c90e1672
Commit
c90e1672
authored
Jul 03, 2009
by
Dries Buytaert
- Patch
#359276
by Freso, Heine, lyricnz: avoid double encoding/decoding of HTML entities.
parent
bea411e1
Changes
2
includes/common.inc
@@ -1359,12 +1359,12 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite',
// Defuse all HTML entities
$string
=
str_replace
(
'&'
,
'&'
,
$string
);
// Change back only well-formed entities in our whitelist
// Named entities
$string
=
preg_replace
(
'/&([A-Za-z][A-Za-z0-9]*;)/'
,
'&\1'
,
$string
);
// Decimal numeric entities
$string
=
preg_replace
(
'/&#([0-9]+;)/'
,
'&#\1'
,
$string
);
// Hexadecimal numeric entities
$string
=
preg_replace
(
'/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/'
,
'&#x\1'
,
$string
);
// Named entities
$string
=
preg_replace
(
'/&([A-Za-z][A-Za-z0-9]*;)/'
,
'&\1'
,
$string
);
return
preg_replace_callback
(
'%
(
modules/filter/filter.test
@@ -399,6 +399,15 @@ class FilterTestCase extends DrupalWebTestCase {
$f
=
filter_xss
(
"
\xc0
aaa"
);
$this
->
assertEqual
(
$f
,
''
,
t
(
'HTML filter -- overlong UTF-8 sequences.'
));
$f
=
filter_xss
(
"Who's Online"
);
$this
->
assertNormalized
(
$f
,
"who's online"
,
t
(
'HTML filter -- html entity number'
));
$f
=
filter_xss
(
"Who's Online"
);
$this
->
assertNormalized
(
$f
,
"who's online"
,
t
(
'HTML filter -- encoded html entity number'
));
$f
=
filter_xss
(
"Who' Online"
);
$this
->
assertNormalized
(
$f
,
"who' online"
,
t
(
'HTML filter -- double encoded html entity number'
));
}
/**