MDL-47371 weblib: Add option to disable escaping

fladi · Jul 12, 2016 · 6fb1a71 · 6fb1a71
1 parent 5a1728d
commit 6fb1a71
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 4 deletions.
diff --git a/lib/tests/externallib_test.php b/lib/tests/externallib_test.php
@@ -196,6 +196,7 @@ public function test_external_format_string() {
         $correct = 'ENFR hi there%';
         $this->assertSame($correct, external_format_string($test, $context->id, false, ['filter' => false]));
 
+        $this->assertSame("& < > \" '", format_string("& < > \" '", true, ['escape' => false]));
 
         $settings->set_raw($currentraw);
         $settings->set_filter($currentfilter);

diff --git a/lib/tests/weblib_test.php b/lib/tests/weblib_test.php
@@ -37,6 +37,7 @@ public function test_format_string() {
         $this->assertSame("ANother &amp; &amp;&amp;&amp;&amp;&amp; Category", format_string("ANother & &&&&& Category"));
         $this->assertSame("ANother &amp; &amp;&amp;&amp;&amp;&amp; Category", format_string("ANother & &&&&& Category", true));
         $this->assertSame("Nick's Test Site &amp; Other things", format_string("Nick's Test Site & Other things", true));
+        $this->assertSame("& < > \" '", format_string("& < > \" '", true, ['escape' => false]));
 
         // String entities.
         $this->assertSame("&quot;", format_string("&quot;"));

diff --git a/lib/upgrade.txt b/lib/upgrade.txt
@@ -13,6 +13,7 @@ information provided here is intended especially for developers.
   - get_user_max_upload_file_size()
 * The following functions have been removed and should not be used any more:
     - file_modify_html_header() - See MDL-29738 for more information.
+* New option 'escape' added to format_string. When true (default), escapes HTML entities from the string
 
 === 3.1 ===
 

diff --git a/lib/weblib.php b/lib/weblib.php
@@ -1425,13 +1425,15 @@ function format_string($string, $striplinks = true, $options = null) {
         $options['filter'] = true;
     }
 
+    $options['escape'] = !isset($options['escape']) || $options['escape'];
+
     if (!$options['context']) {
         // We did not find any context? weird.
         return $string = strip_tags($string);
     }
 
     // Calculate md5.
-    $md5 = md5($string.'<+>'.$striplinks.'<+>'.$options['context']->id.'<+>'.current_language());
+    $md5 = md5($string.'<+>'.$striplinks.'<+>'.$options['context']->id.'<+>'.$options['escape'].'<+>'.current_language());
 
     // Fetch from cache if possible.
     if (isset($strcache[$md5])) {
@@ -1440,7 +1442,7 @@ function format_string($string, $striplinks = true, $options = null) {
 
     // First replace all ampersands not followed by html entity code
     // Regular expression moved to its own method for easier unit testing.
-    $string = replace_ampersands_not_followed_by_entity($string);
+    $string = $options['escape'] ? replace_ampersands_not_followed_by_entity($string) : $string;
 
     if (!empty($CFG->filterall) && $options['filter']) {
         $filtermanager = filter_manager::instance();
@@ -1450,8 +1452,11 @@ function format_string($string, $striplinks = true, $options = null) {
 
     // If the site requires it, strip ALL tags from this string.
     if (!empty($CFG->formatstringstriptags)) {
-        $string = str_replace(array('<', '>'), array('&lt;', '&gt;'), strip_tags($string));
-
+        if ($options['escape']) {
+            $string = str_replace(array('<', '>'), array('&lt;', '&gt;'), strip_tags($string));
+        } else {
+            $string = strip_tags($string);
+        }
     } else {
         // Otherwise strip just links if that is required (default).
         if ($striplinks) {