Deprecated the $preserveEntites argument of Xml::escape() for removal in the next release (#353)
colinodell committed Mar 21, 2019
1 parent 6f16c6e commit edde218
Showing 2 changed files with 10 additions and 2 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -12,6 +12,10 @@ Updates should follow the [Keep a CHANGELOG](http://keepachangelog.com/) princip

- Fix XSS vulnerability caused by improper preservation of entities when rendering (#353)

### Deprecated

- Deprecated the `$preserveEntites` argument of `Xml::escape()` for removal in the next release (#353)

## [0.18.2] - 2019-03-16

### Fixed
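
Review bot: The new "Deprecated" entry spells the argument `$preserveEntites`, while the signature changed in src/Util/Xml.php names it `$preserveEntities`; correct the spelling so that a search of the changelog for the parameter name finds this entry. Since the entry sits directly under the XSS fix for the same issue (#353), it would also help to say that callers should stop passing the argument altogether, because the second hunk emits a deprecation notice for an explicit `false` as well as for `true`.
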
8 changes: 6 additions & 2 deletions src/Util/Xml.php
Expand Up @@ -25,10 +25,14 @@ final class Xml
*
* @return string
*/
public static function escape($string, $preserveEntities = false)
public static function escape($string, $preserveEntities = null)
{
if ($preserveEntities) {
if ($preserveEntities === true) {
@trigger_error('Preserving entities in Xml::escape() has been deprecated and will be removed in the next release', E_USER_DEPRECATED);
$string = preg_replace('/[&](?![#](x[a-f0-9]{1,8}|[0-9]{1,8});|[a-z][a-z0-9]{1,31};)/i', '&', $string);
} elseif ($preserveEntities === false) {
@trigger_error('The $preserveEntities argument of Xml::escape() has been deprecated and will be removed in the next release', E_USER_DEPRECATED);
$string = str_replace('&', '&', $string);
} else {
$string = str_replace('&', '&', $string);
}
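
Review bot: The `$preserveEntities === true` branch still runs the entity-preserving `preg_replace`, so the behaviour the changelog links to the XSS fix (#353) remains reachable for any caller that passes `true`, and the only signal is an `E_USER_DEPRECATED` notice silenced with `@`. Before merging, confirm that no caller inside the library still passes `true`, and consider stating in the deprecation message that preserved entities are not safe for untrusted input. Two smaller points: the switch from a truthy test to `=== true` means non-boolean truthy values such as `1` now fall through to the `else` branch and are fully escaped without any notice, which is the safer outcome but is a behaviour change worth recording; and the `=== false` and `else` branches repeat the same `str_replace`, so the deprecation notice could be raised in a single `if ($preserveEntities !== null)` check ahead of the escaping logic. The visible part of the docblock shows only `@return string`; the `$preserveEntities` parameter description should mark the argument as deprecated and document the new `null` default.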