Diffstat (limited to 'engine/lib/output.php')
-rw-r--r-- | engine/lib/output.php | 86 |
1 files changed, 64 insertions, 22 deletions
diff --git a/engine/lib/output.php b/engine/lib/output.php
index d50576b44..cce1c7cba 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -373,31 +373,73 @@ function elgg_strip_tags($string) {
 return $string;
 }
-/**
- * Unit tests for Output
- *
- * @param sting $hook unit_test
- * @param string $type system
- * @param mixed $value Array of tests
- * @param mixed $params Params
- *
- * @return array
- * @access private
- */
-function output_unit_test($hook, $type, $value, $params) {
- global $CONFIG;
- $value[] = $CONFIG->path . 'engine/tests/api/output.php';
- return $value;
+/**
+ * Apply html_entity_decode() to a string while re-entitising HTML
+ * special char entities to prevent them from being decoded back to their
+ * unsafe original forms.
+ *
+ * This relies on html_entity_decode() not translating entities when
+ * doing so leaves behind another entity, e.g. &gt; if decoded would
+ * create > which is another entity itself. This seems to escape the
+ * usual behaviour where any two paired entities creating a HTML tag are
+ * usually decoded, i.e. a lone > is not decoded, but <foo> would
+ * be decoded to <foo> since it creates a full tag.
+ *
+ * Note: This function is poorly explained in the manual - which is really
+ * bad given its potential for misuse on user input already escaped elsewhere.
+ * Stackoverflow is littered with advice to use this function in the precise
+ * way that would lead to user input being capable of injecting arbitrary HTML.
+ *
+ * @param string $string
+ *
+ * @return string
+ *
+ * @author Pádraic Brady
+ * @copyright Copyright (c) 2010 Pádraic Brady (http://blog.astrumfutura.com)
+ * @license Released under dual-license GPL2/MIT by explicit permission of Pádraic Brady
+ *
+ * @access private
+ */
+function _elgg_html_decode($string) {
+ $string = str_replace(
+ array('>', '<', '&', '"', '''),
+ array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'),
+ $string
+ );
+ $string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
+ $string = str_replace(
+ array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'),
+ array('>', '<', '&', '"', '''),
+ $string
+ );
+ return $string;
 }
-/**
- * Initialise the Output subsystem.
- *
- * @return void
- * @access private
- */
+/**
+ * Unit tests for Output
+ *
+ * @param sting $hook unit_test
+ * @param string $type system
+ * @param mixed $value Array of tests
+ * @param mixed $params Params
+ *
+ * @return array
+ * @access private
+ */
+function output_unit_test($hook, $type, $value, $params) {
+ global $CONFIG;
+ $value[] = $CONFIG->path . 'engine/tests/api/output.php';
+ return $value;
+}
+
+/**
+ * Initialise the Output subsystem.
+ *
+ * @return void
+ * @access private
+ */
 function output_init() {
 elgg_register_plugin_hook_handler('unit_test', 'system', 'output_unit_test');
-}
+}
 elgg_register_event_handler('init', 'system', 'output_init'); |
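Review bot: `_elgg_html_decode` is introduced as a guard against re-decoding already-escaped input, but the hunk adds no test for the property its docblock relies on, even though it registers `output_unit_test` pointing at `engine/tests/api/output.php`; a case there asserting that the five protected entities (`&gt;`, `&lt;`, `&amp;`, `&quot;`, `&#039;`) pass through unchanged while an ordinary named entity is decoded would pin that behaviour down. The entity literals in the two `str_replace` tables look HTML-decoded in this rendering (`'''` is not valid PHP), so the mapping cannot be checked as displayed; it is worth confirming against the raw file that the first table maps the protected entities to their double-encoded forms rather than to bare characters, since the reverse would defeat the purpose the docblock describes. The `@param string $string` line carries no description; `@param string $string Text containing HTML entities, possibly already escaped` would tell callers what is expected. Further down, the moved `output_unit_test` docblock still reads `@param sting $hook unit_test` and should be `@param string $hook unit_test`. The hunk opens inside `elgg_strip_tags`, whose start lies outside it.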