Merge pull request #62 from phpbb/ticket/security-264

[ticket/security-264] Ensure HTML entity state after removing formatting
Marc Alexander 2020-11-04 16:35:05 +01:00
commit 556f7adab1
2 changed files with 15 additions and 16 deletions


@ -31,7 +31,7 @@ class utils implements \phpbb\textformatter\utils_interface
// Insert a space before <s> and <e> then remove formatting
$xml = preg_replace('#<[es]>#', ' $0', $xml);
return \s9e\TextFormatter\Utils::removeFormatting($xml);
return utf8_htmlspecialchars(\s9e\TextFormatter\Utils::removeFormatting($xml));
}
/**
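Review bot: The new `return utf8_htmlspecialchars(...)` line changes the method's contract from "plain text as produced by removeFormatting()" to "HTML-escaped text", but nothing in the hunk documents that, and a caller that already escapes the result will now double-encode (`&amp;amp;`). The method's signature and docblock start above the hunk; the `@return` there should say `@return string Plain text with HTML special characters escaped, matching the state the legacy BBCode path returns`. Also worth confirming which flags utf8_htmlspecialchars passes to htmlspecialchars — if it is not ENT_QUOTES, a single quote survives unescaped, which matters when this text is later placed in a single-quoted attribute.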


@ -13,27 +13,26 @@
class phpbb_text_processing_strip_bbcode_test extends phpbb_test_case
{
public function test_legacy()
public function data_strip_bbcode()
{
$original = '[b:20m4ill1]bold[/b:20m4ill1]';
$expected = ' bold ';
$actual = $original;
strip_bbcode($actual);
$this->assertSame($expected, $actual, '20m4ill1');
return [
['[b:20m4ill1]bold[/b:20m4ill1]', ' bold '],
['<r><B><s>[b]</s>bold<e>[/b]</e></B></r>', ' bold '],
['[b:20m4ill1]bo &amp; ld[/b:20m4ill1]', ' bo &amp; ld '],
['<r><B><s>[b]</s>bo &amp; ld<e>[/b]</e></B></r>', ' bo &amp; ld ']
];
}
public function test_s9e()
/**
* @dataProvider data_strip_bbcode
*/
public function test_strip_bbcode($input, $expected)
{
$phpbb_container = $this->get_test_case_helpers()->set_s9e_services();
$original = '<r><B><s>[b]</s>bold<e>[/b]</e></B></r>';
$expected = ' bold ';
strip_bbcode($input);
$actual = $original;
strip_bbcode($actual);
$this->assertSame($expected, $actual);
$this->assertSame($expected, $input);
}
}
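Review bot: data_strip_bbcode pins the new escaping only for `&amp;`, so the entity-state guarantee this commit is about is untested for `<`, `>` and quotes — the characters that actually decide whether the output is safe to reuse as escaped text. A constructed case mirroring the existing rows, e.g. `['<r><B><s>[b]</s>&lt;i&gt;<e>[/b]</e></B></r>', ' &lt;i&gt; ']` (and a legacy twin `['[b:20m4ill1]&lt;i&gt;[/b:20m4ill1]', ' &lt;i&gt; ']`), would fail if the `<r>` path ever returned the decoded text again; adjust the expected strings to what utf8_htmlspecialchars produces for quotes if you add those too. Separately, the provider and the new test carry no types or docblock; if the project's PHP floor allows it, `public function data_strip_bbcode(): array` with `@return array<int, array{0: string, 1: string}>` and `public function test_strip_bbcode(string $input, string $expected): void` make the by-reference mutation of `$input` by strip_bbcode the only untyped thing left in the test.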