Changeset 18485


Timestamp:
07/29/11 20:43:45 (3 years ago)
Author:
ryan
Message:

Better double encoding handling in _wp_special_chars(). Props miqrogroove.

File:
1 edited

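--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -295,24 +295,21 @@
     $string = (string) $string;
 
-    if ( 0 === strlen( $string ) ) {
+    if ( 0 === strlen( $string ) )
         return '';
-    }
 
     // Don't bother if there are no specialchars - saves some processing
-    if ( !preg_match( '/[&<>"\']/', $string ) ) {
+    if ( ! preg_match( '/[&<>"\']/', $string ) )
         return $string;
-    }
 
     // Account for the previous behaviour of the function when the $quote_style is not an accepted value
-    if ( empty( $quote_style ) ) {
+    if ( empty( $quote_style ) )
         $quote_style = ENT_NOQUOTES;
-    } elseif ( !in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) ) {
+    elseif ( ! in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) )
         $quote_style = ENT_QUOTES;
-    }
 
     // Store the site charset as a static to avoid multiple calls to wp_load_alloptions()
-    if ( !$charset ) {
+    if ( ! $charset ) {
         static $_charset;
-        if ( !isset( $_charset ) ) {
+        if ( ! isset( $_charset ) ) {
             $alloptions = wp_load_alloptions();
             $_charset = isset( $alloptions['blog_charset'] ) ? $alloptions['blog_charset'] : '';
@@ -320,7 +317,7 @@
         $charset = $_charset;
     }
-    if ( in_array( $charset, array( 'utf8', 'utf-8', 'UTF8' ) ) ) {
+
+    if ( in_array( $charset, array( 'utf8', 'utf-8', 'UTF8' ) ) )
         $charset = 'UTF-8';
-    }
 
     $_quote_style = $quote_style;
@@ -334,26 +331,25 @@
 
     // Handle double encoding ourselves
-    if ( !$double_encode ) {
+    if ( $double_encode ) {
+        $string = @htmlspecialchars( $string, $quote_style, $charset );
+    } else {
+        // Decode &amp; into &
         $string = wp_specialchars_decode( $string, $_quote_style );
 
-        /* Critical */
-        // The previous line decodes &amp;phrase; into &phrase;  We must guarantee that &phrase; is valid before proceeding.
-        $string = wp_kses_normalize_entities($string);
-
-        // Now proceed with custom double-encoding silliness
-        $string = preg_replace( '/&(#?x?[0-9a-z]+);/i', '|wp_entity|$1|/wp_entity|', $string );
-    }
-
-    $string = @htmlspecialchars( $string, $quote_style, $charset );
-
-    // Handle double encoding ourselves
-    if ( !$double_encode ) {
-        $string = str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );
+        // Guarantee every &entity; is valid or re-encode the &
+        $string = wp_kses_normalize_entities( $string );
+
+        // Now re-encode everything except &entity;
+        $string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );
+
+        for ( $i = 0; $i < count( $string ); $i += 2 )
+            $string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset );
+
+        $string = implode( '', $string );
     }
 
     // Backwards compatibility
-    if ( 'single' === $_quote_style ) {
+    if ( 'single' === $_quote_style )
         $string = str_replace( "'", '&#039;', $string );
-    }
 
     return $string;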
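Review bot: In the new `else` branch (new lines 339–348) the odd-indexed segments returned by `preg_split` are emitted unescaped, so the output is only safe if the split pattern `/(&#?x?[0-9a-z]+;)/i` never matches anything that `wp_kses_normalize_entities()` would leave as an un-encoded, invalid entity; that coupling between the two is not stated anywhere and is easy to break by editing either side. I would make it explicit above the `preg_split` call: `// Odd segments pass through unescaped: keep this pattern no wider than what wp_kses_normalize_entities() guarantees is a valid entity`. The `@` on both `htmlspecialchars()` calls (new lines 334 and 346) also hides any warning it raises, e.g. for an unsupported `$charset`, which makes a misconfigured blog charset invisible in logs; the removed code had the same suppression, so this is a pre-existing choice that deserves a comment rather than a regression. Minor: `count( $string )` is re-evaluated on every iteration of the `for`; `$n = count( $string );` hoisted once before the loop reads more clearly. The signature of `_wp_special_chars()` and the declarations of `$charset` and `$double_encode` are above the hunk.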