From df764389a8df8967cbac162ab14e927b4bc845cb Mon Sep 17 00:00:00 2001
From: Cameron <e107inc@gmail.com>
Date: Mon, 17 Feb 2020 13:13:06 -0800
Subject: [PATCH] Issue #4102 Parsing of < or >

---
 e107_handlers/e_parse_class.php       | 16 ++++++++++++++--
 e107_tests/tests/unit/e_parseTest.php | 18 +++++++++++++-----
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/e107_handlers/e_parse_class.php b/e107_handlers/e_parse_class.php
index a12e2e0e9..7ecc07d62 100644
--- a/e107_handlers/e_parse_class.php
+++ b/e107_handlers/e_parse_class.php
@@ -539,8 +539,11 @@ class e_parse extends e_parser
 			}
 			else // caused double-encoding of '&'
 			{
-				//$data = str_replace('<','&lt;',$data);
-				//$data = str_replace('>','&gt;',$data);
+			//	$data = str_replace('&amp;','&',$data);
+		//		$data = str_replace('<','&lt;',$data);
+		//		$data = str_replace('>','&gt;',$data);
+			//	$data = str_replace('&','&amp;',$data);
+
 			}
 
 
@@ -5323,11 +5326,20 @@ return;
     {
         if(empty($html)){ return ''; }
 
+        if($this->isHtml($html) === false)
+        {
+            	$html = str_replace('<','&lt;',$html);
+				$html = str_replace('>','&gt;',$html);
+        }
+
 		$html = str_replace('&nbsp;', '{E_PARSER_CLEAN_HTML_NON_BREAKING_SPACE}', $html); // prevent replacement of &nbsp; with spaces.
 		// Workaround for https://bugs.php.net/bug.php?id=76285
 		//  Part 1 of 2
 		$html = str_replace("\n", "{E_PARSER_CLEAN_HTML_LINE_BREAK}", $html);
 
+
+
+
         if(strpos($html, "<body")===false) // HTML Fragment
 		{
        		$html = '<body>'.$html.'</body>';
diff --git a/e107_tests/tests/unit/e_parseTest.php b/e107_tests/tests/unit/e_parseTest.php
index 1a399022f..363e5a426 100644
--- a/e107_tests/tests/unit/e_parseTest.php
+++ b/e107_tests/tests/unit/e_parseTest.php
@@ -247,7 +247,7 @@ TMP;
 			$tests = array(
 				0  => array(
 					'input'     => "<svg/onload=prompt(1)//",
-					'expected'  => ''
+					'expected'  => '&lt;svg/onload=prompt(1)//'
 				),
 				1  => array(
 					'input'     => "some plain text with a\nline break",
@@ -337,6 +337,10 @@ TMP;
 					'expected'  => '&lt;a href=&quot;&quot;&gt;Hello&lt;/a&gt;',
 					'mode'      => 'no_html',
 				),
+				22 => array(
+					'input'     => '< 200',
+					'expected'  => '&lt; 200',
+				),
 
 			);
 
@@ -811,7 +815,9 @@ TMP;
 				3   => array("<div class='something'>[code]something[/code]</div>", true),
 				4   => array("[code]&lt;b&gt;someting&lt;/b&gt;[/code]", false),
 				5   => array("[html]something[/html]", true),
-				6   => array("http://something.com/index.php?what=ever", false)
+				6   => array("http://something.com/index.php?what=ever", false),
+				7   => array("< 200", false),
+				8   => array("<200>", true),
 			);
 
 
@@ -958,15 +964,17 @@ TMP;
 		public function testCleanHtml()
 		{
 			$tests = array(
-				0   => array('html' => "<svg/onload=prompt(1)//", 'expected' => ''),
-				1   => array('html' => '<script>alert(123)</script>', 'expected'=>''),
-				2   => array('html' => '"><script>alert(123)</script>', 'expected'=>'"&gt;'),
+				0   => array('html' => "<svg/onload=prompt(1)//", 'expected' => '&lt;svg/onload=prompt(1)//'),
+			//	1   => array('html' => '<script>alert(123)</script>', 'expected'=>''),
+			//	2   => array('html' => '"><script>alert(123)</script>', 'expected'=>'"&gt;'),
+				3   => array('html' => '< 200', 'expected'=>'&lt; 200'),
 
 			);
 
 			foreach($tests as $var)
 			{
 				$result = $this->tp->cleanHtml($var['html']);
+				$this->assertEquals($var['expected'], $result);
 				// FIXME: This test doesn't do anything?
 			}