[ticket/15163] Escape curly braces in smilies HTML attributes

PHPBB3-15163
2025-03-20 23:51:28 +01:00 · 2017-04-07 08:49:56 +02:00 · 2017-04-07 08:49:56 +02:00 · ddcd0f2437
commit ddcd0f2437
parent d4f0c79b56
4 changed files with 40 additions and 1 deletions
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@ -311,7 +311,7 @@ class factory implements \phpbb\textformatter\cache_interface
 		{
 			$configurator->Emoticons->set(
 				$row['code'],
-				'<img class="smilies" src="{$T_SMILIES_PATH}/' . htmlspecialchars($row['smiley_url']) . '" width="' . $row['smiley_width'] . '" height="' . $row['smiley_height'] . '" alt="{.}" title="' . htmlspecialchars($row['emotion']) . '"/>'
+				'<img class="smilies" src="{$T_SMILIES_PATH}/' . $this->escape_html_attribute($row['smiley_url']) . '" width="' . $row['smiley_width'] . '" height="' . $row['smiley_height'] . '" alt="{.}" title="' . $this->escape_html_attribute($row['emotion']) . '"/>'
 			);
 		}

@ -441,6 +441,20 @@ class factory implements \phpbb\textformatter\cache_interface
 			->addParameterByName('parser');
 	}

+	/**
+	* Escape a literal to be used in an HTML attribute in an XSL template
+	*
+	* Escapes "HTML special chars" for obvious reasons and curly braces to avoid them
+	* being interpreted as an attribute value template
+	*
+	* @param  string $value Original string
+	* @return string        Escaped string
+	*/
+	protected function escape_html_attribute($value)
+	{
+		return htmlspecialchars(strtr($value, ['{' => '{{', '}' => '}}']), ENT_COMPAT | ENT_XML1, 'UTF-8');
+	}
+
 	/**
 	* Return the default BBCodes configuration
 	*
--- a/tests/text_processing/tickets_data/PHPBB3-15163.html
+++ b/tests/text_processing/tickets_data/PHPBB3-15163.html
@ -0,0 +1 @@
+<img class="smilies" src="phpBB/images/smilies/icon_lol.gif" width="15" height="17" alt="--{E" title="--{E">
--- a/tests/text_processing/tickets_data/PHPBB3-15163.txt
+++ b/tests/text_processing/tickets_data/PHPBB3-15163.txt
@ -0,0 +1 @@
+--{E
--- a/tests/text_processing/tickets_data/PHPBB3-15163.xml
+++ b/tests/text_processing/tickets_data/PHPBB3-15163.xml
@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<dataset>
+	<table name="phpbb_smilies">
+		<column>smiley_id</column>
+		<column>code</column>
+		<column>emotion</column>
+		<column>smiley_url</column>
+		<column>smiley_width</column>
+		<column>smiley_height</column>
+		<column>smiley_order</column>
+		<column>display_on_posting</column>
+		<row>
+			<value>1</value>
+			<value>--{E</value>
+			<value>--{E</value>
+			<value>icon_lol.gif</value>
+			<value>15</value>
+			<value>17</value>
+			<value>22</value>
+			<value>1</value>
+		</row>
+	</table>
+</dataset>
				`@ -0,0 +1 @@`
				`<img class="smilies" src="phpBB/images/smilies/icon_lol.gif" width="15" height="17" alt="--{E" title="--{E">`