In the decode_range() slow path, both the normal segments appended via substr($this->css, ...) earlier in the loop and the decode_escape_at() return value here are not passed through wp_scrub_utf8(). This makes output inconsistent with the fast path (which scrubs) and can leak invalid UTF-8 if the range contains escapes/CR/FF/NUL plus invalid bytes. Consider scrubbing the appended segments (including the decoded escape output) and adding a regression test that combines an invalid byte with a backslash escape.
Originally posted by @Copilot in #227 (comment)
In the
decode_range()slow path, both the normal segments appended viasubstr($this->css, ...)earlier in the loop and thedecode_escape_at()return value here are not passed throughwp_scrub_utf8(). This makes output inconsistent with the fast path (which scrubs) and can leak invalid UTF-8 if the range contains escapes/CR/FF/NUL plus invalid bytes. Consider scrubbing the appended segments (including the decoded escape output) and adding a regression test that combines an invalid byte with a backslash escape.Originally posted by @Copilot in #227 (comment)