From 5cb9a4b0194caeb6e08eb53a57850ca9036b8620 Mon Sep 17 00:00:00 2001
From: Andrew Ozz
Date: Fri, 19 Jun 2015 01:52:48 +0000
Subject: [PATCH] Fix using `htmlspecialchars()` whit the `$double_encode` parameter. PHP < 5.4 doesn't validate the entities. Props miqrogroove. Fixes #17780.
git-svn-id: https://develop.svn.wordpress.org/trunk@32851 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/formatting.php | 6 ++++++
 tests/phpunit/tests/formatting/EscHtml.php | 2 +-
 tests/phpunit/tests/formatting/WPSpecialchars.php | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index 6dd8faf440..d224ab7ccc 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -688,6 +688,12 @@ function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = fals
 $quote_style = ENT_NOQUOTES;
 }
+ if ( ! $double_encode ) {
+ // Guarantee every &entity; is valid, convert &garbage; into &garbage;
+ // This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
+ $string = wp_kses_normalize_entities( $string );
+ }
+
 $string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode );
 // Backwards compatibility
diff --git a/tests/phpunit/tests/formatting/EscHtml.php b/tests/phpunit/tests/formatting/EscHtml.php
index 291d8b0885..14f17dfa8c 100644
--- a/tests/phpunit/tests/formatting/EscHtml.php
+++ b/tests/phpunit/tests/formatting/EscHtml.php
@@ -34,7 +34,7 @@ class Tests_Formatting_EscHtml extends WP_UnitTestCase {
 function test_ignores_existing_entities() {
 $source = '& £ " &';
- $res = '& £ " &';
+ $res = '& £ " &';
 $this->assertEquals( $res, esc_html($source) );
 }
 }
diff --git a/tests/phpunit/tests/formatting/WPSpecialchars.php b/tests/phpunit/tests/formatting/WPSpecialchars.php
index 2844a1e220..ddae7fdefa 100644
--- a/tests/phpunit/tests/formatting/WPSpecialchars.php
+++ b/tests/phpunit/tests/formatting/WPSpecialchars.php
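Review bot: The new comment says the normalization is required for PHP < 5.4.0, but the `if ( ! $double_encode )` block is not version-gated, so `wp_kses_normalize_entities()` runs on every PHP version; either add a `version_compare( PHP_VERSION, '5.4.0', '<' )` guard or reword the comment so it does not read as dead code on newer PHP, e.g. `// Normalize entities on all PHP versions so the output is the same whether or not htmlspecialchars() validates them itself (PHP < 5.4.0 does not).` Running it unconditionally is the more defensible choice, because a `&garbage;`-style sequence is then always rewritten before `htmlspecialchars()` sees it with `$double_encode = false`, and the escaped result no longer depends on the runtime. The call also makes formatting.php depend on a kses.php function; if `_wp_specialchars()` can be reached before kses.php is loaded, this would fail with an undefined-function fatal, which is worth confirming against the bootstrap order. `_wp_specialchars()` begins before and continues past this hunk.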
@@ -85,7 +85,7 @@ class Tests_Formatting_WPSpecialchars extends WP_UnitTestCase {
 return array(
 array(
 'This & that, this & that, — " " Ú   " " " " " $ ×',
- 'This & that, this & that, — " &QUOT; Ú   " " " " " &dollar; ×',
+ 'This & that, this & that, — " &QUOT; Ú   " " " " " &dollar; ×',
 ),
 array(
 '&& && && &;',