Fix escaping for custom tag attribute values (ezsystems#1289)

ezpublishlegacy · Jul 25, 2017 · 57bf1d5 · 57bf1d5
1 parent 1441e20
commit 57bf1d5
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 8 deletions.
diff --git a/extension/ezoe/ezxmltext/handlers/input/ezoeinputparser.php b/extension/ezoe/ezxmltext/handlers/input/ezoeinputparser.php
@@ -262,7 +262,7 @@ function setAttributes( $element, $attributes )
                     if ( isset( $this->Namespaces[$prefix] ) )
                     {
                         $URI = $this->Namespaces[$prefix];
-                        $element->setAttributeNS( $URI, $qualifiedName, $value );
+                        $element->setAttributeNS( $URI, $qualifiedName, htmlspecialchars_decode( $value ) );
                     }
                     else
                     {
@@ -271,7 +271,7 @@ function setAttributes( $element, $attributes )
                 }
                 else
                 {
-                    $element->setAttribute( $qualifiedName, $value );
+                    $element->setAttribute( $qualifiedName, htmlspecialchars_decode( $value ) );
                 }
             }
         }

diff --git a/extension/ezoe/ezxmltext/handlers/input/ezoexmlinput.php b/extension/ezoe/ezxmltext/handlers/input/ezoexmlinput.php
@@ -1744,12 +1744,12 @@ public static function getCustomAttrPart( $tag, &$styleString )
                 if ( $customAttributePart === '' )
                 {
                     $customAttributePart = ' customattributes="';
-                    $customAttributePart .= $attribute->name . '|' . $attribute->value;
+                    $customAttributePart .= $attribute->name . '|' . htmlspecialchars( $attribute->value );
                 }
                 else
                 {
                    $customAttributePart .= 'attribute_separation' . $attribute->name . '|' .
-                                           $attribute->value;
+                       htmlspecialchars( $attribute->value );
                 }
                 if ( isset( self::$customAttributeStyleMap[$attribute->name] ) )
                 {

diff --git a/extension/ezoe/tests/ezoexmltext_regression.php b/extension/ezoe/tests/ezoexmltext_regression.php
@@ -34,16 +34,37 @@ public function providerParsingGreaterThanAttribute()
             array(
                 '<div type="custom" class="ezoeItemCustomTag factbox" customattributes="title|<a href=&quot;#test&quot;>Test</a>attribute_separationalign|right"><p>This is a fact</p></div>',
                 '<?xml version="1.0" encoding="utf-8"?>
-<section xmlns:image="http://ez.no/namespaces/ezpublish3/image/" xmlns:xhtml="http://ez.no/namespaces/ezpublish3/xhtml/" xmlns:custom="http://ez.no/namespaces/ezpublish3/custom/"><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&amp;quot;#test&amp;quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph></section>',
+<section xmlns:image="http://ez.no/namespaces/ezpublish3/image/" xmlns:xhtml="http://ez.no/namespaces/ezpublish3/xhtml/" xmlns:custom="http://ez.no/namespaces/ezpublish3/custom/"><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&quot;#test&quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph></section>',
             ),
             array(
                 '<div type="custom" class="ezoeItemCustomTag factbox" customattributes="title|<a href=&quot;#test&quot;>Test</a>attribute_separationalign|right"><p>This is a fact</p></div><p>Text between</p><div type="custom" class="ezoeItemCustomTag factbox" customattributes="title|<a href=&quot;#test&quot;>Test</a>attribute_separationalign|right"><p>This is a fact</p></div>',
                 '<?xml version="1.0" encoding="utf-8"?>
-<section xmlns:image="http://ez.no/namespaces/ezpublish3/image/" xmlns:xhtml="http://ez.no/namespaces/ezpublish3/xhtml/" xmlns:custom="http://ez.no/namespaces/ezpublish3/custom/"><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&amp;quot;#test&amp;quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph><paragraph>Text between</paragraph><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&amp;quot;#test&amp;quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph></section>',
+<section xmlns:image="http://ez.no/namespaces/ezpublish3/image/" xmlns:xhtml="http://ez.no/namespaces/ezpublish3/xhtml/" xmlns:custom="http://ez.no/namespaces/ezpublish3/custom/"><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&quot;#test&quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph><paragraph>Text between</paragraph><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&quot;#test&quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph></section>',
             ),
         );
     }
 
+    /**
+     * Test for proper escaping for custom tag attribute values
+     */
+    public function testEscapeAttributeValue()
+    {
+        $xmlData = '<?xml version="1.0" encoding="utf-8"?>';
+        $xmlData .= '<section xmlns:image="http://ez.no/namespaces/ezpublish3/image/" xmlns:xhtml="http://ez.no/namespaces/ezpublish3/xhtml/" xmlns:custom="http://ez.no/namespaces/ezpublish3/custom/">';
+        $xmlData .= "<paragraph>";
+        $xmlData .= '<custom name="factbox" custom:title="&quot;fipsfuchs&quot;" custom:align="&amp;quot;fipsfuchs&amp;quot;"></custom>';
+        $xmlData .= "</paragraph>";
+        $xmlData .= "</section>";
+
+        $folder = new ezpObject( 'folder', 2 );
+        $folder->name = 'Escape Attribute Value';
+        $folder->short_description = '';
+
+        $oeHandler = new eZOEXMLInput( $xmlData, false,  $folder->short_description );
+        $xhtml = $oeHandler->attribute( 'input_xml' );
+        self::assertEquals( '&lt;div class=&quot;ezoeItemCustomTag factbox&quot; type=&quot;custom&quot; customattributes=&quot;title|&amp;quot;fipsfuchs&amp;quot;attribute_separationalign|&amp;amp;quot;fipsfuchs&amp;amp;quot;&quot;&gt;&lt;p&gt;factbox&lt;/p&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;', $xhtml );
+    }
+
     /**
      * Test for issue #16605: Online Editor adds a lot of Non Breaking spaces (nbsp)
      * 

diff --git a/kernel/classes/datatypes/ezxmltext/ezxmlinputparser.php b/kernel/classes/datatypes/ezxmltext/ezxmlinputparser.php
@@ -708,7 +708,7 @@ function setAttributes( $element, $attributes )
                     if ( isset( $this->Namespaces[$prefix] ) )
                     {
                         $URI = $this->Namespaces[$prefix];
-                        $element->setAttributeNS( $URI, $qualifiedName, $value );
+                        $element->setAttributeNS( $URI, $qualifiedName, htmlspecialchars_decode( $value ) );
                     }
                     else
                     {
@@ -717,7 +717,7 @@ function setAttributes( $element, $attributes )
                 }
                 else
                 {
-                    $element->setAttribute( $qualifiedName, $value );
+                    $element->setAttribute( $qualifiedName,  htmlspecialchars_decode( $value ) );
                 }
             }
         }