PHP 1.2.1 lib: bugs for ParseHTML.php in Yadis and detect.php in OpenID's examples

[Jonathan Daugherty]

# I don't think these four tests are sensible. The original parser
# falls far short of actually ensuring validity (e.g. allows the
# omission of opening <html> and doesn't check Content-Type header).

On the contrary, the point of those four tests (and others) is to
prevent the parser from letting me post a comment to someone's blog
with a META tag in it.  We don't want or need to enforce validity, but
we do need to be able to behave sanely in the presence of a
seriously-malformed document.  If the blog author's code generates a
document that looks like the four aforementioned cases and I post that
comment, the URL suddenly has one or more Yadis location
instructions.  Indeed, we'd love to get more test cases in there that
prevent the same kind of exploit.

-- 
  Jonathan Daugherty
  JanRain, Inc.
  irc.freenode.net: cygnus in #openid
  cygnus.myopenid.com