From 236fe8c7fa7910709c10b9d470133cceddd2620e Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Tue, 14 Oct 2025 11:07:35 +0100
Subject: [PATCH] [Fix] Correct HTML attribute value offset calculation
Fix two issues in HTML parser attribute value span calculation:
1. Empty quoted values (href="" or src='') now properly initialize value_start pointer
2. Unquoted attribute values no longer incorrectly lowercase the first character
---
 src/libserver/html/html.cxx | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/libserver/html/html.cxx b/src/libserver/html/html.cxx
index 8a1439fb43..1e982236d1 100644
--- a/src/libserver/html/html.cxx
+++ b/src/libserver/html/html.cxx
@@ -1113,7 +1113,7 @@ html_parse_tag_content(rspamd_mempool_t *pool,
 if (parser_env.value_start == nullptr) {
 parser_env.value_start = in;
 }
- store_value_character(true);
+ store_value_character(false);
 state = parse_value;
 }
 break;
@@ -1133,13 +1133,17 @@ html_parse_tag_content(rspamd_mempool_t *pool,
 if (parser_env.value_start == nullptr) {
 parser_env.value_start = in;
 }
- store_value_character(true);
+ store_value_character(false);
 state = parse_value;
 }
 break;
 case parse_start_dquote:
 if (*in == '"') {
+ // Empty quoted value - set value_start to point to the closing quote
+ if (parser_env.value_start == nullptr) {
+ parser_env.value_start = in;
+ }
 store_component_value();
 state = spaces_after_param;
 }
@@ -1155,6 +1159,10 @@ html_parse_tag_content(rspamd_mempool_t *pool,
 case parse_start_squote:
 if (*in == '\'') {
+ // Empty quoted value - set value_start to point to the closing quote
+ if (parser_env.value_start == nullptr) {
+ parser_env.value_start = in;
+ }
 store_component_value();
 state = spaces_after_param;
 }
--
2.47.3
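Review bot: The bare `false` passed to store_value_character() in the hunk at 1113 (and again at the top of the hunk at 1133) does not say what it switches off; going by the commit message it is the lowercasing of the stored character, but the helper's definition is outside both hunks. A short comment at each call, `store_value_character(false); // keep the value's original case, URLs are case-sensitive`, would stop a later edit from flipping it back. The patch touches only html.cxx, so nothing pins the fix; a regression case for an unquoted value with an upper-case first character (constructed sample: `href=Http://Example.test/Path`) would be worth adding. html_parse_tag_content starts and ends outside the hunk.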
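Review bot: The new guard in `parse_start_dquote` (hunk at 1133, repeated for `parse_start_squote` in the hunk at 1159) assigns `value_start` only while it is still `nullptr`, so it is correct only if the pointer is reset after every attribute; that reset is not visible here and should be confirmed, because a stale pointer left from a previous attribute could leave the recorded span running across attributes. The comment should also state the resulting contract, for example `// empty value: zero-length span at the closing quote, consumers must not read through it`. The same guard now appears four times across these hunks, so a small helper (say `mark_value_start(in)`) would keep the states from drifting apart. The enclosing switch and function begin and end outside the hunks.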