
Issue #4102 Parsing of < or >

This commit is contained in:
Cameron
2020-02-17 13:13:06 -08:00
parent 15c97cf73a
commit df764389a8
2 changed files with 27 additions and 7 deletions


@@ -539,8 +539,11 @@ class e_parse extends e_parser
} }
else // caused double-encoding of '&' else // caused double-encoding of '&'
{ {
//$data = str_replace('<','&lt;',$data); // $data = str_replace('&amp;','&',$data);
//$data = str_replace('>','&gt;',$data); // $data = str_replace('<','&lt;',$data);
// $data = str_replace('>','&gt;',$data);
// $data = str_replace('&','&amp;',$data);
} }
@@ -5323,11 +5326,20 @@ return;
{ {
if(empty($html)){ return ''; } if(empty($html)){ return ''; }
if($this->isHtml($html) === false)
{
$html = str_replace('<','&lt;',$html);
$html = str_replace('>','&gt;',$html);
}
$html = str_replace('&nbsp;', '{E_PARSER_CLEAN_HTML_NON_BREAKING_SPACE}', $html); // prevent replacement of &nbsp; with spaces. $html = str_replace('&nbsp;', '{E_PARSER_CLEAN_HTML_NON_BREAKING_SPACE}', $html); // prevent replacement of &nbsp; with spaces.
// Workaround for https://bugs.php.net/bug.php?id=76285 // Workaround for https://bugs.php.net/bug.php?id=76285
// Part 1 of 2 // Part 1 of 2
$html = str_replace("\n", "{E_PARSER_CLEAN_HTML_LINE_BREAK}", $html); $html = str_replace("\n", "{E_PARSER_CLEAN_HTML_LINE_BREAK}", $html);
if(strpos($html, "<body")===false) // HTML Fragment if(strpos($html, "<body")===false) // HTML Fragment
{ {
$html = '<body>'.$html.'</body>'; $html = '<body>'.$html.'</body>';
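Review bot: The new `if($this->isHtml($html) === false)` branch makes the safety of the whole method rest on the `isHtml()` heuristic, yet nothing at the branch says so; add `// Plain text (no markup detected): entity-encode '<' and '>' so stray angle brackets survive the DOM cleaner as text instead of being dropped as malformed tags. Anything isHtml() accepts still goes through the full cleaner below.` Judging by the isHtml test cases in the second file (`"< 200"` → false, `"<200>"` → true), the heuristic appears to key on a closing `>`, so the branch only changes the plain-text path and the cleaner path is unchanged; worth confirming that is the intended boundary. In the first hunk, the else branch at line 539 now accumulates four commented-out `str_replace` lines; the `// caused double-encoding of '&'` comment already records the decision, so the dead lines should be deleted rather than extended. The enclosing function starts before this hunk, and the hunk header announces 20 new lines while only 14 are shown, so its tail is not visible here.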


@@ -247,7 +247,7 @@ TMP;
$tests = array( $tests = array(
0 => array( 0 => array(
'input' => "<svg/onload=prompt(1)//", 'input' => "<svg/onload=prompt(1)//",
'expected' => '' 'expected' => '&lt;svg/onload=prompt(1)//'
), ),
1 => array( 1 => array(
'input' => "some plain text with a\nline break", 'input' => "some plain text with a\nline break",
@@ -337,6 +337,10 @@ TMP;
'expected' => '&lt;a href=&quot;&quot;&gt;Hello&lt;/a&gt;', 'expected' => '&lt;a href=&quot;&quot;&gt;Hello&lt;/a&gt;',
'mode' => 'no_html', 'mode' => 'no_html',
), ),
22 => array(
'input' => '< 200',
'expected' => '&lt; 200',
),
); );
@@ -811,7 +815,9 @@ TMP;
3 => array("<div class='something'>[code]something[/code]</div>", true), 3 => array("<div class='something'>[code]something[/code]</div>", true),
4 => array("[code]&lt;b&gt;someting&lt;/b&gt;[/code]", false), 4 => array("[code]&lt;b&gt;someting&lt;/b&gt;[/code]", false),
5 => array("[html]something[/html]", true), 5 => array("[html]something[/html]", true),
6 => array("http://something.com/index.php?what=ever", false) 6 => array("http://something.com/index.php?what=ever", false),
7 => array("< 200", false),
8 => array("<200>", true),
); );
@@ -958,15 +964,17 @@ TMP;
public function testCleanHtml() public function testCleanHtml()
{ {
$tests = array( $tests = array(
0 => array('html' => "<svg/onload=prompt(1)//", 'expected' => ''), 0 => array('html' => "<svg/onload=prompt(1)//", 'expected' => '&lt;svg/onload=prompt(1)//'),
1 => array('html' => '<script>alert(123)</script>', 'expected'=>''), // 1 => array('html' => '<script>alert(123)</script>', 'expected'=>''),
2 => array('html' => '"><script>alert(123)</script>', 'expected'=>'"&gt;'), // 2 => array('html' => '"><script>alert(123)</script>', 'expected'=>'"&gt;'),
3 => array('html' => '< 200', 'expected'=>'&lt; 200'),
); );
foreach($tests as $var) foreach($tests as $var)
{ {
$result = $this->tp->cleanHtml($var['html']); $result = $this->tp->cleanHtml($var['html']);
$this->assertEquals($var['expected'], $result);
// FIXME: This test doesn't do anything? // FIXME: This test doesn't do anything?
} }
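Review bot: In testCleanHtml the two `<script>` cases (`'<script>alert(123)</script>'` and `'"><script>alert(123)</script>'`) are commented out rather than given corrected expectations, so the `assertEquals` added just below never exercises script removal, which is the regression this cleaner exists to guard. Both inputs contain a closing `>` and, judging by the new isHtml cases (`"<200>"` → true), would still take the DOM-cleaner path, so their real cleaned output can be captured and the cases kept enabled. The `// FIXME: This test doesn't do anything?` comment is now stale once the assertion is present and should be removed in the same change. The hunk header counts 17 new lines but fewer are shown, so the end of testCleanHtml is outside this view.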