From: Brett Profitt
Date: Thu, 6 Dec 2012 19:02:18 +0000 (-0500)
Subject: Merge branch 'pr-420' into 1.8
X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=a60a58a6e884af4ab89b118bf2f23132335381fe;p=lorea%2Felgg.git
Merge branch 'pr-420' into 1.8
--- a60a58a6e884af4ab89b118bf2f23132335381fe
diff --cc engine/lib/output.php
index 352de863b,d50576b44..cce1c7cba
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@@ -399,44 -373,31 +373,73 @@@ function elgg_strip_tags($string)
 return $string;
 }
-/**
- * Unit tests for Output
- *
- * @param sting $hook unit_test
- * @param string $type system
- * @param mixed $value Array of tests
- * @param mixed $params Params
- *
- * @return array
- * @access private
- */
-function output_unit_test($hook, $type, $value, $params) {
- global $CONFIG;
- $value[] = $CONFIG->path . 'engine/tests/api/output.php';
- return $value;
+/**
+ * Apply html_entity_decode() to a string while re-entitising HTML
+ * special char entities to prevent them from being decoded back to their
+ * unsafe original forms.
+ *
+ * This relies on html_entity_decode() not translating entities when
+ * doing so leaves behind another entity, e.g. &gt; if decoded would
+ * create > which is another entity itself. This seems to escape the
+ * usual behaviour where any two paired entities creating a HTML tag are
+ * usually decoded, i.e. a lone > is not decoded, but <foo> would
+ * be decoded to since it creates a full tag.
+ *
+ * Note: This function is poorly explained in the manual - which is really
+ * bad given its potential for misuse on user input already escaped elsewhere.
+ * Stackoverflow is littered with advice to use this function in the precise
+ * way that would lead to user input being capable of injecting arbitrary HTML.
+ *
+ * @param string $string
+ *
+ * @return string
+ *
+ * @author Pádraic Brady
+ * @copyright Copyright (c) 2010 Pádraic Brady (http://blog.astrumfutura.com)
+ * @license Released under dual-license GPL2/MIT by explicit permission of Pádraic Brady
+ *
+ * @access private
+ */
+function _elgg_html_decode($string) {
+ $string = str_replace(
+ array('>', '<', '&', '"', '''),
+ array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'),
+ $string
+ );
+ $string = html_entity_decode($string, ENT_NOQUOTES, 'UTF-8');
+ $string = str_replace(
+ array('&gt;', '&lt;', '&amp;', '&quot;', '&#039;'),
+ array('>', '<', '&', '"', '''),
+ $string
+ );
+ return $string;
 }
+
-/**
- * Initialise the Output subsystem.
- *
- * @return void
- * @access private
- */
++/**
++ * Unit tests for Output
++ *
++ * @param sting $hook unit_test
++ * @param string $type system
++ * @param mixed $value Array of tests
++ * @param mixed $params Params
++ *
++ * @return array
++ * @access private
++ */
++function output_unit_test($hook, $type, $value, $params) {
++ global $CONFIG;
++ $value[] = $CONFIG->path . 'engine/tests/api/output.php';
++ return $value;
++}
++
++/**
++ * Initialise the Output subsystem.
++ *
++ * @return void
++ * @access private
++ */
+ function output_init() {
+ elgg_register_plugin_hook_handler('unit_test', 'system', 'output_unit_test');
-}
++}
+
+ elgg_register_event_handler('init', 'system', 'output_init');
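Review bot: As printed here, the two replacement tables in `_elgg_html_decode` are one entity level short of what the docblock promises: the first `str_replace` turns raw `>`, `<`, `&` into `&gt;`, `&lt;`, `&amp;`, and the last one turns `&gt;`/`&lt;` back into raw `>`/`<`, so an input that is already escaped such as `&lt;b&gt;` becomes `&amp;lt;b&amp;gt;`, is decoded by `html_entity_decode()` to `&lt;b&gt;`, and then leaves the function as a live `<b>`, which is exactly the injection the function exists to prevent. This is probably the page rendering having decoded the literals once (the `'''` element in the first table looks like a decoded `&#039;`), but if the file really reads this way the tables need an extra `&amp;` prefix, i.e. the first pass should map each existing entity `&gt;`, `&lt;`, `&amp;`, `&quot;`, `&#039;` to its `&amp;`-prefixed form and the last pass should undo only that, so that the only thing `html_entity_decode()` can decode is text that was not already an entity. Either way the contract is worth pinning in `engine/tests/api/output.php`, which this hunk registers via `output_unit_test`, with a case asserting that `_elgg_html_decode('&lt;b&gt;')` returns `'&lt;b&gt;'` unchanged. The re-added docblock of `output_unit_test` also carries the `@param sting $hook` typo, which should read `string`.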