Use ENT_QUOTES when converting UTF-8 to HTML (#448)

Closes #448.
2025-01-19 01:24:05 +01:00 · 2022-09-15 14:42:00 -04:00 · 2022-09-15 14:42:00 -04:00 · 4c6a695a6f
commit 4c6a695a6f
parent e42a1b04b1
2 changed files with 20 additions and 1 deletions
--- a/inc/config.php
+++ b/inc/config.php
@ -1159,6 +1159,8 @@
 	$config['error']['mime_exploit']	= _('MIME type detection XSS exploit (IE) detected; post discarded.');
 	$config['error']['invalid_embed']	= _('Couldn\'t make sense of the URL of the video you tried to embed.');
 	$config['error']['captcha']		= _('You seem to have mistyped the verification.');
+	$config['error']['flag_undefined']	= _('The flag %s is undefined, your PHP version is too old!');
+	$config['error']['flag_wrongtype']	= _('defined_flags_accumulate(): The flag %s is of the wrong type!');


 	// Moderator errors
--- a/inc/functions.php
+++ b/inc/functions.php
@ -2286,8 +2286,25 @@ function escape_markup_modifiers($string) {
 	return preg_replace('@<(tinyboard) ([\w\s]+)>@mi', '<$1 escape $2>', $string);
 }

+function defined_flags_accumulate($desired_flags) {
+	$output_flags = 0x0;
+	foreach ($desired_flags as $flagname) {
+		if (defined($flagname)) {
+			$flag = constant($flagname);
+			if (gettype($flag) != 'integer')
+				error(sprintf($config['error']['flag_wrongtype'], $flagname));
+			$output_flags |= $flag;
+		} else {
+			if ($config['deprecation_errors'])
+				error(sprintf($config['error']['flag_undefined'], $flagname));
+		}
+	}
+	return $output_flags;
+}
+
 function utf8tohtml($utf8) {
-	return htmlspecialchars($utf8, ENT_NOQUOTES, 'UTF-8');
+	$flags = defined_flags_accumulate(['ENT_QUOTES', 'ENT_SUBSTITUTE', 'ENT_DISALLOWED']);
+	return htmlspecialchars($utf8, $flags, 'UTF-8');
 }

 function ordutf8($string, &$offset) {