From ddcd0f243791ea64373b53f077689df0c46c713a Mon Sep 17 00:00:00 2001
From: JoshyPHP <s9e.dev@gmail.com>
Date: Fri, 7 Apr 2017 08:49:56 +0200
Subject: [PATCH] [ticket/15163] Escape curly braces in smilies HTML attributes

PHPBB3-15163
---
 phpBB/phpbb/textformatter/s9e/factory.php     | 16 ++++++++++++-
 .../tickets_data/PHPBB3-15163.html            |  1 +
 .../tickets_data/PHPBB3-15163.txt             |  1 +
 .../tickets_data/PHPBB3-15163.xml             | 23 +++++++++++++++++++
 4 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 tests/text_processing/tickets_data/PHPBB3-15163.html
 create mode 100644 tests/text_processing/tickets_data/PHPBB3-15163.txt
 create mode 100644 tests/text_processing/tickets_data/PHPBB3-15163.xml

diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php
index 5cbf2712f7..7719ce5afa 100644
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@@ -311,7 +311,7 @@ class factory implements \phpbb\textformatter\cache_interface
 		{
 			$configurator->Emoticons->set(
 				$row['code'],
-				'<img class="smilies" src="{$T_SMILIES_PATH}/' . htmlspecialchars($row['smiley_url']) . '" width="' . $row['smiley_width'] . '" height="' . $row['smiley_height'] . '" alt="{.}" title="' . htmlspecialchars($row['emotion']) . '"/>'
+				'<img class="smilies" src="{$T_SMILIES_PATH}/' . $this->escape_html_attribute($row['smiley_url']) . '" width="' . $row['smiley_width'] . '" height="' . $row['smiley_height'] . '" alt="{.}" title="' . $this->escape_html_attribute($row['emotion']) . '"/>'
 			);
 		}
 
@@ -441,6 +441,20 @@ class factory implements \phpbb\textformatter\cache_interface
 			->addParameterByName('parser');
 	}
 
+	/**
+	* Escape a literal to be used in an HTML attribute in an XSL template
+	*
+	* Escapes "HTML special chars" for obvious reasons and curly braces to avoid them
+	* being interpreted as an attribute value template
+	*
+	* @param  string $value Original string
+	* @return string        Escaped string
+	*/
+	protected function escape_html_attribute($value)
+	{
+		return htmlspecialchars(strtr($value, ['{' => '{{', '}' => '}}']), ENT_COMPAT | ENT_XML1, 'UTF-8');
+	}
+
 	/**
 	* Return the default BBCodes configuration
 	*
diff --git a/tests/text_processing/tickets_data/PHPBB3-15163.html b/tests/text_processing/tickets_data/PHPBB3-15163.html
new file mode 100644
index 0000000000..a1af10187c
--- /dev/null
+++ b/tests/text_processing/tickets_data/PHPBB3-15163.html
@@ -0,0 +1 @@
+<img class="smilies" src="phpBB/images/smilies/icon_lol.gif" width="15" height="17" alt="--{E" title="--{E">
\ No newline at end of file
diff --git a/tests/text_processing/tickets_data/PHPBB3-15163.txt b/tests/text_processing/tickets_data/PHPBB3-15163.txt
new file mode 100644
index 0000000000..126402d66a
--- /dev/null
+++ b/tests/text_processing/tickets_data/PHPBB3-15163.txt
@@ -0,0 +1 @@
+--{E
\ No newline at end of file
diff --git a/tests/text_processing/tickets_data/PHPBB3-15163.xml b/tests/text_processing/tickets_data/PHPBB3-15163.xml
new file mode 100644
index 0000000000..f3e04c230f
--- /dev/null
+++ b/tests/text_processing/tickets_data/PHPBB3-15163.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<dataset>
+	<table name="phpbb_smilies">
+		<column>smiley_id</column>
+		<column>code</column>
+		<column>emotion</column>
+		<column>smiley_url</column>
+		<column>smiley_width</column>
+		<column>smiley_height</column>
+		<column>smiley_order</column>
+		<column>display_on_posting</column>
+		<row>
+			<value>1</value>
+			<value>--{E</value>
+			<value>--{E</value>
+			<value>icon_lol.gif</value>
+			<value>15</value>
+			<value>17</value>
+			<value>22</value>
+			<value>1</value>
+		</row>
+	</table>
+</dataset>