aboutsummaryrefslogtreecommitdiff
path: root/engine/lib/output.php
diff options
context:
space:
mode:
authorSem <sembrestels@riseup.net>2012-11-18 16:07:31 +0100
committerSem <sembrestels@riseup.net>2012-11-18 16:07:31 +0100
commit7f4f57ef1ebd8b97370094da2518dd39e183a43d (patch)
treee0a8518ee22c334ce5741c9247403cf09d179ec4 /engine/lib/output.php
parent47aa87219deb97da16eabe03dee9179999faf2d7 (diff)
parent6623571b615fc5c9d1b82e2607de4cdaee8a818b (diff)
downloadelgg-7f4f57ef1ebd8b97370094da2518dd39e183a43d.tar.gz
elgg-7f4f57ef1ebd8b97370094da2518dd39e183a43d.tar.bz2
Merge tag '1.8.9' of git://github.com/Elgg/Elgg into lorea-preprod
Elgg 1.8.9 release
Diffstat (limited to 'engine/lib/output.php')
-rw-r--r--engine/lib/output.php46
1 files changed, 44 insertions, 2 deletions
diff --git a/engine/lib/output.php b/engine/lib/output.php
index 7bfc4be6e..352de863b 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -271,8 +271,8 @@ function elgg_normalize_url($url) {
// '?query=test', #target
return $url;
- } elseif (stripos($url, 'javascript:') === 0) {
- // 'javascript:'
+ } elseif (stripos($url, 'javascript:') === 0 || stripos($url, 'mailto:') === 0) {
+ // 'javascript:' and 'mailto:'
// Not covered in FILTER_VALIDATE_URL
return $url;
@@ -398,3 +398,45 @@ function elgg_strip_tags($string) {
return $string;
}
+
+/**
+ * Apply html_entity_decode() to a string while re-entitising HTML
+ * special char entities to prevent them from being decoded back to their
+ * unsafe original forms.
+ *
+ * This relies on html_entity_decode() not translating entities when
+ * doing so leaves behind another entity, e.g. &amp;gt; if decoded would
+ * create &gt; which is another entity itself. This seems to escape the
+ * usual behaviour where any two paired entities creating a HTML tag are
+ * usually decoded, i.e. a lone &gt; is not decoded, but &lt;foo&gt; would
+ * be decoded to <foo> since it creates a full tag.
+ *
+ * Note: This function is poorly explained in the manual - which is really
+ * bad given its potential for misuse on user input already escaped elsewhere.
+ * Stackoverflow is littered with advice to use this function in the precise
+ * way that would lead to user input being capable of injecting arbitrary HTML.
+ *
+ * @param string $string
+ *
+ * @return string
+ *
+ * @author Pádraic Brady
+ * @copyright Copyright (c) 2010 Pádraic Brady (http://blog.astrumfutura.com)
+ * @license Released under dual-license GPL2/MIT by explicit permission of Pádraic Brady
+ *
+ * @access private
+ */
+function _elgg_html_decode($string) {
+ $string = str_replace(
+ array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'),
+ array('&amp;gt;', '&amp;lt;', '&amp;amp;', '&amp;quot;', '&amp;#039;'),
+ $string
+ );
+ $string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
+ $string = str_replace(
+ array('&amp;gt;', '&amp;lt;', '&amp;amp;', '&amp;quot;', '&amp;#039;'),
+ array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'),
+ $string
+ );
+ return $string;
+}