"Malformed" Word 2000 sequence may cause Tidy to skip document content

[ralfjunker]

The following "malformed" Word 2000 sequence causes Tidy to skip document content (notice the extra characters):

<![endif]extra>

Reason is that when Tidy sees <![ not followed by CDATA[, it expects a Word 2000 sequence like this:

<![endif]>

In particular, Tidy expects the above sequence to terminate in ]> or ]-->, which neither HTML specification nor modern browser does.

As a result, Tidy skips content because as it looks for ]>, possible until the end of the document.

Without testing, code in lexer.c suggest that similar "malformed" ASP, JSTE, and PHP sequences might likewise throw Tidy off track.

AFAIK, none of the four sequences have ever been covered by any of the HTML specs. I strongly recommend options to disable parsing them. Suggestions:

• TidyParseWord2000
• TidyParseASP
• TidyParseJSTE
• TidyParsePHP

[geoffmcl]

@ralfjunker, thanks for the report...

Dealing with Word 2000 was a very specific set of clutter to remove, and I think could easily be encouraged to skip any chars between <![endif] and >, if desired...

If possible, please give a minimal sample html, tidy version, config, etc...

Not sure why you include other Tidy parser's, like ASP, JSTE, PHP, ... advise more...

But more specific information would also be helpful, like where, how, was this Word 2000 html document generated... thanks...

[ralfjunker]

Here is a minimal HTML document example:

<!-- Silence warnings. Doctype and title do not matter to the problem.  -->
<!DOCTYPE html>
<title>Word 2000 Problem</title>

<![endif] EXTRA >

<p>Content</p>

I run Tidy 5.2.0 on Windows without options, but GIT trunk behaves the same:

tidy.exe file.htm

This is the output I receive:

Info: Document content looks like HTML5
No warnings or errors were found.

<!-- Silence warnings. Doctype and title do not matter to the problem.  -->
<!DOCTYPE html>
<html>
<head>
<meta name="generator" content="HTML Tidy for HTML5 for Windows version 5.2.0">
<title>Word 2000 Problem</title>
</head>
<body>
</body>
</html>

Notice that the <p>Content</p> block is completely removed in spite of explicitly reporting no warnings nor errors. Size or state of the content block do not matter, Tidy removes it regardless.

The actual problem is in lexer.c here:

tidy-html5/src/lexer.c

Lines 3196 to 3236 in fd0ccb2

	if (c != ']')
	continue;
	/* now look for '>' */
	c = TY_(ReadChar)(doc->docIn);
	lexdump = 1;
	if (c != '>')
	{
	/* Issue #153 - can also be ]'-->' */
	if (c == '-')
	{
	c = TY_(ReadChar)(doc->docIn);
	if (c == '-')
	{
	c = TY_(ReadChar)(doc->docIn);
	if (c != '>')
	{
	TY_(UngetChar)(c, doc->docIn);
	TY_(UngetChar)('-', doc->docIn);
	TY_(UngetChar)('-', doc->docIn);
	continue;
	}
	/* this failed!
	TY_(AddCharToLexer)(lexer, '-'); TY_(AddCharToLexer)(lexer, '-'); lexdump = 0;
	got output <![endif]--]> - needs furhter fix in pprint section output
	*/
	}
	else
	{
	TY_(UngetChar)(c, doc->docIn);
	TY_(UngetChar)('-', doc->docIn);
	continue;
	}
	}
	else
	{
	TY_(UngetChar)(c, doc->docIn);
	continue;
	}
	}

I was able to work around the problem by introducing the previously mentioned new TidyParseWord2000 option. If disabled, it causes the lexer to interpret Word 2000 sequences as processing instructions instead. Note that the TidyXmlPIs option still differentiates between ?> and > as terminator. Here are my changes to lexer.c:

@@ -3195,6 +3195,11 @@
                     }
                 }

+                if (!cfgBool(doc, TidyParseWord2000)) {
+                    lexer->lexsize--;
+                    TY_(AddCharToLexer)(lexer, '<');
+                    TY_(AddCharToLexer)(lexer, '!');
+                    TY_(AddCharToLexer)(lexer, '[');
+                    TY_(AddCharToLexer)(lexer, c);
+                    lexer->state = LEX_CONTENT;
+                    continue;
+                }
+
                 if (c != ']')
                     continue;

Changes to include/tidyenum.h and src/config.c are obvious so excluded here for brevity.

