Merge bd109f3 into 5384d03

CHANGELOG.md

@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/).
 
 ## [Unreleased](https://github.com/youthweb/bbcode-parser/compare/1.7.0...master)
 
+### Fixed
+
+- Don't escape HTML that is setted through a Visitor
+
 ## [1.7.0](https://github.com/youthweb/bbcode-parser/compare/1.6.0...1.7.0) - 2021-11-23
 
 ### Added

src/Manager.php

@@ -204,6 +204,9 @@ protected function addParagraphs($text)
     protected function addExplanations($text)
     {
         $text = str_ireplace(' yw ', ' <acronym title="Youthweb">YW</acronym> ', $text);
+        $text = str_ireplace('{{{lt}}}', '<', $text);
+        $text = str_ireplace('{{{gt}}}', '>', $text);
+        $text = str_ireplace('{{{quot}}}', '"', $text);
 
         return $text;
     }

src/Visitor/VisitorSmiley.php

@@ -97,7 +97,7 @@ private function getSmileyRules()
             $url = 'https://youthweb.net/vendor/smilies/' . $filename;
 
             $codes[] = $code;
-            $html[] = '<img src="' . $url . '" alt="' . $code . '" title="' . $code . '" />';
+            $html[] = '{{{lt}}}img src={{{quot}}}' . $url . '{{{quot}}} alt={{{quot}}}' . $code . '{{{quot}}} title={{{quot}}}' . $code . '{{{quot}}} /{{{gt}}}';
         }
 
         $rules = [$codes, $html];

tests/Integration/ParsingTest.php

@@ -26,9 +26,6 @@ class ParsingTest extends TestCase
 {
     private $parser;
 
-    /**
-     * @dataProvider providerParseBBCode
-     */
     public function setUp(): void
     {
         $this->parser = new Manager();
@@ -48,6 +45,16 @@ public function testParseBBCode($text, array $config, $expected)
     public function providerParseBBCode()
     {
         return [
+            [
+                'Hello World!',
+                [],
+                '<p>Hello World!</p>',
+            ],
+            [
+                'Hello World! </div>',
+                [],
+                '<p>Hello World! &lt;/div&gt;</p>',
+            ],
             [
                 '[b]Hello World! <img src="javascript:alert(\'XSS\')">[/b]',
                 [],
@@ -207,19 +214,19 @@ public function providerParseBBCode()
                 '<p>Mehr Infos gibt es auf <a target="_blank" href="http://example.org/pfad?query=string">http://example.org/pfad?query=string</a></p>',
             ],
             [
-                'Jemand hat dich eingeladen, am Event [url=http://example.org/events/6]"E. "><img src=javascript:alert(\'XSS\')>"[/url] teilzunehmen.',
+                'Jemand hat dich eingeladen, am Event [url=http://example.org/events/6]"E. "><img src="javascript:alert(\'XSS\')">"[/url] teilzunehmen.',
                 [],
-                '<p>Jemand hat dich eingeladen, am Event <a target="_blank" href="http://example.org/events/6">&quot;E. &quot;&gt;&lt;img src=javascript:alert(\'XSS\')&gt;&quot;</a> teilzunehmen.</p>',
+                '<p>Jemand hat dich eingeladen, am Event <a target="_blank" href="http://example.org/events/6">&quot;E. &quot;&gt;&lt;img src=&quot;javascript:alert(\'XSS\')&quot;&gt;&quot;</a> teilzunehmen.</p>',
             ],
             [
-                'B1: Jemand hat dich eingeladen, am Event [url=http://example.org/events/6][b]"E. "><img src=javascript:alert(\'XSS\')>"[/b][/url] teilzunehmen.',
+                'B1: Jemand hat dich eingeladen, am Event [url=http://example.org/events/6][b]"E. "><img src="javascript:alert(\'XSS\')">"[/b][/url] teilzunehmen.',
                 [],
-                '<p>B1: Jemand hat dich eingeladen, am Event <a target="_blank" href="http://example.org/events/6"><b>&quot;E. &quot;&gt;&lt;img src=javascript:alert(\'XSS\')&gt;&quot;</b></a> teilzunehmen.</p>',
+                '<p>B1: Jemand hat dich eingeladen, am Event <a target="_blank" href="http://example.org/events/6"><b>&quot;E. &quot;&gt;&lt;img src=&quot;javascript:alert(\'XSS\')&quot;&gt;&quot;</b></a> teilzunehmen.</p>',
             ],
             [
-                'B2: Jemand hat dich eingeladen, am Event [url=http://example.org/events/6][F]"E. "><img src=javascript:alert(\'XSS\')>"[/F][/url] teilzunehmen.',
+                'B2: Jemand hat dich eingeladen, am Event [url=http://example.org/events/6][F]"E. "><img src="javascript:alert(\'XSS\')">"[/F][/url] teilzunehmen.',
                 [],
-                '<p>B2: Jemand hat dich eingeladen, am Event <a target="_blank" href="http://example.org/events/6"><b>&quot;E. &quot;&gt;&lt;img src=javascript:alert(\'XSS\')&gt;&quot;</b></a> teilzunehmen.</p>',
+                '<p>B2: Jemand hat dich eingeladen, am Event <a target="_blank" href="http://example.org/events/6"><b>&quot;E. &quot;&gt;&lt;img src=&quot;javascript:alert(\'XSS\')&quot;&gt;&quot;</b></a> teilzunehmen.</p>',
             ],
             [
                 'I1: Jemand hat dich eingeladen, am Event [url=http://example.org/events/6][i]"E. "><img src="javascript:alert(\'XSS\')">"[/i][/url] teilzunehmen.',

