Merge pull request #4631 from JoshyPHP/ticket/14985

[ticket/14985] Decode HTML special chars in plain text columns

* JoshyPHP/ticket/14985:
  [ticket/14985] Added functional tests for BBCodes and smilies
  [ticket/14985] Decode HTML special chars in plain text columns

phpBB/phpbb/textformatter/data_access.php

@@ -81,11 +81,8 @@ class data_access
 	public function get_bbcodes()
 	{
 		$sql = 'SELECT bbcode_match, bbcode_tpl FROM ' . $this->bbcodes_table;
-		$result = $this->db->sql_query($sql);
-		$rows = $this->db->sql_fetchrowset($result);
-		$this->db->sql_freeresult($result);
 
-		return $rows;
+		return $this->fetch_decoded_rowset($sql, ['bbcode_match']);
 	}
 
 	/**
@@ -101,11 +98,8 @@ class data_access
 		$sql = 'SELECT code, emotion, smiley_url, smiley_width, smiley_height
 			FROM ' . $this->smilies_table . '
 			ORDER BY display_on_posting DESC';
-		$result = $this->db->sql_query($sql);
-		$rows = $this->db->sql_fetchrowset($result);
-		$this->db->sql_freeresult($result);
 
-		return $rows;
+		return $this->fetch_decoded_rowset($sql, ['code', 'emotion', 'smiley_url']);
 	}
 
 	/**
@@ -116,11 +110,8 @@ class data_access
 	protected function get_styles()
 	{
 		$sql = 'SELECT style_id, style_path, style_parent_id, bbcode_bitfield FROM ' . $this->styles_table;
-		$result = $this->db->sql_query($sql);
-		$rows = $this->db->sql_fetchrowset($result);
-		$this->db->sql_freeresult($result);
 
-		return $rows;
+		return $this->fetch_decoded_rowset($sql);
 	}
 
 	/**
@@ -219,10 +210,43 @@ class data_access
 	public function get_censored_words()
 	{
 		$sql = 'SELECT word, replacement FROM ' . $this->words_table;
+
+		return $this->fetch_decoded_rowset($sql, ['word', 'replacement']);
+	}
+
+	/**
+	* Decode HTML special chars in given rowset
+	*
+	* @param  array $rows    Original rowset
+	* @param  array $columns List of columns to decode
+	* @return array          Decoded rowset
+	*/
+	protected function decode_rowset(array $rows, array $columns)
+	{
+		foreach ($rows as &$row)
+		{
+			foreach ($columns as $column)
+			{
+				$row[$column] = htmlspecialchars_decode($row[$column]);
+			}
+		}
+
+		return $rows;
+	}
+
+	/**
+	* Fetch all rows for given query and decode plain text columns
+	*
+	* @param  string $sql     SELECT query
+	* @param  array  $columns List of columns to decode
+	* @return array
+	*/
+	protected function fetch_decoded_rowset($sql, array $columns = [])
+	{
 		$result = $this->db->sql_query($sql);
 		$rows = $this->db->sql_fetchrowset($result);
 		$this->db->sql_freeresult($result);
 
-		return $rows;
+		return $this->decode_rowset($rows, $columns);
 	}
 }

phpBB/phpbb/textformatter/s9e/factory.php

@@ -333,8 +333,7 @@ class factory implements \phpbb\textformatter\cache_interface
 			$configurator->plugins->load('Censor', array('tagName' => 'censor:tag'));
 			foreach ($censor as $row)
 			{
-				// NOTE: words are stored as HTML, we need to decode them to plain text
-				$configurator->Censor->add(htmlspecialchars_decode($row['word']),  htmlspecialchars_decode($row['replacement']));
+				$configurator->Censor->add($row['word'], $row['replacement']);
 			}
 		}
 

tests/functional/acp_bbcodes_test.php

@@ -0,0 +1,46 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+/**
+ * @group functional
+ */
+class phpbb_functional_acp_bbcodes_test extends phpbb_functional_test_case
+{
+	public function test_htmlspecialchars()
+	{
+		$this->login();
+		$this->admin_login();
+
+		// Create the BBCode
+		$crawler = self::request('GET', 'adm/index.php?i=acp_bbcodes&sid=' . $this->sid . '&mode=bbcodes&action=add');
+		$form = $crawler->selectButton('Submit')->form(array(
+			'bbcode_match' => '[mod="{TEXT1}"]{TEXT2}[/mod]',
+			'bbcode_tpl'   => '<div>{TEXT1}</div><div>{TEXT2}</div>'
+		));
+		self::submit($form);
+
+		// Test it in the "new topic" preview
+		$crawler = self::request('GET', 'posting.php?mode=post&f=2&sid=' . $this->sid);
+		$form = $crawler->selectButton('Preview')->form(array(
+			'subject' => 'subject',
+			'message' => '[mod=a]b[/mod][mod="c"]d[/mod]'
+		));
+		$crawler = self::submit($form);
+
+		$html = $crawler->filter('#preview')->html();
+		$this->assertContains('<div>a</div>', $html);
+		$this->assertContains('<div>b</div>', $html);
+		$this->assertContains('<div>c</div>', $html);
+		$this->assertContains('<div>d</div>', $html);
+	}
+}

tests/functional/acp_smilies_test.php

@@ -0,0 +1,43 @@
+<?php
+/**
+ *
+ * This file is part of the phpBB Forum Software package.
+ *
+ * @copyright (c) phpBB Limited <https://www.phpbb.com>
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+/**
+ * @group functional
+ */
+class phpbb_functional_acp_smilies_test extends phpbb_functional_test_case
+{
+	public function test_htmlspecialchars()
+	{
+		$this->login();
+		$this->admin_login();
+
+		// Create the BBCode
+		$crawler = self::request('GET', 'adm/index.php?i=acp_icons&sid=' . $this->sid . '&mode=smilies&action=edit&id=1');
+		$form = $crawler->selectButton('Submit')->form(array(
+			'code[icon_e_biggrin.gif]'    => '>:D',
+			'emotion[icon_e_biggrin.gif]' => '>:D'
+		));
+		self::submit($form);
+
+		// Test it in the "new topic" preview
+		$crawler = self::request('GET', 'posting.php?mode=post&f=2&sid=' . $this->sid);
+		$form = $crawler->selectButton('Preview')->form(array(
+			'subject' => 'subject',
+			'message' => '>:D'
+		));
+		$crawler = self::submit($form);
+
+		$html = $crawler->filter('#preview')->html();
+		$this->assertRegexp('(<img [^>]+ alt="&gt;:D" title="&gt;:D"[^>]*>)', $html);
+	}
+}