PS: The problem was presented to me by a customer as part of a larger document. I have no idea how it was generated. However, the document origin should not matter as such documents do (or will, eventually) exist in the wild so we should be prepared to handle them well.

[geoffmcl]

@ralfjunker just noted that this topic has more or less been raised again in #487...

As suggested there one or the other should be closed while we seek a suitable solution for this extra data between the closing ]> endif.

And note maybe there can also be extra data in the opening <!xxx[...

Seek ideas, comments, patches or PR... thanks...

[geoffmcl]

As we are about to release 5.4, moving this out to next 5.5... and as stated, maybe we should close one of these two issues which refer to the same problem..

[geoffmcl]

Although no further comments in a long time, appears still open, although also seems duplicate of #487, so moving out the milestone again...

[geoffmcl]

@ralfjunker took another look at this... and have another idea...

Now do not think there is any need for a Feature to be added...

I was stuck by the comment, in the code, after receiving <! from the stream, suggesting there may be more to do here, and the if tree that follows - code omitted, some code relined for clarity -

    /*
       look out for comments, doctype or marked sections
       this isn't quite right, but its getting there ...
    */
    if (c == '!') {
        c = TY_(ReadChar)(doc->docIn);
        if (c == '-') {
            // deal with a `<!-` comment
            lexer->state = LEX_COMMENT;  /* comment */
        } else if (c == 'd' || c == 'D') {
            /* todo: check for complete "<!DOCTYPE" not just <!D */
            lexer->state = LEX_DOCTYPE; /* doctype */
        } else if (c == '[') {
            /* Word 2000 embeds <![if ...]> ... <![endif]> sequences */
            lexer->state = LEX_SECTION;
        }
        /* else swallow characters up to and including next '>' */
        while ((c = TY_(ReadChar)(doc->docIn)) != '>') {
            // or eof
        }
        lexer->state = LEX_CONTENT;
    }

Now the issue here is a malformed word 2000 embeded LEX_SECTION, like <![endif] EXTRA >, which gets locked in searching for another ] character, until EOF, if need be... as happens with the given example code...

In the process can pass over multiple > chars, and <, and in fact, everything that is NOT a ]!

So on re-reading the this isn't quite right comment, decided maybe this is a BUG, and looked a fix...

Came up with a patch for the lexer.c -

diff --git a/src/lexer.c b/src/lexer.c
index ef70e13..61c28eb 100644
--- a/src/lexer.c
+++ b/src/lexer.c
@@ -3340,7 +3340,11 @@ static Node* GetTokenFromStream( TidyDocImpl* doc, GetTokenMode mode )
                     }
                 }
 
-                if (c != ']')
+                if (c == '>')
+                {
+                    /* Is. #462 - reached '>' before ']' */
+                    TY_(UngetChar)(c, doc->docIn);
+                } else if (c != ']')
                     continue;
 
                 /* now look for '>' */

Simply, if we reach a >, let that close this section, store the section, and back to lexer->state = LEX_CONTENT, and continue to complete the document...

With that patch, now the output changes, and, as can be seen, the trailing content of the example is not lost...

<!-- Silence warnings. Doctype and title do not matter to the problem.  -->
<!DOCTYPE html>
<html>
<head>
<meta name="generator" content=
"HTML Tidy for HTML5 for Windows version 5.7.35.I896">
<title>Word 2000 Problem</title>
<![endif] EXTRA ]>
</head>
<body>
<p>Content</p>
</body>
</html>

Please ignore the tidy version number. I piggy backed this patch onto the issue-896 branch...

So, I am removing the Feature Request label, replacing it with Bug, which I now think it is...

After some more testing, will try to get around to setting up a PR for this, to get it in to next... unless someone beats me to it...

Meantime, look forward to further feedback, comments, patches, PR, testing, regressions, etc, etc... thanks...