From 3c3e510c2eca8ae6dd0283ffdeb0de2ce645714b Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Tue, 9 Sep 2025 15:24:54 +0900
Subject: [PATCH] Fix double escaping of document and comment summary

---
 modules/comment/comment.item.php | 15 ++++++++++-----
 modules/document/document.item.php | 31 +++++++++++++++++++-----------
 2 files changed, 30 insertions(+), 16 deletions(-)

diff --git a/modules/comment/comment.item.php b/modules/comment/comment.item.php
index a372bc029..30508fc69 100644
--- a/modules/comment/comment.item.php
+++ b/modules/comment/comment.item.php
@@ -466,10 +466,12 @@ class CommentItem extends BaseObject
 $content = trim(utf8_normalize_spaces(html_entity_decode(strip_tags($content))));
 if($strlen)
 {
- $content = cut_str($content, $strlen, '...');
+ $content = escape(cut_str($content, $strlen, '...'), false);
+ }
+ else
+ {
+ $content = escape($content);
 }
-
- $content = escape($content);
 
 if ($content === '')
 {
@@ -511,9 +513,12 @@ class CommentItem extends BaseObject
 $content = trim(utf8_normalize_spaces(html_entity_decode(strip_tags($content))));
 if($strlen)
 {
- $content = cut_str($content, $strlen, '...');
+ return escape(cut_str($content, $strlen, '...'), false);
+ }
+ else
+ {
+ return escape($content);
 }
- return escape($content);
 }
 
 /**
diff --git a/modules/document/document.item.php b/modules/document/document.item.php
index dcf90e8d7..b183c43a2 100644
--- a/modules/document/document.item.php
+++ b/modules/document/document.item.php
@@ -634,10 +634,12 @@ class DocumentItem extends BaseObject
 $content = trim(utf8_normalize_spaces(html_entity_decode(strip_tags($content))));
 if($strlen)
 {
- $content = cut_str($content, $strlen, '...');
+ return escape(cut_str($content, $strlen, '...'), false);
+ }
+ else
+ {
+ return escape($content);
 }
-
- return escape($content);
 }
 
 function getContentText($strlen = 0)
@@ -653,17 +655,22 @@ class DocumentItem extends BaseObject
 }
 
 $content = preg_replace('!(
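Review bot: The two branches of the new `if($strlen)`/`else` in the first comment.item.php hunk do not escape the same way — the truncated path calls `escape(cut_str(...), false)` while the untruncated path keeps `escape($content)` — so whatever double-encoding the second argument is meant to suppress still happens whenever no length is requested, and the same asymmetry is repeated in the next two hunks. Unless `cut_str()` re-encodes entities (its body is not visible here), both branches should agree: `$content = escape($content, false);`. Presumably the second argument is htmlspecialchars' `double_encode`; if so, the safety of this change rests on `escape()` still converting raw `<`, `>`, `"` and `'` when that flag is false, which is worth pinning with a unit test along the lines of `escape('<b>&lt;', false) === '&lt;b&gt;&lt;'`. The enclosing method starts before and ends after this hunk.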

||get('content'));
- $content = preg_replace_callback('/<(object|param|embed)[^>]*/is', array($this, '_checkAllowScriptAccess'), $content);
- $content = preg_replace_callback('/]*>/is', array($this, '_addAllowScriptAccess'), $content);
+ //$content = preg_replace_callback('/<(object|param|embed)[^>]*/is', array($this, '_checkAllowScriptAccess'), $content);
+ //$content = preg_replace_callback('/]*>/is', array($this, '_addAllowScriptAccess'), $content);
+ $content = trim(utf8_normalize_spaces(html_entity_decode(strip_tags($content))));
 if($strlen)
 {
- $content = trim(utf8_normalize_spaces(html_entity_decode(strip_tags($content))));
- $content = cut_str($content, $strlen, '...');
+ return escape(cut_str($content, $strlen, '...'), false);
+ }
+ else
+ {
+ return escape($content);
 }
-
- return escape($content);
 }
 
+ /**
+ * @deprecated
+ */
 function _addAllowScriptAccess($m)
 {
 if($this->allowscriptaccessList[$this->allowscriptaccessKey] == 1)
@@ -674,6 +681,9 @@ class DocumentItem extends BaseObject
 return $m[0];
 }
 
+ /**
+ * @deprecated
+ */
 function _checkAllowScriptAccess($m)
 {
 if($m[1] == 'object')
@@ -806,8 +816,7 @@ class DocumentItem extends BaseObject
 
 // Truncate string
 $content = cut_str($content, $str_size, $tail);
-
- return escape($content);
+ return escape($content, false);
 }
 
 function getRegdate($format = 'Y.m.d H:i:s', $conversion = true)
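Review bot: The two `preg_replace_callback` calls in the getContentText hunk are commented out rather than removed, leaving dead code beside the two callbacks that are now tagged `@deprecated`; delete the two `//$content = …` lines (history already records them) and, since nothing in this hunk references the callbacks any more, say in their docblocks what supersedes them, e.g. `@deprecated No longer called: getContentText() strips all tags, so the allowscriptaccess rewrite is unnecessary.`. The hunk also hoists `trim(utf8_normalize_spaces(html_entity_decode(strip_tags($content))))` out of the `if($strlen)` branch, so a caller passing `$strlen = 0` now gets stripped plain text where it previously got the escaped raw markup — that behaviour change deserves a docblock on `getContentText()` stating that it returns tag-stripped text at any length. getContentText begins before this hunk.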