From edde218c179b6503d153035b3801f14a9ada542b Mon Sep 17 00:00:00 2001
From: Colin O'Dell
Date: Thu, 21 Mar 2019 18:20:24 -0400
Subject: [PATCH] Deprecated the `$preserveEntites` argument of `Xml::escape()` for removal in the next release (#353)
---
 CHANGELOG.md | 4 ++++
 src/Util/Xml.php | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b9d85e9189..9d495d3094 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,10 @@ Updates should follow the [Keep a CHANGELOG](http://keepachangelog.com/) princip
 - Fix XSS vulnerability caused by improper preservation of entities when rendering (#353)
+### Deprecated
+
+ - Deprecated the `$preserveEntites` argument of `Xml::escape()` for removal in the next release (#353)
+
 ## [0.18.2] - 2019-03-16
 ### Fixed
diff --git a/src/Util/Xml.php b/src/Util/Xml.php
index 7407d9ca31..db1d460b45 100644
--- a/src/Util/Xml.php
+++ b/src/Util/Xml.php
@@ -25,10 +25,14 @@ final class Xml
 *
 * @return string
 */
- public static function escape($string, $preserveEntities = false)
+ public static function escape($string, $preserveEntities = null)
 {
- if ($preserveEntities) {
+ if ($preserveEntities === true) {
+ @trigger_error('Preserving entities in Xml::escape() has been deprecated and will be removed in the next release', E_USER_DEPRECATED);
 $string = preg_replace('/[&](?![#](x[a-f0-9]{1,8}|[0-9]{1,8});|[a-z][a-z0-9]{1,31};)/i', '&', $string);
+ } elseif ($preserveEntities === false) {
+ @trigger_error('The $preserveEntities argument of Xml::escape() has been deprecated and will be removed in the next release', E_USER_DEPRECATED);
+ $string = str_replace('&', '&', $string);
 } else {
 $string = str_replace('&', '&', $string);
 }
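Review bot: The `$preserveEntities === true` branch in `Xml::escape()` still runs the entity-preserving `preg_replace`, so any caller that keeps passing `true` retains the behaviour the changelog entry in this patch ties to the XSS fix (#353). The only signal is an `@`-suppressed `E_USER_DEPRECATED`, which reaches a registered error handler but not the default log. I would state the risk in the docblock, for example `@param bool|null $preserveEntities Deprecated. When true, existing entities are passed through unescaped; do not use on untrusted input.`; the docblock starts outside this hunk, so its current `@param` text is not visible here. The strict comparisons also mean a truthy non-boolean such as `1`, which used to preserve entities, now falls into the final `else` and is escaped fully with no notice; that is the safe direction but a silent behaviour change worth a changelog line. As rendered here the replacement strings read `'&'`, which is presumably `'&amp;'` lost to HTML decoding of the page rather than the committed code.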