Commit 233180 by dries
- Patch #359276 by Freso, Heine, lyricnz: avoid double encoding/decoding of HTML entities.
--- includes/common.inc 2009/07/02 04:27:22 1.926
+++ includes/common.inc 2009/07/03 18:26:34 1.927
@@ -1359,12 +1359,12 @@
// Defuse all HTML entities
$string = str_replace('&', '&', $string);
// Change back only well-formed entities in our whitelist
- // Named entities
- $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
// Decimal numeric entities
$string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
// Hexadecimal numeric entities
$string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);
+ // Named entities
+ $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
return preg_replace_callback('%
(
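Review bot: The context comment `// Change back only well-formed entities in our whitelist` now overstates what the reordered passes do: the named-entity pass restores any `&name;` whose name matches `[A-Za-z][A-Za-z0-9]*`, so the "whitelist" is a syntactic shape rather than a list of entity names, and the fact that the named pass must run after the numeric ones is nowhere recorded. I would replace that comment with `// Restore only well-formed entities: decimal and hex numeric first, then any syntactically valid named entity. Named must run last, otherwise an already-encoded &amp;#NNN; is decoded a second time.` so the load-bearing order survives the next refactor. As rendered on this page the replacement strings read as a no-op (`str_replace('&', '&', ...)` and `'&\1'`), which is presumably the page decoding the `&amp;` text of the patch rather than the code itself, but it is worth checking against the raw patch. The hexadecimal pass also still requires an even number of hex digits, so an entity with an odd digit count stays defused; that is pre-existing, yet the new tests do not cover it. The enclosing function starts and ends outside this hunk, and the same hunk is repeated verbatim further down the page.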
--- modules/filter/filter.test 2009/06/28 18:03:56 1.25
+++ modules/filter/filter.test 2009/07/03 18:26:35 1.26
@@ -399,6 +399,15 @@
$f = filter_xss("\xc0aaa");
$this->assertEqual($f, '', t('HTML filter -- overlong UTF-8 sequences.'));
+
+ $f = filter_xss("Who's Online");
+ $this->assertNormalized($f, "who's online", t('HTML filter -- html entity number'));
+
+ $f = filter_xss("Who's Online");
+ $this->assertNormalized($f, "who's online", t('HTML filter -- encoded html entity number'));
+
+ $f = filter_xss("Who' Online");
+ $this->assertNormalized($f, "who' online", t('HTML filter -- double encoded html entity number'));
}
/**
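Review bot: The three new assertions exercise only the decimal numeric entity form, while the reordering in common.inc also changes how hexadecimal numeric and named entities interact with the defuse step; a double-encoded hex case and a double-encoded named case would pin the new order, e.g. `$f = filter_xss("Who&amp;#x27; Online");` followed by `$this->assertNormalized($f, "who&amp;#x27; online", t('HTML filter -- double encoded hex entity number'));`, plus an equivalent pair built on `&amp;amp;lt;`. As displayed here all three new inputs read identically as `Who's Online`, which is presumably this page decoding the entity text of the patch; the cases are only meaningful if the raw patch has them at three different encoding depths (plain, once-encoded, twice-encoded), so confirm that before relying on them as regression coverage. The test method continues outside this hunk, and the same hunk is repeated verbatim further down the page.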
+++ includes/common.inc 2009/07/03 18:26:34 1.927
@@ -1359,12 +1359,12 @@
// Defuse all HTML entities
$string = str_replace('&', '&', $string);
// Change back only well-formed entities in our whitelist
- // Named entities
- $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
// Decimal numeric entities
$string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
// Hexadecimal numeric entities
$string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);
+ // Named entities
+ $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
return preg_replace_callback('%
(
--- modules/filter/filter.test 2009/06/28 18:03:56 1.25
+++ modules/filter/filter.test 2009/07/03 18:26:35 1.26
@@ -399,6 +399,15 @@
$f = filter_xss("\xc0aaa");
$this->assertEqual($f, '', t('HTML filter -- overlong UTF-8 sequences.'));
+
+ $f = filter_xss("Who's Online");
+ $this->assertNormalized($f, "who's online", t('HTML filter -- html entity number'));
+
+ $f = filter_xss("Who's Online");
+ $this->assertNormalized($f, "who's online", t('HTML filter -- encoded html entity number'));
+
+ $f = filter_xss("Who' Online");
+ $this->assertNormalized($f, "who' online", t('HTML filter -- double encoded html entity number'));
}
/**