Normalize NUL bytes to U+FFFD at parse entry (#248)

A raw NUL (U+0000) must never reach rendered output. Replace it with the
U+FFFD replacement character at the parse entry (WHATWG-style, decided
cross-impl behavior), so a control byte cannot survive into HTML.

SafeMode now also strips U+FFFD from a URL scheme, so a `java\x00script:`
evasion - which arrives as `java\u{FFFD}script:` after normalization - is
still detected and blocked (empty href).

Ported from carve-php commit ff40264.

Author: dereuromark

src/Parser/BlockParser.php

@@ -496,6 +496,14 @@ public function parse(string $input): Document
         $this->headingReferenceLabels = [];
         $this->lineOffset = 0;
         $document = new Document();
+
+        // Replace any NUL (U+0000) with the U+FFFD replacement character so a
+        // control byte never reaches output (decided cross-impl behavior;
+        // WHATWG-style). A raw NUL must never reach rendered output.
+        if (str_contains($input, "\0")) {
+            $input = str_replace("\0", "\u{FFFD}", $input);
+        }
+
         $lines = $this->splitLines($input);
 
         // First pass: extract reference definitions, footnotes, abbreviations, and heading references
@@ -561,7 +569,7 @@ protected function extractReferences(array $lines): void
             //   `"Title"` makes the line not a reference definition (matches djot.js)
             if (preg_match('/^\[([^\]]+)\]:(?:[ \t]+(\S*))?[ \t]*$/', $line, $matches)) {
                 // Normalize label: collapse whitespace, trim
-                $label = preg_replace('/\s+/', ' ', trim($matches[1]));
+                $label = preg_replace('/\s+/', ' ', trim($matches[1])) ?? '';
                 $url = trim($matches[2] ?? '');
 
                 // Collect continuation lines (URL can start on continuation line)

src/SafeMode.php

@@ -228,8 +228,11 @@ public function isUrlSafe(string $url): bool
             $scheme = substr($url, 0, $colonPos);
 
             // Normalize scheme: strip ASCII whitespace and control characters (0x00-0x20)
-            // This prevents bypass attempts like "java\tscript:", "java\x0bscript:", etc.
-            $scheme = preg_replace('/[\x00-\x20]+/', '', $scheme) ?? $scheme;
+            // plus the U+FFFD replacement character (a NUL becomes U+FFFD at the
+            // parse entry, so a `java\x00script:` evasion arrives as
+            // `java\u{FFFD}script:`). This prevents bypass attempts like
+            // "java\tscript:", "java\x0bscript:", "java\x00script:", etc.
+            $scheme = preg_replace('/[\x00-\x20]+|\x{FFFD}+/u', '', $scheme) ?? $scheme;
             $scheme = strtolower($scheme);
 
             // Check against dangerous schemes

tests/TestCase/Parser/BlockParserTest.php

@@ -703,4 +703,31 @@ public function testRawBlockTrimsLeadingAndTrailingBlankLines(): void
         $this->assertCount(1, $children);
         $this->assertSame('<b>bold</b>', $children[0]->getContent());
     }
+
+    public function testNulByteIsReplacedWithReplacementCharacter(): void
+    {
+        // A raw NUL (U+0000) must never reach rendered output: it is normalized
+        // to the U+FFFD replacement character at the parse entry (WHATWG-style,
+        // decided cross-impl behavior).
+        $converter = new DjotConverter();
+        $html = $converter->convert("a\0b");
+
+        $this->assertStringNotContainsString("\0", $html, 'A raw NUL byte must not reach output');
+        $this->assertStringContainsString("\u{FFFD}", $html, 'NUL must be normalized to U+FFFD');
+        $this->assertStringContainsString("a\u{FFFD}b", $html);
+    }
+
+    public function testNulByteInLinkSchemeDoesNotProduceExecutableHref(): void
+    {
+        // A `java\x00script:` evasion arrives as `java\u{FFFD}script:` after NUL
+        // normalization. SafeMode also strips U+FFFD from a scheme, so the
+        // evasion is still detected and blocked (empty href), and no raw NUL or
+        // executable javascript: scheme may reach output.
+        $converter = new DjotConverter(safeMode: true);
+        $html = $converter->convert("[x](java\0script:alert(1))");
+
+        $this->assertStringNotContainsString("\0", $html, 'A raw NUL byte must not reach output');
+        $this->assertStringNotContainsString('javascript:', $html, 'No executable javascript: scheme');
+        $this->assertStringContainsString('href=""', $html, 'NUL-evasion javascript: scheme is blocked');
+    }
 }