diff options
author | Steve Clay <steve@mrclay.org> | 2012-11-11 19:37:40 -0500 |
---|---|---|
committer | Steve Clay <steve@mrclay.org> | 2012-11-11 19:37:40 -0500 |
commit | a73df942c5e863996358cb28f31eddaea7f0bdb8 (patch) | |
tree | 59366971c4abe2249b90fdf7e29d726d8b513c76 /engine/lib/output.php | |
parent | cf78b4d7b4b9a8a3c57cea779aeca9cbe7ace7ed (diff) | |
parent | 6648304aa71067a05b0d4166396f5f93c0f66628 (diff) | |
download | elgg-a73df942c5e863996358cb28f31eddaea7f0bdb8.tar.gz elgg-a73df942c5e863996358cb28f31eddaea7f0bdb8.tar.bz2 |
Merge branch '4593-18' into 1.8
Diffstat (limited to 'engine/lib/output.php')
-rw-r--r-- | engine/lib/output.php | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/engine/lib/output.php b/engine/lib/output.php index 0069360f0..352de863b 100644 --- a/engine/lib/output.php +++ b/engine/lib/output.php @@ -398,3 +398,45 @@ function elgg_strip_tags($string) { return $string; } + +/** + * Apply html_entity_decode() to a string while re-entitising HTML + * special char entities to prevent them from being decoded back to their + * unsafe original forms. + * + * This relies on html_entity_decode() not translating entities when + * doing so leaves behind another entity, e.g. &gt; if decoded would + * create > which is another entity itself. This seems to escape the + * usual behaviour where any two paired entities creating a HTML tag are + * usually decoded, i.e. a lone > is not decoded, but <foo> would + * be decoded to <foo> since it creates a full tag. + * + * Note: This function is poorly explained in the manual - which is really + * bad given its potential for misuse on user input already escaped elsewhere. + * Stackoverflow is littered with advice to use this function in the precise + * way that would lead to user input being capable of injecting arbitrary HTML. + * + * @param string $string + * + * @return string + * + * @author Pádraic Brady + * @copyright Copyright (c) 2010 Pádraic Brady (http://blog.astrumfutura.com) + * @license Released under dual-license GPL2/MIT by explicit permission of Pádraic Brady + * + * @access private + */ +function _elgg_html_decode($string) { + $string = str_replace( + array('>', '<', '&', '"', '''), + array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'), + $string + ); + $string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8'); + $string = str_replace( + array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'), + array('>', '<', '&', '"', '''), + $string + ); + return $string; +} |