tests/Integration/SmileyTest.php

@@ -46,12 +46,10 @@ public function testParseSmileyCode()
 
     /**
      * @test
+     * @dataProvider provideSmileyExamples
      */
-    public function parseSmileyWithCustomVisitor()
+    public function parseSmileyWithCustomVisitor(string $text, string $expected)
     {
-        $text     = 'My mistake :-[';
-        $expected = '<p>My mistake <img src="https://youthweb.net/vendor/smilies/49_2.gif" alt=":-[" title=":-[" /></p>';
-
         $visitor = new VisitorSmiley();
 
         $collection = new VisitorCollection();
@@ -66,4 +64,22 @@ public function parseSmileyWithCustomVisitor()
 
         $this->assertSame($expected, $parser->parse($text, $config));
     }
+
+    public function provideSmileyExamples()
+    {
+        return [
+            [
+                'My mistake :-[',
+                '<p>My mistake <img src="https://youthweb.net/vendor/smilies/49_2.gif" alt=":-[" title=":-[" /></p>',
+            ],
+            [
+                'My mistake <span> :-[',
+                '<p>My mistake <span> <img src="https://youthweb.net/vendor/smilies/49_2.gif" alt=":-[" title=":-[" /></p>',
+            ],
+            [
+                '[b]My mistake :-[[/b]',
+                '<p><b>My mistake <img src="https://youthweb.net/vendor/smilies/49_2.gif" alt=":-[" title=":-[" /></b></p>',
+            ],
+        ];
+    }
 }

tests/Unit/Visitor/VisitorSmileyTest.php

@@ -148,11 +148,11 @@ public function SmileyDataProvider()
         return [
             [
                 'Hi :-)',
-                'Hi <img src="https://youthweb.net/vendor/smilies/smile0001.gif" alt=":-)" title=":-)" />',
+                'Hi {{{lt}}}img src={{{quot}}}https://youthweb.net/vendor/smilies/smile0001.gif{{{quot}}} alt={{{quot}}}:-){{{quot}}} title={{{quot}}}:-){{{quot}}} /{{{gt}}}',
             ],
             [
                 'Hey :super: Das war sehr gut.',
-                'Hey <img src="https://youthweb.net/vendor/smilies/489.gif" alt=":super:" title=":super:" /> Das war sehr gut.',
+                'Hey {{{lt}}}img src={{{quot}}}https://youthweb.net/vendor/smilies/489.gif{{{quot}}} alt={{{quot}}}:super:{{{quot}}} title={{{quot}}}:super:{{{quot}}} /{{{gt}}} Das war sehr gut.',
             ],
         ];
     }