[ticket/16496] Fix html special chars in custom BBcode help line

[3D-I]

PHPBB3-16496

Checklist:

• Correct branch: master for new features; 3.3.x & 3.2.x for fixes
• Tests pass
• Code follows coding guidelines: master, 3.3.x and 3.2.x
• Commit follows commit message format

Tracker ticket (set the ticket ID to your ticket ID):

https://tracker.phpbb.com/browse/PHPBB3-16496

[3D-I]

[marc1706]

Somehow your example does not work as displayed above:

[3D-I]

What commit are you using?

[marc1706]

Latest in this PR. :)

[3D-I]

I guess I was right then, wait pls.

[3D-I]

Data's stored as in

In the database, thus we need to decode it.

[kasimi]

1. BBCode help text entered in the ACP: Same effect as > or < "HTML tags"
2. The value stored in the database (htmlspecialchars() applied by the type_cast_helper): Same effect as > or < "HTML tags"
3. htmlspecialchars_decode() applied, as currently proposed in this PR: Same effect as > or < "HTML tags". This is the value of the BBCODE_HELPLINE template variable.
4. Twig filter e('html_attr') applied in both posting_buttons.html and acp_posting_buttons.html: Same effect as > or < "HTML tags"

While this works, I see two problems:

• There is unescaped data in the template, while usually all data assigned to the template (usernames, post text etc) has their HTML entities encoded. This means that the BBCODE_HELPLINE variable should not be used as is, but needs to be encoded when rendering, not just by the core but also by extension that use it. Again, this is not the default behavior.
• Why decode the entities in step 3 only to encode them again in step 4? It's perfectly fine to use the value in step 2 in an HTML attribute value without further escaping.

Unless I'm missing something, I'd suggest to remove the code from steps 3 and 4.

@marc1706 can you please test again?

[3D-I]

Unless I'm missing something, I'd suggest to remove the code from steps 3 and 4.

Unless I am missing something I recall I have already tried it all, I am on phpBB 3.3.x testing here, if that matters. 🤔

Same effect as > or < "HTML tags"

Where do you see this?

[kasimi]

It's the final output.

[3D-I]

Never seen here.
I should get some spare time later on tonight to re-test everything though, not an issue.

[kasimi]

Example in the core of a user-controlled title attribute:

• Value is assigned to the template without decoding: https://github.com/phpbb/phpbb/blob/release-3.2.9/phpBB/includes/functions_display.php#L624
• Value is rendered without escaping: https://github.com/phpbb/phpbb/blob/release-3.2.9/phpBB/styles/prosilver/template/forumlist_body.html#L96

[3D-I]

Wrong okay. Let me push.

[marc1706]

Looks good now.