Files
httrack/fuzz/corpus/htsparse/script-inscript.html
Xavier Roche 08481464bd Fuzz the real HTML parser (htsparse) with a mocked engine (#586)
Adds fuzz-htsparse, a libFuzzer harness driving the real htsparse() over a
mocked engine: the tag/attribute/JS-inscript scanner, the link rewriter, and
the accept -> url_savename -> hts_record_link path that runs on every crawled
page, previously reached only by slow full-crawl tests. The parser's coupling
is state, not network, so the harness builds the minimal crawl state
httpmirror() sets up (opt, cache, hash, filters, robots, backing, a seeded
link heap with ptr=1) and walks a NUL-terminated page through the parser, then
discards it. Four seeds cover links, srcset, base/meta/usemap, a
document.write body, and malformed tags. Clean under ASan+UBSan+LeakSanitizer.

Bundles the src/coucal bump to ab59c6a (coucal#13): this harness is the first
fuzzer to hash keys through coucal under UBSan, which tripped a pre-existing
getblock32 pointer-overflow.

Merged past a transient arm64 apt-mirror outage; every code-exercising check
(fuzz, sanitize, msan, distcheck, all non-arm64 builds) passed.

Signed-off-by: Xavier Roche <roche@httrack.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-15 19:18:59 +02:00

14 lines
459 B
HTML

<html><body>
<script type="text/javascript">
var a = "http://x/1.html", b = 'q\'uote', c = "/*not*/comment";
// line "with" quotes and http://y/2.html
/* block 'with' <a href="notparsed"> */
var re = /a\/b\//g;
document.write('<img src="w1.png">');
document.writeln("<a href='w2.html'>k</a>");
element.onclick = "location='onh.html'";
</script>
<a href="after.html" onmouseover="go('ev.html')">x</a>
<div style="background:url(bg.png)">z</div>
</body></html>