['max'] : 1;
             }
         }
 
diff --git a/tests/HTMLPurifier/AttrTransform/ProgressTest.php b/tests/HTMLPurifier/AttrTransform/ProgressTest.php
@@ -24,20 +24,55 @@ public function setUp()
         $this->progress = new HTMLPurifier_AttrTransform_Progress();
     }
 
-    protected function assertTransform($expected, array $input)
+    public function transformInput()
     {
-        $this->assertEquals($expected, $this->progress->transform($input, $this->config, $this->context));
+        return array(
+            array(
+                array(),
+                array(),
+            ),
+            array(
+                array('value' => 0),
+                array('value' => 0),
+            ),
+            array(
+                array('value' => 1),
+                array('value' => 1),
+            ),
+            array(
+                array('value' => 10),
+                array('value' => 1),
+            ),
+            array(
+                array('value' => '.1'),
+                array('value' => '.1'),
+            ),
+            array(
+                array('value' => -1),
+                array(),
+            ),
+            array(
+                array('value' => 10, 'max' => 10),
+                array('value' => 10, 'max' => 10),
+            ),
+            array(
+                array('value' => 100, 'max' => 10),
+                array('value' => 10, 'max' => 10),
+            ),
+            array(
+                array('max' => 0),
+                array(),
+            ),
+        );
     }
 
-    public function testTransform()
+    /**
+     * @param array $input
+     * @param array $expected
+     * @dataProvider transformInput
+     */
+    public function testTransform($input, $expected)
     {
-        $this->assertTransform(array(), array());
-        $this->assertTransform(array('value' => 0), array('value' => 0));
-        $this->assertTransform(array('value' => 1), array('value' => 1));
-        $this->assertTransform(array(), array('value' => 10));
-        $this->assertTransform(array(), array('value' => -1));
-
-        $this->assertTransform(array('value' => 10, 'max' => 10), array('value' => 10, 'max' => 10));
-        $this->assertTransform(array('max' => 10), array('value' => 100, 'max' => 10));
+        $this->assertEquals($expected, $this->progress->transform($input, $this->config, $this->context));
     }
 }
diff --git a/tests/HTMLPurifier/HTML5DefinitionTest.php b/tests/HTMLPurifier/HTML5DefinitionTest.php
@@ -330,6 +330,18 @@ public function progressInput()
                 // The value of the 'value' attribute must be less than or
                 // equal to one when the max attribute is absent.
                 '<progress value="10"></progress>',
+                '<progress value="1"></progress>',
+            ),
+            array(
+                '<progress value="-1"></progress>',
+                '<progress></progress>',
+            ),
+            array(
+                '<progress value=".5" max=".25"></progress>',
+                '<progress value=".25" max=".25"></progress>',
+            ),
+            array(
+                '<progress max="0"></progress>',
                 '<progress></progress>',
             ),
             array(
