From 324701c9fd31beb4f070f1b7ef78b115fbdfec34 Mon Sep 17 00:00:00 2001
From: Paul Bissonnette
Date: Thu, 20 Nov 2014 16:50:22 -0800
Subject: [PATCH] HTMLEncode strings in wddx_serialize_value()

Summary: Strings returned through wddx_serialize_value should be HTMLEncode()'d during serialization.
Fixes #4283
{sync, type="child", parent="internal", parentrevid="1691695", parentrevfbid="1537976659780590", parentdiffid="5726084"}
Reviewed By: @JoelMarcey
Differential Revision: D1691695
Signature: t1:1691695:1416530595:722bfcdaf7c0dbee379bea886cd4c43d997ca7dd
---
 hphp/runtime/ext/wddx/ext_wddx.cpp | 6 +++++-
 hphp/test/slow/ext_wddx/htmlent.php | 5 +++++
 hphp/test/slow/ext_wddx/htmlent.php.expect | 2 ++
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 hphp/test/slow/ext_wddx/htmlent.php
 create mode 100644 hphp/test/slow/ext_wddx/htmlent.php.expect

diff --git a/hphp/runtime/ext/wddx/ext_wddx.cpp b/hphp/runtime/ext/wddx/ext_wddx.cpp
index be49b776f187e..9d249de0d7be1 100644
--- a/hphp/runtime/ext/wddx/ext_wddx.cpp
+++ b/hphp/runtime/ext/wddx/ext_wddx.cpp
@@ -126,9 +126,13 @@ bool WddxPacket::recursiveAddVar(const String& varName,
 std::string varType = getDataTypeString(varVariant.getType()).data();
 if (!getWddxEncoded(varType, "", varName, false).empty()) {
- std::string varValue = varVariant.toString().data();
+ std::string varValue;
 if (varType.compare("boolean") == 0) {
 varValue = varVariant.toBoolean() ? "true" : "false";
+ } else {
+ varValue = StringUtil::HtmlEncode(varVariant.toString(),
+ StringUtil::QuoteStyle::Double,
+ "UTF-8", false, false).toCppString();
 }
 m_packetString += getWddxEncoded(varType, varValue, varName, hasVarTag);
 return true;
diff --git a/hphp/test/slow/ext_wddx/htmlent.php b/hphp/test/slow/ext_wddx/htmlent.php
new file mode 100644
index 0000000000000..c87d13db3dfa9
--- /dev/null
+++ b/hphp/test/slow/ext_wddx/htmlent.php
@@ -0,0 +1,5 @@
+
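Review bot: The fourth argument to `StringUtil::HtmlEncode` in the new `else` branch is `false`, which appears to be the double-encode flag; if so, a value that already contains an entity such as `&amp;` is written into the packet unchanged and comes back from deserialization as `&`, so the round trip is lossy for such inputs — that mirrors PHP's wddx (double_encode=0), but the choice should be stated at the call, e.g. `// no double-encoding: pre-existing entities pass through unchanged, matching PHP's wddx`. Before this change the removed line put `varVariant.toString()` into the packet raw, so a value containing `<`, `>`, `&` or `"` could alter the XML structure of its own `<string>` element; a one-line comment naming that purpose, `// HTML-encode so the value cannot break out of its element (#4283)`, would help the next reader. `QuoteStyle::Double` presumably leaves single quotes unencoded where PHP uses ENT_QUOTES, which is harmless for XML text content but is a visible divergence worth noting. recursiveAddVar begins before this hunk and continues after it.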
Test for &" +string(10) "Test for &"