Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

- Patch #359276 by Freso, Heine, lyricnz: avoid double encoding/decoding of HTML entities.

merge-requests/26/head
Dries Buytaert 2009-07-03 18:26:35 +00:00
parent bea411e114
commit c90e16721a
2 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
includes/common.inc
View File

@ -1359,12 +1359,12 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite',
// Defuse all HTML entities
$string = str_replace('&', '&', $string);
// Change back only well-formed entities in our whitelist
// Named entities
$string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
// Decimal numeric entities
$string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
// Hexadecimal numeric entities
$string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);
// Named entities
$string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
return preg_replace_callback('%
(

9
modules/filter/filter.test
View File

@ -399,6 +399,15 @@ class FilterTestCase extends DrupalWebTestCase {
$f = filter_xss("\xc0aaa");
$this->assertEqual($f, '', t('HTML filter -- overlong UTF-8 sequences.'));
$f = filter_xss("Who's Online");
$this->assertNormalized($f, "who's online", t('HTML filter -- html entity number'));
$f = filter_xss("Who's Online");
$this->assertNormalized($f, "who's online", t('HTML filter -- encoded html entity number'));
$f = filter_xss("Who' Online");
$this->assertNormalized($f, "who' online", t('HTML filter -- double encoded html entity number'));
}
/**