- Patch #359276 by Freso, Heine, lyricnz: avoid double encoding/decoding of HTML entities.

c90e1672 · Dries · bea411e1 · c90e1672 · c90e1672
Commit c90e1672 authored Jul 03, 2009 by Dries
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 2 deletions

includes/common.inc includes/common.inc +2 -2

modules/filter/filter.test modules/filter/filter.test +9 -0

No files found.
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1359,12 +1359,12 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite',
  // Defuse all HTML entities
  $string = str_replace('&', '&amp;', $string);
  // Change back only well-formed entities in our whitelist
-  // Named entities
-  $string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
  // Decimal numeric entities
  $string = preg_replace('/&amp;#([0-9]+;)/', '&#\1', $string);
  // Hexadecimal numeric entities
  $string = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);
+  // Named entities
+  $string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);

  return preg_replace_callback('%
    (

--- a/modules/filter/filter.test
+++ b/modules/filter/filter.test
@@ -399,6 +399,15 @@ class FilterTestCase extends DrupalWebTestCase {

    $f = filter_xss("\xc0aaa");
    $this->assertEqual($f, '', t('HTML filter -- overlong UTF-8 sequences.'));
+
+    $f = filter_xss("Who&#039;s Online");
+    $this->assertNormalized($f, "who's online", t('HTML filter -- html entity number'));
+
+    $f = filter_xss("Who&amp;#039;s Online");
+    $this->assertNormalized($f, "who&#039;s online", t('HTML filter -- encoded html entity number'));
+
+    $f = filter_xss("Who&amp;amp;#039; Online");
+    $this->assertNormalized($f, "who&amp;#039; online", t('HTML filter -- double encoded html entity number'));
  }

  /**