diff --git a/phpBB/phpbb/textformatter/data_access.php b/phpBB/phpbb/textformatter/data_access.php
index 2103bf8e60..0d37e62c87 100644
--- a/phpBB/phpbb/textformatter/data_access.php
+++ b/phpBB/phpbb/textformatter/data_access.php
@@ -81,11 +81,8 @@ class data_access
public function get_bbcodes()
{
$sql = 'SELECT bbcode_match, bbcode_tpl FROM ' . $this->bbcodes_table;
- $result = $this->db->sql_query($sql);
- $rows = $this->db->sql_fetchrowset($result);
- $this->db->sql_freeresult($result);
- return $rows;
+ return $this->fetch_decoded_rowset($sql, ['bbcode_match']);
}
/**
@@ -101,11 +98,8 @@ class data_access
$sql = 'SELECT code, emotion, smiley_url, smiley_width, smiley_height
FROM ' . $this->smilies_table . '
ORDER BY display_on_posting DESC';
- $result = $this->db->sql_query($sql);
- $rows = $this->db->sql_fetchrowset($result);
- $this->db->sql_freeresult($result);
- return $rows;
+ return $this->fetch_decoded_rowset($sql, ['code', 'emotion', 'smiley_url']);
}
/**
@@ -116,11 +110,8 @@ class data_access
protected function get_styles()
{
$sql = 'SELECT style_id, style_path, style_parent_id, bbcode_bitfield FROM ' . $this->styles_table;
- $result = $this->db->sql_query($sql);
- $rows = $this->db->sql_fetchrowset($result);
- $this->db->sql_freeresult($result);
- return $rows;
+ return $this->fetch_decoded_rowset($sql);
}
/**
@@ -219,10 +210,43 @@ class data_access
public function get_censored_words()
{
$sql = 'SELECT word, replacement FROM ' . $this->words_table;
+
+ return $this->fetch_decoded_rowset($sql, ['word', 'replacement']);
+ }
+
+ /**
+ * Decode HTML special chars in given rowset
+ *
+ * @param array $rows Original rowset
+ * @param array $columns List of columns to decode
+ * @return array Decoded rowset
+ */
+ protected function decode_rowset(array $rows, array $columns)
+ {
+ foreach ($rows as &$row)
+ {
+ foreach ($columns as $column)
+ {
+ $row[$column] = htmlspecialchars_decode($row[$column]);
+ }
+ }
+
+ return $rows;
+ }
+
+ /**
+ * Fetch all rows for given query and decode plain text columns
+ *
+ * @param string $sql SELECT query
+ * @param array $columns List of columns to decode
+ * @return array
+ */
+ protected function fetch_decoded_rowset($sql, array $columns = [])
+ {
$result = $this->db->sql_query($sql);
$rows = $this->db->sql_fetchrowset($result);
$this->db->sql_freeresult($result);
- return $rows;
+ return $this->decode_rowset($rows, $columns);
}
}
diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php
index 55149b8e63..5cbf2712f7 100644
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@@ -333,8 +333,7 @@ class factory implements \phpbb\textformatter\cache_interface
$configurator->plugins->load('Censor', array('tagName' => 'censor:tag'));
foreach ($censor as $row)
{
- // NOTE: words are stored as HTML, we need to decode them to plain text
- $configurator->Censor->add(htmlspecialchars_decode($row['word']), htmlspecialchars_decode($row['replacement']));
+ $configurator->Censor->add($row['word'], $row['replacement']);
}
}
diff --git a/tests/functional/acp_bbcodes_test.php b/tests/functional/acp_bbcodes_test.php
new file mode 100644
index 0000000000..58681dfa07
--- /dev/null
+++ b/tests/functional/acp_bbcodes_test.php
@@ -0,0 +1,46 @@
+
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+/**
+ * @group functional
+ */
+class phpbb_functional_acp_bbcodes_test extends phpbb_functional_test_case
+{
+ public function test_htmlspecialchars()
+ {
+ $this->login();
+ $this->admin_login();
+
+ // Create the BBCode
+ $crawler = self::request('GET', 'adm/index.php?i=acp_bbcodes&sid=' . $this->sid . '&mode=bbcodes&action=add');
+ $form = $crawler->selectButton('Submit')->form(array(
+ 'bbcode_match' => '[mod="{TEXT1}"]{TEXT2}[/mod]',
+ 'bbcode_tpl' => '{TEXT1}
{TEXT2}
'
+ ));
+ self::submit($form);
+
+ // Test it in the "new topic" preview
+ $crawler = self::request('GET', 'posting.php?mode=post&f=2&sid=' . $this->sid);
+ $form = $crawler->selectButton('Preview')->form(array(
+ 'subject' => 'subject',
+ 'message' => '[mod=a]b[/mod][mod="c"]d[/mod]'
+ ));
+ $crawler = self::submit($form);
+
+ $html = $crawler->filter('#preview')->html();
+ $this->assertContains('a
', $html);
+ $this->assertContains('b
', $html);
+ $this->assertContains('c
', $html);
+ $this->assertContains('d
', $html);
+ }
+}
diff --git a/tests/functional/acp_smilies_test.php b/tests/functional/acp_smilies_test.php
new file mode 100644
index 0000000000..ebe8717fa7
--- /dev/null
+++ b/tests/functional/acp_smilies_test.php
@@ -0,0 +1,43 @@
+
+ * @license GNU General Public License, version 2 (GPL-2.0)
+ *
+ * For full copyright and license information, please see
+ * the docs/CREDITS.txt file.
+ *
+ */
+
+/**
+ * @group functional
+ */
+class phpbb_functional_acp_smilies_test extends phpbb_functional_test_case
+{
+ public function test_htmlspecialchars()
+ {
+ $this->login();
+ $this->admin_login();
+
+ // Create the BBCode
+ $crawler = self::request('GET', 'adm/index.php?i=acp_icons&sid=' . $this->sid . '&mode=smilies&action=edit&id=1');
+ $form = $crawler->selectButton('Submit')->form(array(
+ 'code[icon_e_biggrin.gif]' => '>:D',
+ 'emotion[icon_e_biggrin.gif]' => '>:D'
+ ));
+ self::submit($form);
+
+ // Test it in the "new topic" preview
+ $crawler = self::request('GET', 'posting.php?mode=post&f=2&sid=' . $this->sid);
+ $form = $crawler->selectButton('Preview')->form(array(
+ 'subject' => 'subject',
+ 'message' => '>:D'
+ ));
+ $crawler = self::submit($form);
+
+ $html = $crawler->filter('#preview')->html();
+ $this->assertRegexp('(![]()
]+ alt=">:D" title=">:D"[^>]*>)', $html);
+ }
+}