#9 bug to match attribute value with a '>' inside

[Anonymous]

below html code with comments describing bug:

----------------------------------------------
<html>
<head>
<title>
a title
</title>
</head>
<body>

<!-- bug in matching next attribute value
actually match:
'a string with <another string'
instead of:
'a string with <another string>'

first occurence of '>' is considered as ending tagelement
and rest 'etc" >' is considered as text
-->
<tagelement attribute="a string with <another string>
etc" >
</body>
</html>

[Nobody/Anonymous]

Logged In: NO

SIMPLE FIX: Replace readValueInTag() and skipToInTag() with
the following code:

function readValueInTag() {
// Corrected for Attributes including a
tag's closing brace
$ch = $this->iCurrentChar;
$value = "";
if ($ch == "\"") {
$this->skipMaxInTag ("\"", 1);
$value = $this->skipToInTag ("\"",true);
$this->skipMaxInTag ("\"", 1);
}
else if ($ch == "'") {
$this->skipMaxInTag ("'", 1);
$value = $this->skipToInTag ("'",true);
$this->skipMaxInTag ("'", 1);
}
else {
$value = $this->skipToBlanksInTag();
}
return $value;
}

function skipToInTag ($chars,$ignore_endtag=false) {
$sb = "";
while (($ch = $this->iCurrentChar) !== -1) {
$match = ($ch == ">" AND !$ignore_endtag); //
closing tag brace may be ignored (if part of attribute
value)
if (!$match) {
for ($idx = 0; $idx < count($chars);
$idx++) {
if ($ch == $chars[$idx]) {
$match = true;
break;
}
}
}
if ($match) {
return $sb;
}
$sb .= $ch;
$this->moveNext();
}
return $sb;
}

[Anonymous]

Logged In: YES
user_id=1148016
Originator: NO

Doesn't matter, this is not a bug.

HTML CANNOT have tags inside tags and you are just doing something stupid in the above code, it is ILLEGAL HTML. You are meant to use the HTML representations of those tags which is &lt; (for less than <) and &gt; (for greater than >). This applies every time you want these INSIDE any attribute/tag and don't want them to be interpreted as HTML-tags by the browser.