Ticket #17780: miqro-17780.patch

src/wp-includes/formatting.php

@@ -665 +665 @@
                 $quote_style = ENT_NOQUOTES;
         }
 
-        // Handle double encoding ourselves
-        if ( $double_encode ) {
-                $string = @htmlspecialchars( $string, $quote_style, $charset );
-        } else {
-                // Decode & into &
-                $string = wp_specialchars_decode( $string, $_quote_style );
+        $string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode );
 
-                // Guarantee every &entity; is valid or re-encode the &
-                $string = wp_kses_normalize_entities( $string );
-
-                // Now re-encode everything except &entity;
-                $string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );
-
-                for ( $i = 0, $c = count( $string ); $i < $c; $i += 2 ) {
-                        $string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset );
-                }
-                $string = implode( '', $string );
-        }
-
         // Backwards compatibility
         if ( 'single' === $_quote_style )
                 $string = str_replace( "'", '&#039;', $string );

tests/phpunit/tests/formatting/WPSpecialchars.php

@@ -39 +39 @@
                 $this->assertEquals( '"'hello!'"', _wp_specialchars($source, true) );
                 $this->assertEquals( $source, _wp_specialchars($source) );
         }
+
+        /**
+         * Check some of the double-encoding features for entity references.
+         *
+         * @ticket 17780
+         * @dataProvider data_double_encoding
+         */
+        function test_double_encoding( $input, $output ) {
+                return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, true ) );
+        }
+
+        function data_double_encoding() {
+                return array(
+                        array(
+                                'This & that, this & that, — " " Ú   " " " " " $ ×',
+                                'This & that, this & that, — " " Ú   " " " " " $ ×',
+                        ),
+                        array(
+                                '&& && && &;',
+                                '&& && && &;',
+                        ),
+                        array(
+                                '&garbage; &***; &aaaa; &0000; &####; &;;',
+                                '&garbage; &***; &aaaa; &0000; &####; &;;',
+                        ),
+                );
+        }
+
+        /**
+         * Check some of the double-encoding features for entity references.
+         *
+         * @ticket 17780
+         * @dataProvider data_no_double_encoding
+         */
+        function test_no_double_encoding( $input, $output ) {
+                return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, false ) );
+        }
+
+        function data_no_double_encoding() {
+                return array(
+                        array(
+                                'This & that, this & that, — " " Ú   " " " " " $ ×',
+                                'This & that, this & that, — " " Ú   " " " " " $ ×',
+                        ),
+                        array(
+                                '&& && && &;',
+                                '&& && && &;',
+                        ),
+                        array(
+                                '&garbage; &***; &aaaa; &0000; &####; &;;',
+                                '&garbage; &***; &aaaa; &0000; &####; &;;',
+                        ),
+                );
+        }
 }