mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-31 22:10:45 +02:00
Code Issues Releases Wiki Activity

[ticket/15163] Escape curly braces in smilies HTML attributes

Browse Source 
PHPBB3-15163
This commit is contained in:
JoshyPHP
2017-04-07 08:49:56 +02:00
committed by Tristan Darricau
parent d4f0c79b56
commit ddcd0f2437
4 changed files with 40 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
phpBB/phpbb/textformatter/s9e/factory.php
View File

@@ -311,7 +311,7 @@ class factory implements \phpbb\textformatter\cache_interface
{
$configurator->Emoticons->set(
$row['code'],
'<img class="smilies" src="{$T_SMILIES_PATH}/' . htmlspecialchars($row['smiley_url']) . '" width="' . $row['smiley_width'] . '" height="' . $row['smiley_height'] . '" alt="{.}" title="' . htmlspecialchars($row['emotion']) . '"/>'
'<img class="smilies" src="{$T_SMILIES_PATH}/' . $this->escape_html_attribute($row['smiley_url']) . '" width="' . $row['smiley_width'] . '" height="' . $row['smiley_height'] . '" alt="{.}" title="' . $this->escape_html_attribute($row['emotion']) . '"/>'
);
}
@@ -441,6 +441,20 @@ class factory implements \phpbb\textformatter\cache_interface
->addParameterByName('parser');
}
/**
* Escape a literal to be used in an HTML attribute in an XSL template
*
* Escapes "HTML special chars" for obvious reasons and curly braces to avoid them
* being interpreted as an attribute value template
*
* @param string $value Original string
* @return string Escaped string
*/
protected function escape_html_attribute($value)
{
return htmlspecialchars(strtr($value, ['{' => '{{', '}' => '}}']), ENT_COMPAT | ENT_XML1, 'UTF-8');
}
/**
* Return the default BBCodes configuration
*