Skip to content

gh-135661: Fix abrupt closing of empty comment in HTMLParser#153007

Merged
serhiy-storchaka merged 1 commit into
python:mainfrom
serhiy-storchaka:gh-135661-abrupt-comment
Jul 4, 2026
Merged

gh-135661: Fix abrupt closing of empty comment in HTMLParser#153007
serhiy-storchaka merged 1 commit into
python:mainfrom
serhiy-storchaka:gh-135661-abrupt-comment

Conversation

@serhiy-storchaka

Copy link
Copy Markdown
Member

An abruptly closed empty comment (<!--> or <!--->) no longer extends up to a later --> in the same feed() call.

commentabruptclose is now matched before searching for the normal -->/--!> close, so the empty comment does not swallow the following markup.
This only showed up when the whole construct arrived in a single feed() call, so test_htmlparser now also feeds each string source as a single chunk, in addition to one character at a time.

An abruptly closed empty comment ("<!-->" or "<!--->") no longer extends
up to a later "-->" in the same feed() call.

test_htmlparser now also feeds each string source as a single chunk, in
addition to one character at a time, to exercise different input buffering.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@serhiy-storchaka serhiy-storchaka added needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes needs backport to 3.15 pre-release feature fixes, bugs and security fixes type-security A security issue labels Jul 4, 2026
@serhiy-storchaka serhiy-storchaka removed needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Jul 4, 2026
@serhiy-storchaka serhiy-storchaka merged commit ed370d3 into python:main Jul 4, 2026
76 checks passed
@miss-islington-app

Copy link
Copy Markdown

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14, 3.15.
🐍🍒⛏🤖

@serhiy-storchaka serhiy-storchaka deleted the gh-135661-abrupt-comment branch July 4, 2026 12:05
@bedevere-app

bedevere-app Bot commented Jul 4, 2026

Copy link
Copy Markdown

GH-153024 is a backport of this pull request to the 3.15 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.15 pre-release feature fixes, bugs and security fixes label Jul 4, 2026
@bedevere-app

bedevere-app Bot commented Jul 4, 2026

Copy link
Copy Markdown

GH-153025 is a backport of this pull request to the 3.14 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.14 bugs and security fixes label Jul 4, 2026
@bedevere-app

bedevere-app Bot commented Jul 4, 2026

Copy link
Copy Markdown

GH-153026 is a backport of this pull request to the 3.13 branch.

@bedevere-app bedevere-app Bot removed the needs backport to 3.13 bugs and security fixes label Jul 4, 2026
serhiy-storchaka added a commit that referenced this pull request Jul 4, 2026
…H-153007) (GH-153026)

An abruptly closed empty comment ("<!-->" or "<!--->") no longer extends
up to a later "-->" in the same feed() call.

test_htmlparser now also feeds each string source as a single chunk, in
addition to one character at a time, to exercise different input buffering.
(cherry picked from commit ed370d3)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
serhiy-storchaka added a commit that referenced this pull request Jul 4, 2026
…H-153007) (GH-153025)

An abruptly closed empty comment ("<!-->" or "<!--->") no longer extends
up to a later "-->" in the same feed() call.

test_htmlparser now also feeds each string source as a single chunk, in
addition to one character at a time, to exercise different input buffering.
(cherry picked from commit ed370d3)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
serhiy-storchaka added a commit that referenced this pull request Jul 4, 2026
…H-153007) (GH-153024)

An abruptly closed empty comment ("<!-->" or "<!--->") no longer extends
up to a later "-->" in the same feed() call.

test_htmlparser now also feeds each string source as a single chunk, in
addition to one character at a time, to exercise different input buffering.
(cherry picked from commit ed370d3)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type-security A security issue

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant