
Ticket #8767: filters.patch

File filters.patch, 9.3 KB (added by sambauers, 9 years ago)
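--- a/wp-includes/compat.php
+++ b/wp-includes/compat.php
@@ -96,11 +96,23 @@
         return implode( '', $chars );
 }
 
-// from php.net
-if ( !function_exists('htmlspecialchars_decode') ) {
-        function htmlspecialchars_decode( $str, $quote_style = ENT_COMPAT ) {
-        return strtr( $str, array_flip( get_html_translation_table(HTML_SPECIALCHARS, $quote_style) ) );
-    }
+if ( !function_exists( 'htmlspecialchars_decode' ) ) {
+        // Added in PHP 5.1.0
+        // Error checks from PEAR::PHP_Compat
+        function htmlspecialchars_decode( $str, $quote_style = ENT_COMPAT )
+        {
+                if ( !is_scalar( $string ) ) {
+                        trigger_error( 'htmlspecialchars_decode() expects parameter 1 to be string, ' . gettype( $string ) . ' given', E_USER_WARNING );
+                        return;
+                }
+
+                if ( !is_int( $quote_style ) && $quote_style !== null ) {
+                        trigger_error( 'htmlspecialchars_decode() expects parameter 2 to be integer, ' . gettype( $quote_style ) . ' given', E_USER_WARNING );
+                        return;
+                }
+
+                return wp_specialchars_decode( $str, $quote_style );
+        }
 }
 
 ?>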
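Review bot: The parameter validation in the new htmlspecialchars_decode() shim tests `$string`, but the parameter is declared as `$str`, so `is_scalar( $string )` reads an undefined variable, the E_USER_WARNING fires on every call and the function returns null instead of the decoded text. Either rename the parameter to `$string` in the signature and the final `wp_specialchars_decode()` call, or point the two checks at `$str`: `if ( !is_scalar( $str ) ) {` and `gettype( $str ) . ' given'`. The null return is the problem worth fixing before this ships, because a decode helper that yields nothing on valid input is indistinguishable from empty input to its callers.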
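--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -186,37 +186,176 @@
 /**
  * Converts a number of special characters into their HTML entities.
  *
- * Differs from htmlspecialchars as existing HTML entities will not be encoded.
- * Specifically changes: & to &#038;, < to &lt; and > to &gt;.
+ * Specifically deals with: &, <, >, ", and '.
  *
- * $quotes can be set to 'single' to encode ' to &#039;, 'double' to encode " to
- * &quot;, or '1' to do both. Default is 0 where no quotes are encoded.
+ * $quote_style can be set to ENT_COMPAT to encode " to
+ * &quot;, or ENT_QUOTES to do both. Default is ENT_NOQUOTES where no quotes are encoded.
  *
  * @since 1.2.2
  *
- * @param string $text The text which is to be encoded.
- * @param mixed $quotes Optional. Converts single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default 0.
+ * @param string $string The text which is to be encoded.
+ * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
+ * @param string $charset Optional. The character encoding of the string. Default is false.
+ * @param boolean $double_encode Optional. Whether or not to encode existing html entities. Default is false.
  * @return string The encoded text with HTML entities.
  */
-function wp_specialchars( $text, $quotes = 0 ) {
-        // Like htmlspecialchars except don't double-encode HTML entities
-        $text = str_replace('&&', '&#038;&', $text);
-        $text = str_replace('&&', '&#038;&', $text);
-        $text = preg_replace('/&(?:$|([^#])(?![a-z1-4]{1,8};))/', '&#038;$1', $text);
-        $text = str_replace('<', '&lt;', $text);
-        $text = str_replace('>', '&gt;', $text);
-        if ( 'double' === $quotes ) {
-                $text = str_replace('"', '&quot;', $text);
-        } elseif ( 'single' === $quotes ) {
-                $text = str_replace("'", '&#039;', $text);
-        } elseif ( $quotes ) {
-                $text = str_replace('"', '&quot;', $text);
-                $text = str_replace("'", '&#039;', $text);
+function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false )
+{
+        $string = (string) $string;
+
+        if ( 0 === strlen( $string ) ) {
+                return '';
         }
-        return $text;
+
+        if ( !$charset ) {
+                $charset = get_option( 'blog_charset' );
+        }
+        if ( in_array( $charset, array( 'utf8', 'utf-8', 'UTF8' ) ) ) {
+                $charset = 'UTF-8';
+        }
+
+        switch ( $quote_style ) {
+                case ENT_QUOTES:
+                default:
+                        $quote_style = ENT_QUOTES;
+                        $_quote_style = ENT_QUOTES;
+                        break;
+                case ENT_COMPAT:
+                case 'double':
+                        $quote_style = ENT_COMPAT;
+                        $_quote_style = ENT_COMPAT;
+                        break;
+                case 'single':
+                        $quote_style = ENT_NOQUOTES;
+                        $_quote_style = 'single';
+                        break;
+                case ENT_NOQUOTES:
+                case false:
+                case 0:
+                case '':
+                case null:
+                        $quote_style = ENT_NOQUOTES;
+                        $_quote_style = ENT_NOQUOTES;
+                        break;
+        }
+
+        // Handle double encoding ourselves
+        if ( !$double_encode ) {
+                $string = wp_specialchars_decode( $string, $_quote_style );
+                $string = preg_replace( '/&(#?x?[0-9]+|[a-z]+);/i', '|wp_entity|$1|/wp_entity|', $string );
+        }
+
+        $string = htmlspecialchars( $string, $quote_style, $charset );
+
+        // Handle double encoding ourselves
+        if ( !$double_encode ) {
+                $string = str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );
+        }
+
+        // Backwards compatibility
+        if ( 'single' === $_quote_style ) {
+                $string = str_replace( "'", '&#039;', $string );
+        }
+
+        return $string;
 }
 
 /**
+ * Converts a number of HTML entities into their special characters.
+ *
+ * Specifically deals with: &, <, >, ", and '.
+ *
+ * $quote_style can be set to ENT_COMPAT to decode " entities,
+ * or ENT_QUOTES to do both " and '. Default is ENT_NOQUOTES where no quotes are decoded.
+ *
+ * @since 2.8
+ *
+ * @param string $string The text which is to be decoded.
+ * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
+ * @return string The decoded text without HTML entities.
+ */
+function wp_specialchars_decode( $string, $quote_style = ENT_NOQUOTES )
+{
+        $string = (string) $string;
+
+        if ( 0 === strlen( $string ) ) {
+                return '';
+        }
+
+        // More complete than get_html_translation_table( HTML_SPECIALCHARS )
+        $single = array( '&#039;'  => '\'', '&#x27;' => '\'' );
+        $single_preg = array( '/&#0*39;/'  => '&#039;', '/&#x0*27;/i' => '&#x27;' );
+        $double = array( '&quot;' => '"', '&#034;'  => '"', '&#x22;' => '"' );
+        $double_preg = array( '/&#0*34;/'  => '&#034;', '/&#x0*22;/i' => '&#x22;' );
+        $others = array( '&lt;'   => '<', '&#060;'  => '<', '&gt;'   => '>', '&#062;'  => '>', '&amp;'  => '&', '&#038;'  => '&', '&#x26;' => '&' );
+        $others_preg = array( '/&#0*60;/'  => '&#060;', '/&#0*62;/'  => '&#062;', '/&#0*38;/'  => '&#038;', '/&#x0*26;/i' => '&#x26;' );
+
+        switch ( $quote_style ) {
+                case ENT_QUOTES:
+                default:
+                        $translation = array_merge( $single, $double, $others );
+                        $translation_preg = array_merge( $single_preg, $double_preg, $others_preg );
+                        break;
+                case ENT_COMPAT:
+                case 'double':
+                        $translation = array_merge( $double, $others );
+                        $translation_preg = array_merge( $double_preg, $others_preg );
+                        break;
+                case 'single':
+                        $translation = array_merge( $single, $others );
+                        $translation_preg = array_merge( $single_preg, $others_preg );
+                        break;
+                case ENT_NOQUOTES:
+                case false:
+                case 0:
+                case '':
+                case null:
+                        $translation = $others;
+                        $translation_preg = $others_preg;
+                        break;
+        }
+
+        // Remove zero padding on numeric entities
+        $string = preg_replace( array_keys( $translation_preg ), array_values( $translation_preg ), $string );
+
+        // Replace characters according to translation table
+        return strtr( $string, $translation );
+}
+
+/**
+ * Checks for invalid UTF8 in a string.
+ *
+ * @since 2.8
+ *
+ * @param string $string The text which is to be checked.
+ * @param boolean $strip Optional. Whether to attempt to strip out invalid UTF8. Default is false.
+ * @return string The checked text.
+ */
+function wp_check_invalid_utf8( $string, $strip = false )
+{
+        $string = (string) $string;
+
+        if ( 0 === strlen( $string ) ) {
+                return '';
+        }
+
+        if ( !in_array( get_option( 'blog_charset' ), array( 'utf8', 'utf-8', 'UTF8', 'UTF-8' ) ) ) {
+                return $string;
+        }
+
+        // preg_match fails when it encounters invalid UTF8 in $string
+        if ( 1 === @preg_match( '@^.@us', $string ) ) {
+                return $string;
+        }
+
+        if ( $strip && function_exists( 'iconv' ) ) {
+                return iconv( 'utf-8', 'utf-8', $string );
+        } else {
+                return '';
+        }
+}
+
+/**
  * Encode the Unicode values to be used in the URI.
  *
  * @since 1.5.0
@@ -1742,10 +1881,11 @@
  * @return string Escaped text.
  */
 function js_escape($text) {
-        $safe_text = wp_specialchars($text, 'double');
-        $safe_text = preg_replace('/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes($safe_text));
-        $safe_text = preg_replace("/\r?\n/", "\\n", addslashes($safe_text));
-        return apply_filters('js_escape', $safe_text, $text);
+        $safe_text = wp_check_invalid_utf8( $text );
+        $safe_text = wp_specialchars( $safe_text, ENT_COMPAT );
+        $safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
+        $safe_text = preg_replace( "/\r?\n/", "\\n", addslashes( $safe_text ) );
+        return apply_filters( 'js_escape', $safe_text, $text );
 }
 
 /**
@@ -1756,9 +1896,10 @@
  * @param string $text
  * @return string
  */
-function attribute_escape($text) {
-        $safe_text = wp_specialchars($text, true);
-        return apply_filters('attribute_escape', $safe_text, $text);
+function attribute_escape( $text ) {
+        $safe_text = wp_check_invalid_utf8( $text );
+        $safe_text = wp_specialchars( $safe_text, ENT_QUOTES );
+        return apply_filters( 'attribute_escape', $safe_text, $text );
 }
 
 /**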
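Review bot: The `switch ( $quote_style )` in wp_specialchars(), and the identical one in wp_specialchars_decode(), compares loosely, so on PHP releases before 8.0 (where a non-numeric string compares equal to the integer 0) the default ENT_NOQUOTES, which is 0, matches `case 'double':` before execution ever reaches `case ENT_NOQUOTES:`, and a caller asking for no quote handling silently gets ENT_COMPAT — in the decode function that turns `&quot;` back into `"` against the caller's request. Reordering the cases does not help because the comparison is symmetric ('double' would then match `case 0:`); instead normalise the legacy string values with strict checks before the switch, e.g. `if ( 'double' === $quote_style ) { $quote_style = ENT_COMPAT; }` together with a strictly-derived `$legacy_single = ( 'single' === $quote_style );`, and switch only on the integer constants. Separately, the entity-preserving pattern `'/&(#?x?[0-9]+|[a-z]+);/i'` in wp_specialchars() does not match hexadecimal references containing letters such as `&#xA9;`, so those are double-encoded even when `$double_encode` is false; `'/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/i'` would preserve them consistently with the decimal and named forms.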