From 288def143cb8f594fd5c58d6a6dab07263a6c60e Mon Sep 17 00:00:00 2001
From: JoshyPHP <s9e.dev@gmail.com>
Date: Tue, 7 Nov 2017 10:34:11 +0100
Subject: [PATCH] [ticket/15442] Allow unsafe HTML in bbcode.html

PHPBB3-15442
---
 phpBB/phpbb/textformatter/s9e/factory.php     |  2 +-
 tests/text_formatter/s9e/factory_test.php     | 16 ++++++++
 .../styles/unsafe/template/bbcode.html        | 40 +++++++++++++++++++
 .../s9e/fixtures/unsafe_default_bbcodes.xml   | 24 +++++++++++
 4 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 tests/text_formatter/s9e/fixtures/styles/unsafe/template/bbcode.html
 create mode 100644 tests/text_formatter/s9e/fixtures/unsafe_default_bbcodes.xml

diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php
index d5ad8283d9..3a6c6ef43f 100644
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@@ -271,7 +271,7 @@ class factory implements \phpbb\textformatter\cache_interface
 		// Add default BBCodes
 		foreach ($this->get_default_bbcodes($configurator) as $bbcode)
 		{
-			$configurator->BBCodes->addCustom($bbcode['usage'], $bbcode['template']);
+			$configurator->BBCodes->addCustom($bbcode['usage'], new UnsafeTemplate($bbcode['template']));
 		}
 		if (isset($configurator->tags['QUOTE']))
 		{
diff --git a/tests/text_formatter/s9e/factory_test.php b/tests/text_formatter/s9e/factory_test.php
index fd9b4e4c09..d35330a975 100644
--- a/tests/text_formatter/s9e/factory_test.php
+++ b/tests/text_formatter/s9e/factory_test.php
@@ -247,6 +247,22 @@ class phpbb_textformatter_s9e_factory_test extends phpbb_database_test_case
 		$this->assertSame($expected, $renderer->render($parser->parse($original)));
 	}
 
+	/**
+	* @testdox Accepts unsafe default BBCodes
+	*/
+	public function test_unsafe_default_bbcodes()
+	{
+		$fixture   = __DIR__ . '/fixtures/unsafe_default_bbcodes.xml';
+		$style_dir = __DIR__ . '/fixtures/styles/';
+		$container = $this->get_test_case_helpers()->set_s9e_services(null, $fixture, $style_dir);
+		$parser    = $container->get('text_formatter.parser');
+		$renderer  = $container->get('text_formatter.renderer');
+
+		$original = '[b]alert(1)[/b]';
+		$expected = '<script>alert(1)</script>';
+		$this->assertSame($expected, $renderer->render($parser->parse($original)));
+	}
+
 	/**
 	* @testdox get_configurator() triggers events before and after configuration
 	*/
diff --git a/tests/text_formatter/s9e/fixtures/styles/unsafe/template/bbcode.html b/tests/text_formatter/s9e/fixtures/styles/unsafe/template/bbcode.html
new file mode 100644
index 0000000000..f3932f9b78
--- /dev/null
+++ b/tests/text_formatter/s9e/fixtures/styles/unsafe/template/bbcode.html
@@ -0,0 +1,40 @@
+<!-- BEGIN ulist_open --><ul style="list-style-type: {LIST_TYPE}"><!-- END ulist_open -->
+<!-- BEGIN ulist_open_default --><ul><!-- END ulist_open_default -->
+<!-- BEGIN ulist_close --></ul><!-- END ulist_close -->
+
+<!-- BEGIN olist_open --><ol style="list-style-type: {LIST_TYPE}"><!-- END olist_open -->
+<!-- BEGIN olist_close --></ol><!-- END olist_close -->
+
+<!-- BEGIN listitem --><li><!-- END listitem -->
+<!-- BEGIN listitem_close --></li><!-- END listitem_close -->
+
+<!-- BEGIN quote_username_open --><blockquote><div><cite>{USERNAME} {L_WROTE}{L_COLON}</cite><!-- END quote_username_open -->
+<!-- BEGIN quote_open --><blockquote class="uncited"><div><!-- END quote_open -->
+<!-- BEGIN quote_close --></div></blockquote><!-- END quote_close -->
+
+<!-- BEGIN code_open --><div class="codebox"><p>{L_CODE}{L_COLON} <a href="#" onclick="selectCode(this); return false;">{L_SELECT_ALL_CODE}</a></p><code><!-- END code_open -->
+<!-- BEGIN code_close --></code></div><!-- END code_close -->
+
+<!-- BEGIN inline_attachment_open --><div class="inline-attachment"><!-- END inline_attachment_open -->
+<!-- BEGIN inline_attachment_close --></div><!-- END inline_attachment_close -->
+
+<!-- BEGIN b_open --><script><!-- END b_open -->
+<!-- BEGIN b_close --></script><!-- END b_close -->
+
+<!-- BEGIN u_open --><span style="text-decoration: underline"><!-- END u_open -->
+<!-- BEGIN u_close --></span><!-- END u_close -->
+
+<!-- BEGIN i_open --><em><!-- END i_open -->
+<!-- BEGIN i_close --></em><!-- END i_close -->
+
+<!-- BEGIN color --><span style="color: {COLOR}">{TEXT}</span><!-- END color -->
+
+<!-- BEGIN size --><span style="font-size: {SIZE}%; line-height: 116%;">{TEXT}</span><!-- END size -->
+
+<!-- BEGIN img --><img src="{URL}" class="postimage" alt="{L_IMAGE}" /><!-- END img -->
+
+<!-- BEGIN url --><a href="{URL}" class="postlink">{DESCRIPTION}</a><!-- END url -->
+
+<!-- BEGIN email --><a href="mailto:{EMAIL}">{DESCRIPTION}</a><!-- END email -->
+
+<!-- BEGIN flash --><object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000" codebase="http://active.macromedia.com/flash2/cabs/swflash.cab#version=5,0,0,0" width="{WIDTH}" height="{HEIGHT}"><param name="movie" value="{URL}" /><param name="play" value="false" /><param name="loop" value="false" /><param name="quality" value="high" /><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><embed src="{URL}" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" width="{WIDTH}" height="{HEIGHT}" play="false" loop="false" quality="high" allowscriptaccess="never" allownetworking="internal"></embed></object><!-- END flash -->
diff --git a/tests/text_formatter/s9e/fixtures/unsafe_default_bbcodes.xml b/tests/text_formatter/s9e/fixtures/unsafe_default_bbcodes.xml
new file mode 100644
index 0000000000..06524a13cc
--- /dev/null
+++ b/tests/text_formatter/s9e/fixtures/unsafe_default_bbcodes.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<dataset>
+	<table name="phpbb_styles">
+		<column>style_id</column>
+		<column>style_name</column>
+		<column>style_copyright</column>
+		<column>style_active</column>
+		<column>style_path</column>
+		<column>bbcode_bitfield</column>
+		<column>style_parent_id</column>
+		<column>style_parent_tree</column>
+
+		<row>
+			<value>1</value>
+			<value>unsafe</value>
+			<value></value>
+			<value>1</value>
+			<value>unsafe</value>
+			<value>QA==</value>
+			<value>0</value>
+			<value></value>
+		</row>
+	</table>
+</dataset>