fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-04-02 01:52:10 +09:00
Code Issues Projects Releases Packages Wiki Activity

Add option to escape() to keep user lang codes intact #1976

Browse source
This commit is contained in:
Kijin Sung 2022-08-15 18:06:23 +09:00
parent 170f7f95b9
commit 8abe1b1d7d
2 changed files with 14 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

14
common/functions.php
View file

@ -180,12 +180,20 @@ function clean_path($path)
*
* @param string $str The string to escape
* @param bool $double_escape Set this to false to skip symbols that are already escaped (default: true)
* @param bool $except_lang_code Set this to true to skip user lang codes (default: false)
* @return string
*/
function escape($str, $double_escape = true)
function escape($str, $double_escape = true, $except_lang_code = false)
{
$flags = ENT_QUOTES | ENT_SUBSTITUTE;
return htmlspecialchars($str, $flags, 'UTF-8', $double_escape);
if ($except_lang_code && preg_match('/^\$user_lang->userLang[0-9]+$/', $str))
{
return $str;
}
else
{
$flags = ENT_QUOTES | ENT_SUBSTITUTE;
return htmlspecialchars($str, $flags, 'UTF-8', $double_escape);
}
}
/**

3
tests/unit/functions/FunctionsTest.php
View file

@ -39,6 +39,9 @@ class FunctionsTest extends \Codeception\TestCase\Test
$this->assertEquals('&lt;foo&gt;invalid'. "\xEF\xBF\xBD" . 'unicode&lt;/foo&gt;', escape('<foo>invalid' . "\xE4\xA8" . 'unicode</foo>'));
$this->assertEquals('&lt;foo&gt;invalid'. "\xEF\xBF\xBD" . 'unicode&lt;/foo&gt;', escape('<foo>invalid' . "\xE4\xA8" . 'unicode&lt;/foo&gt;', false));
$this->assertEquals('$user_lang-&gt;userLang1234567890', escape('$user_lang->userLang1234567890', true, false));
$this->assertEquals('$user_lang->userLang1234567890', escape('$user_lang->userLang1234567890', true, true));
$this->assertEquals('expressionalertXSS', escape_css('expression:alert("XSS")'));
$this->assertEquals('#123456', escape_css('#123456'));