[SECURITY] Correctly handle comment end bang state (#86)

Upgrade to https://github.com/Masterminds/html5-php/releases/tag/2.7.6 Security-References: CVE-2022-36020
TYPO3 · Sep 13, 2022 · 60bfdc7 · 60bfdc7
1 parent aac22d2
commit 60bfdc7
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/composer.json b/composer.json
@@ -16,7 +16,7 @@
 	},
 	"require": {
 		"ext-dom": "*",
-		"masterminds/html5": "^2.7",
+		"masterminds/html5": "^2.7.6",
 		"php": "^7.2 || ^8.0",
 		"psr/log": "^1.0 || ^2.0 || ^3.0"
 	},

diff --git a/tests/ScenarioTest.php b/tests/ScenarioTest.php
@@ -21,6 +21,28 @@
 
 class ScenarioTest extends TestCase
 {
+    public static function allTagsAreRemovedOnMissingDeclarationDataProvider(): array
+    {
+        return [
+            ['<div class="content">value</div><span class="content">value</span>', ''],
+            ['<!--any--><div class="content">value</div>', '<!--any-->'],
+            ['<!--any--!><div class="content">value</div>', '<!--any-->'],
+        ];
+    }
+
+    /**
+     * @test
+     * @dataProvider allTagsAreRemovedOnMissingDeclarationDataProvider
+     */
+    public function allTagsAreRemovedOnMissingDeclaration(string $payload, string $expectation): void
+    {
+        $behavior = new Behavior();
+        $sanitizer = new Sanitizer(
+            new CommonVisitor($behavior)
+        );
+        self::assertSame($expectation, $sanitizer->sanitize($payload));
+    }
+
     public static function tagFlagsAreProcessedDataProvider(): array
     {
         return [