Commit 72c4591
authored
Normalize NUL bytes to U+FFFD at parse entry (#248)
A raw NUL (U+0000) must never reach rendered output. Replace it with the
U+FFFD replacement character at the parse entry (WHATWG-style, decided
cross-impl behavior), so a control byte cannot survive into HTML.
SafeMode now also strips U+FFFD from a URL scheme, so a `java\x00script:`
evasion - which arrives as `java\u{FFFD}script:` after normalization - is
still detected and blocked (empty href).
Ported from carve-php commit ff40264.1 parent 306e362 commit 72c4591
3 files changed
Lines changed: 41 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
496 | 496 | | |
497 | 497 | | |
498 | 498 | | |
| 499 | + | |
| 500 | + | |
| 501 | + | |
| 502 | + | |
| 503 | + | |
| 504 | + | |
| 505 | + | |
| 506 | + | |
499 | 507 | | |
500 | 508 | | |
501 | 509 | | |
| |||
561 | 569 | | |
562 | 570 | | |
563 | 571 | | |
564 | | - | |
| 572 | + | |
565 | 573 | | |
566 | 574 | | |
567 | 575 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
228 | 228 | | |
229 | 229 | | |
230 | 230 | | |
231 | | - | |
232 | | - | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
| 234 | + | |
| 235 | + | |
233 | 236 | | |
234 | 237 | | |
235 | 238 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
703 | 703 | | |
704 | 704 | | |
705 | 705 | | |
| 706 | + | |
| 707 | + | |
| 708 | + | |
| 709 | + | |
| 710 | + | |
| 711 | + | |
| 712 | + | |
| 713 | + | |
| 714 | + | |
| 715 | + | |
| 716 | + | |
| 717 | + | |
| 718 | + | |
| 719 | + | |
| 720 | + | |
| 721 | + | |
| 722 | + | |
| 723 | + | |
| 724 | + | |
| 725 | + | |
| 726 | + | |
| 727 | + | |
| 728 | + | |
| 729 | + | |
| 730 | + | |
| 731 | + | |
| 732 | + | |
706 | 733 | | |
0 commit comments