
Better HTML decoding and output/email encoding #430


Steve Clay
Steve Clay
Owner

No description provided.

Steve Clay mrclay closed this November 11, 2012

Showing 1 unique commit by 1 author.

Nov 07, 2012
Steve Clay Better HTML decoding and output/email encoding 6648304
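--- a/actions/profile/edit.php
+++ b/actions/profile/edit.php
@@ -25,7 +25,7 @@
  * wrapper for recursive array walk decoding
  */
 function profile_array_decoder(&$v) {
-	$v = html_entity_decode($v, ENT_COMPAT, 'UTF-8');
+	$v = _elgg_html_decode($v);
 }
 
 $profile_fields = elgg_get_config('profile_fields');
@@ -37,7 +37,7 @@ function profile_array_decoder(&$v) {
 	if (is_array($value)) {
 		array_walk_recursive($value, 'profile_array_decoder');
 	} else {
-		$value = html_entity_decode($value, ENT_COMPAT, 'UTF-8');
+		$value = _elgg_html_decode($value);
 	}
 
 	// limit to reasonable sizes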
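Review bot: `profile_array_decoder()` is now an identical one-line wrapper over `_elgg_html_decode()` here and in mod/groups/actions/groups/edit.php, and each copy is declared inside an action file rather than in the library that owns the decoder. Since `array_walk_recursive()` needs a by-reference callback and `_elgg_html_decode()` returns a value, the wrapper is still needed, but it would be better defined once in engine/lib/output.php beside `_elgg_html_decode()` (say as `_elgg_html_decode_walker(&$v)`) with both actions calling that name. A one-line docblock stating that it exists only to adapt the return-value decoder to `array_walk_recursive()` would also make the duplication unnecessary to explain twice.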
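--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -398,3 +398,45 @@ function elgg_strip_tags($string) {
 
 	return $string;
 }
+
+/**
+ * Apply html_entity_decode() to a string while re-entitising HTML
+ * special char entities to prevent them from being decoded back to their
+ * unsafe original forms.
+ *
+ * This relies on html_entity_decode() not translating entities when
+ * doing so leaves behind another entity, e.g. > if decoded would
+ * create > which is another entity itself. This seems to escape the
+ * usual behaviour where any two paired entities creating a HTML tag are
+ * usually decoded, i.e. a lone > is not decoded, but <foo> would
+ * be decoded to <foo> since it creates a full tag.
+ *
+ * Note: This function is poorly explained in the manual - which is really
+ * bad given its potential for misuse on user input already escaped elsewhere.
+ * Stackoverflow is littered with advice to use this function in the precise
+ * way that would lead to user input being capable of injecting arbitrary HTML.
+ *
+ * @param string $string
+ *
+ * @return string
+ *
+ * @author Pádraic Brady
+ * @copyright Copyright (c) 2010 Pádraic Brady (http://blog.astrumfutura.com)
+ * @license Released under dual-license GPL2/MIT by explicit permission of Pádraic Brady
+ *
+ * @access private
+ */
+function _elgg_html_decode($string) {
+	$string = str_replace(
+		array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'),
+		array('&amp;gt;', '&amp;lt;', '&amp;amp;', '&amp;quot;', '&amp;#039;'),
+		$string
+	);
+	$string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
+	$string = str_replace(
+		array('&amp;gt;', '&amp;lt;', '&amp;amp;', '&amp;quot;', '&amp;#039;'),
+		array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'),
+		$string
+	);
+	return $string;
+}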
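Review bot: The shielding in the first `str_replace()` covers only the named forms of the five special characters, so the equivalent decimal and hexadecimal references (`&#60;`, `&#x3C;`, `&#62;`, `&#38;`, `&#34;`, `&#39;`, with or without leading zeros) pass straight into `html_entity_decode()`, which as far as I can tell turns them into the raw characters; the docblock's promise that special-char entities are kept from "being decoded back to their unsafe original forms" therefore does not hold for those spellings. Adding one pass before the decode closes the gap, and because the decoder makes a single pass the restored `&#NN;` needs no matching un-shield afterwards: `$string = preg_replace('/&(#(?:0*(?:34|38|39|60|62)|#x0*(?:22|26|27|3c|3e));)/i', '&amp;$1', $string);`. The `&quot;`/`&#039;` entries are also redundant with `ENT_NOQUOTES`, which already leaves both quote entities alone, and a short comment saying so would stop a future reader from "fixing" it to `ENT_QUOTES`. The docblock's examples appear to have lost their entity spellings in rendering (`> if decoded would create >`), so it is worth checking the committed text still shows the `&amp;gt;` / `&gt;` pair it is describing.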
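--- a/engine/lib/upgrades/2010052601.php
+++ b/engine/lib/upgrades/2010052601.php
@@ -9,14 +9,14 @@
 $groups = elgg_get_entities($params);
 if ($groups) {
 	foreach ($groups as $group) {
-		$group->name = html_entity_decode($group->name, ENT_COMPAT, 'UTF-8');
-		$group->description = html_entity_decode($group->description, ENT_COMPAT, 'UTF-8');
-		$group->briefdescription = html_entity_decode($group->briefdescription, ENT_COMPAT, 'UTF-8');
-		$group->website = html_entity_decode($group->website, ENT_COMPAT, 'UTF-8');
+		$group->name = _elgg_html_decode($group->name);
+		$group->description = _elgg_html_decode($group->description);
+		$group->briefdescription = _elgg_html_decode($group->briefdescription);
+		$group->website = _elgg_html_decode($group->website);
 		if ($group->interests) {
 			$tags = $group->interests;
-			foreach ($tags as $index=>$tag) {
-				$tags[$index] = html_entity_decode($tag, ENT_COMPAT, 'UTF-8');
+			foreach ($tags as $index => $tag) {
+				$tags[$index] = _elgg_html_decode($tag);
 			}
 			$group->interests = $tags;
 		}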
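--- a/mod/blog/views/default/forms/blog/save.php
+++ b/mod/blog/views/default/forms/blog/save.php
@@ -53,7 +53,7 @@
 $excerpt_input = elgg_view('input/text', array(
 	'name' => 'excerpt',
 	'id' => 'blog_excerpt',
-	'value' => html_entity_decode($vars['excerpt'], ENT_COMPAT, 'UTF-8')
+	'value' => _elgg_html_decode($vars['excerpt'])
 ));
 
 $body_label = elgg_echo('blog:body');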
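Review bot: `_elgg_html_decode()` is tagged `@access private` in engine/lib/output.php, yet this plugin view now calls it directly, as do mod/groups/actions/groups/edit.php and the group upgrade script in the same commit. Either the private marker is wrong and the function should be documented as public API (it is the sanctioned way to decode stored text, so that seems the intent), or the plugins should go through a public name such as `elgg_html_decode()` so a later engine refactor does not silently break them. Whichever way, the docblock should say which callers it is meant for.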
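--- a/mod/groups/actions/groups/edit.php
+++ b/mod/groups/actions/groups/edit.php
@@ -8,15 +8,15 @@
 // Load configuration
 global $CONFIG;
 
+elgg_make_sticky_form('groups');
+
 /**
  * wrapper for recursive array walk decoding
  */
 function profile_array_decoder(&$v) {
-	$v = html_entity_decode($v, ENT_COMPAT, 'UTF-8');
+	$v = _elgg_html_decode($v);
 }
 
-elgg_make_sticky_form('groups');
-
 // Get group fields
 $input = array();
 foreach ($CONFIG->group as $shortname => $valuetype) {
@@ -25,7 +25,7 @@ function profile_array_decoder(&$v) {
 	if (is_array($input[$shortname])) {
 		array_walk_recursive($input[$shortname], 'profile_array_decoder');
 	} else {
-		$input[$shortname] = html_entity_decode($input[$shortname], ENT_COMPAT, 'UTF-8');
+		$input[$shortname] = _elgg_html_decode($input[$shortname]);
 	}
 
 	if ($valuetype == 'tags') {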
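--- a/views/default/output/email.php
+++ b/views/default/output/email.php
@@ -10,6 +10,8 @@
  *
  */
 
+$encoded_value = htmlspecialchars($vars['value'], ENT_QUOTES, 'UTF-8');
+
 if (!empty($vars['value'])) {
-	echo "<a href=\"mailto:" . $vars['value'] . "\">". htmlspecialchars($vars['value'], ENT_QUOTES, 'UTF-8', false) ."</a>";
+	echo "<a href=\"mailto:$encoded_value\">$encoded_value</a>";
 }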
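Review bot: The new assignment reads `$vars['value']` before the `!empty()` guard, so a caller that omits `value` now triggers an undefined-index notice the old code avoided; moving the line inside the `if` (`if (!empty($vars['value'])) { $encoded_value = htmlspecialchars($vars['value'], ENT_QUOTES, 'UTF-8');`) keeps the fix and the old behaviour for missing input. Escaping the value that lands in `href` is the right change, since the old line put the raw value into the attribute, and `ENT_QUOTES` is the correct choice for a double-quoted attribute. Note that the text node no longer passes `double_encode = false`, so a stored `&amp;` will now render as `&amp;amp;`; that is fine if the value is always raw, but a one-line comment stating that assumption would help. Nothing here checks that the value looks like an address before it becomes a `mailto:` target; if the view is only ever used for email fields, a `filter_var($vars['value'], FILTER_VALIDATE_EMAIL)` check at the caller or here would be a cheap extra safeguard.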