From c90e16721a0660dc2dedbd31a9df428e03b7ff13 Mon Sep 17 00:00:00 2001
From: Dries Buytaert <dries@buytaert.net>
Date: Fri, 3 Jul 2009 18:26:35 +0000
Subject: [PATCH] - Patch #359276 by Freso, Heine, lyricnz: avoid double
encoding/decoding of HTML entities.
---
includes/common.inc | 4 ++--
modules/filter/filter.test | 9 +++++++++
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/includes/common.inc b/includes/common.inc
index fb4aff11ddfb..0d95442a8000 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1359,12 +1359,12 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite',
// Defuse all HTML entities
$string = str_replace('&', '&', $string);
// Change back only well-formed entities in our whitelist
- // Named entities
- $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
// Decimal numeric entities
$string = preg_replace('/&#([0-9]+;)/', '&#\1', $string);
// Hexadecimal numeric entities
$string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string);
+ // Named entities
+ $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string);
return preg_replace_callback('%
(
diff --git a/modules/filter/filter.test b/modules/filter/filter.test
index a9738a97ac61..cf06b6da30c3 100644
--- a/modules/filter/filter.test
+++ b/modules/filter/filter.test
@@ -399,6 +399,15 @@ class FilterTestCase extends DrupalWebTestCase {
$f = filter_xss("\xc0aaa");
$this->assertEqual($f, '', t('HTML filter -- overlong UTF-8 sequences.'));
+
+ $f = filter_xss("Who's Online");
+ $this->assertNormalized($f, "who's online", t('HTML filter -- html entity number'));
+
+ $f = filter_xss("Who&#039;s Online");
+ $this->assertNormalized($f, "who's online", t('HTML filter -- encoded html entity number'));
+
+ $f = filter_xss("Who&amp;#039; Online");
+ $this->assertNormalized($f, "who&#039; online", t('HTML filter -- double encoded html entity number'));
}
/**
--
GitLab