MDL-74853 various: add second parameter to htmlentities functions
Default value of the $flag argument changed in PHP 8.1 from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE
To ensure consistent behavior across different PHP version the second parameter is now required for the functions:
htmlspecialchars(), htmlentities(), htmlspecialchars_decode(), html_entity_decode() and get_html_translation_table()
marinaglancy committed Nov 28, 2022
1 parent 57c1e97 commit a800e7e
Showing 55 changed files with 109 additions and 109 deletions.
2 changes: 1 addition & 1 deletion admin/roles/classes/define_role_table_advanced.php
Expand Up @@ -533,7 +533,7 @@ protected function get_shortname_field($id) {

protected function get_description_field($id) {
return '<textarea class="form-textarea form-control" id="'. s($id) .'" name="description" rows="10" cols="50">' .
htmlspecialchars($this->role->description) .
htmlspecialchars($this->role->description, ENT_COMPAT) .
'</textarea>';
}

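Review bot: Pinning ENT_COMPAT at `htmlspecialchars($this->role->description, ENT_COMPAT)` keeps the pre-8.1 output but also keeps what the 8.1 default added: without ENT_SUBSTITUTE an invalid UTF-8 sequence in the stored description makes htmlspecialchars() return an empty string, so the textarea would silently render blank and a subsequent save could persist the blank, and single quotes stay unescaped, which is harmless inside textarea content but not in a single-quoted attribute. The id on the same line already goes through `s()`; if that helper applies the stricter flag set, passing the description through it as well gives one escaping policy for the element, otherwise `htmlspecialchars($this->role->description, ENT_COMPAT | ENT_SUBSTITUTE)` leaves quote handling unchanged while avoiding the empty-output case. The same trade-off applies to the other htmlspecialchars()/htmlentities() sites in this commit that produce HTML (admin/settings/plugins.php, the brickfield report hunks, lib/searchlib.php sanitize(), lib/setuplib.php, lib/weblib.php, lib/tests/other/todochecker.php).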
2 changes: 1 addition & 1 deletion admin/settings/plugins.php
Expand Up @@ -101,7 +101,7 @@
new lang_string('limitconcurrentlogins', 'core_auth'),
new lang_string('limitconcurrentlogins_desc', 'core_auth'), 0, $options));
$temp->add(new admin_setting_configtext('alternateloginurl', new lang_string('alternateloginurl', 'auth'),
new lang_string('alternatelogin', 'auth', htmlspecialchars(get_login_url())), ''));
new lang_string('alternatelogin', 'auth', htmlspecialchars(get_login_url(), ENT_COMPAT)), ''));
$temp->add(new admin_setting_configtext('forgottenpasswordurl', new lang_string('forgottenpasswordurl', 'auth'),
new lang_string('forgottenpassword', 'auth'), '', PARAM_URL));
$temp->add(new admin_setting_confightmleditor('auth_instructions', new lang_string('instructions', 'auth'),
4 changes: 2 additions & 2 deletions admin/tool/brickfield/classes/accessibility.php
Expand Up @@ -388,13 +388,13 @@ public static function run_one_check(
// Confirm if error is reported separately.
if ($DB->record_exists_select(manager::DB_ERRORS,
'resultid = ? AND ' . $DB->sql_compare_text('htmlcode', 255) . ' = ' . $DB->sql_compare_text('?', 255),
[$resultid, html_entity_decode($tmp->html)])) {
[$resultid, html_entity_decode($tmp->html, ENT_COMPAT)])) {
continue;
}
$error = new stdClass();
$error->resultid = $resultid;
$error->linenumber = $tmp->line;
$error->htmlcode = html_entity_decode($tmp->html);
$error->htmlcode = html_entity_decode($tmp->html, ENT_COMPAT);
$errors[] = $error;
}

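Review bot: The decoded html is computed twice, once for the lookup at `[$resultid, html_entity_decode($tmp->html, ENT_COMPAT)]` and again when the record is built at `$error->htmlcode = html_entity_decode($tmp->html, ENT_COMPAT);`; the duplicate detection only works while both calls use identical flags, so a single local such as `$htmlcode = html_entity_decode($tmp->html, ENT_COMPAT);` taken before the record_exists_select() call and reused in both places makes that invariant explicit. run_one_check() starts before the hunk.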
Expand Up @@ -43,7 +43,7 @@ public function get_report() {
$output[$testname]['body'] = $translation['description'];
foreach ($test as $k => $problem) {
if (is_object($problem)) {
$output[$testname]['problems'][$k]['element'] = htmlentities($problem->get_html());
$output[$testname]['problems'][$k]['element'] = htmlentities($problem->get_html(), ENT_COMPAT);
$output[$testname]['problems'][$k]['line'] = $problem->get_line();
if ($problem->message) {
$output[$testname]['problems']['message'] = $problem->message;
Expand Up @@ -67,7 +67,7 @@ public function get_report(): string {
}
}
$this->dom->formatOutput = true;
$html = htmlspecialchars($this->dom->saveHTML());
$html = htmlspecialchars($this->dom->saveHTML(), ENT_COMPAT);
$html = str_replace('&quot;', '"', $html);
foreach ($this->classnames as $name) {
$html = preg_replace('/&lt;'. $name .'([^&]+)+\&gt;/', '<span \\1>', $html);
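Review bot: The pattern two lines below the change, `'/&lt;'. $name .'([^&]+)+\&gt;/'`, nests a `+` quantifier inside a `+` group; on a long run of non-`&` characters that is not followed by `&gt;` PCRE backtracks exponentially and, once pcre.backtrack_limit is hit, preg_replace() returns null, which is then assigned to `$html`. `([^&]+)` alone matches the same strings, and `$name` is spliced into the pattern as-is, so `$html = preg_replace('/&lt;' . preg_quote($name, '/') . '([^&]+)&gt;/', '<span \\1>', $html);` is the safer form. Note also that `str_replace('&quot;', '"', $html)` undoes part of the escaping the changed line performs, so the effective escaping of this report is weaker than the htmlspecialchars() call suggests; whether that is acceptable depends on where get_report() output is rendered, which is outside the hunk. get_report() starts before the hunk.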
Expand Up @@ -49,7 +49,7 @@ public function get_report() {
$output .= "\n\t<htmlchecker:problems>";
foreach ($test as $problem) {
if (is_object($problem)) {
$output .= "\n\t<htmlchecker:entities><![CDATA[" . htmlentities($problem->get_html()) .
$output .= "\n\t<htmlchecker:entities><![CDATA[" . htmlentities($problem->get_html(), ENT_COMPAT) .
"]]></htmlchecker:entities>";
$output .= "\n\t<htmlchecker:line>". $problem->get_line() ."</htmlchecker:line>";
if ($problem->message) {
Expand Up @@ -180,7 +180,7 @@ public function display(\stdClass $data, filter $filter): string {
];
$data->errordata = !empty($data->errordata) ? $data->errordata : [];
foreach ($data->errordata as $err) {
$err->htmlcode = htmlentities($err->htmlcode);
$err->htmlcode = htmlentities($err->htmlcode, ENT_COMPAT);
$row = [$data->tarlabels[$err->component], $err->shortname, $err->errline, $err->htmlcode];
$table->data[] = $row;
}
2 changes: 1 addition & 1 deletion backup/cc/cc_lib/gral_lib/functions.php
Expand Up @@ -89,7 +89,7 @@ function array_remove_by_key($arr,$key) {


function cc_print_object($object) {
echo '<pre>' . htmlspecialchars(print_r($object,true)) . '</pre>';
echo '<pre>' . htmlspecialchars(print_r($object,true), ENT_COMPAT) . '</pre>';
}


2 changes: 1 addition & 1 deletion course/switchrole.php
Expand Up @@ -102,7 +102,7 @@
foreach ($roles as $key => $role) {
$url = new moodle_url('/course/switchrole.php', array('id' => $id, 'switchrole' => $key, 'returnurl' => $returnurl));
// Button encodes special characters, apply htmlspecialchars_decode() to avoid double escaping.
echo $OUTPUT->container($OUTPUT->single_button($url, htmlspecialchars_decode($role)), 'mx-3 mb-1');
echo $OUTPUT->container($OUTPUT->single_button($url, htmlspecialchars_decode($role, ENT_COMPAT)), 'mx-3 mb-1');
}

$url = new moodle_url($returnurl);
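Review bot: `htmlspecialchars_decode($role, ENT_COMPAT)` decodes `&quot;`, `&lt;`, `&gt;` and `&amp;` but leaves `&#039;` and `&apos;` untouched, so if the role names were escaped upstream with ENT_QUOTES (for example via s()) a name containing an apostrophe reaches single_button() still encoded and is escaped a second time, showing the entity literally; the comment above says the aim is to avoid double escaping, which this flag does not fully achieve. If the upstream encoding is confirmed to use ENT_QUOTES, `htmlspecialchars_decode($role, ENT_QUOTES)` is the matching decode. The same question applies to the decode sites in lib/classes/output/mustache_pix_helper.php, lib/form/tags.php and media/classes/player_native.php. The origin of $roles is outside the hunk.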
2 changes: 1 addition & 1 deletion filter/tex/texdebug.php
Expand Up @@ -248,7 +248,7 @@ function TexOutput($expression, $graphic=false) {
chdir($latex->temp_dir);

// put the expression as a file into the temp area
$expression = html_entity_decode($expression);
$expression = html_entity_decode($expression, ENT_COMPAT);
$output .= "<p>Processing TeX expression:</p><pre>$expression</pre>\n";
$doc = $latex->construct_latex_document($expression);
$fh = fopen($tex, 'w');
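Review bot: The decoded value is interpolated straight into markup on the next line, `$output .= "<p>Processing TeX expression:</p><pre>$expression</pre>\n";`, so after `html_entity_decode($expression, ENT_COMPAT)` any `<`, `>` or `&` in the expression reaches the page unescaped; if $output is sent to the browser (it appears to be built for that, but TexOutput()'s caller is outside the hunk) the pre block needs its own escaping, e.g. `'<pre>' . htmlspecialchars($expression, ENT_QUOTES | ENT_SUBSTITUTE) . '</pre>'`. Separately, the `fopen($tex, 'w')` result on the last context line is not checked for false. TexOutput() continues past the hunk.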
10 changes: 5 additions & 5 deletions lib/behat/classes/behat_session_trait.php
Expand Up @@ -941,7 +941,7 @@ public function look_for_exceptions() {
$msgs[] = $errnostring . ": " .$error['message'] . " at " . $error['file'] . ": " . $error['line'];
}
$msg = "PHP errors found:\n" . implode("\n", $msgs);
throw new \Exception(htmlentities($msg));
throw new \Exception(htmlentities($msg, ENT_COMPAT));
}

return;
Expand Down Expand Up @@ -979,7 +979,7 @@ public function look_for_exceptions() {
}

$msg = "Moodle exception: " . $errormsg->getText() . "\n" . $errorinfo;
throw new \Exception(html_entity_decode($msg));
throw new \Exception(html_entity_decode($msg, ENT_COMPAT));
}

// Debugging messages.
Expand All @@ -989,7 +989,7 @@ public function look_for_exceptions() {
$msgs[] = $this->get_debug_text($debuggingmessage->getHtml());
}
$msg = "debugging() message/s found:\n" . implode("\n", $msgs);
throw new \Exception(html_entity_decode($msg));
throw new \Exception(html_entity_decode($msg, ENT_COMPAT));
}

// PHP debug messages.
Expand All @@ -1000,7 +1000,7 @@ public function look_for_exceptions() {
$msgs[] = $this->get_debug_text($phpmessage->getHtml());
}
$msg = "PHP debug message/s found:\n" . implode("\n", $msgs);
throw new \Exception(html_entity_decode($msg));
throw new \Exception(html_entity_decode($msg, ENT_COMPAT));
}

// Any other backtrace.
Expand All @@ -1014,7 +1014,7 @@ public function look_for_exceptions() {
$msgs[] = $backtrace . '()';
}
$msg = "Other backtraces found:\n" . implode("\n", $msgs);
throw new \Exception(htmlentities($msg));
throw new \Exception(htmlentities($msg, ENT_COMPAT));
}
}

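Review bot: Within the same method the message is encoded at `throw new \Exception(htmlentities($msg, ENT_COMPAT));` (first and last hunks) but decoded at the three html_entity_decode() throws in between, so an exception text containing `<` or `&` reads as `&lt;`/`&amp;` from one branch and as plain characters from another. If these messages are only ever shown in the test runner's console, decoding (or applying no transformation) at all five sites would make them consistently readable. look_for_exceptions() starts before the first hunk and its body continues between the hunks.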
2 changes: 1 addition & 1 deletion lib/classes/output/mustache_pix_helper.php
Expand Up @@ -76,7 +76,7 @@ public function pix($text, Mustache_LambdaHelper $helper) {
// chars have been escaped. However, render_pix_icon
// assumes the alt arrives with no escaping. So we need
// ot un-escape here.
$text = htmlspecialchars_decode($text);
$text = htmlspecialchars_decode($text, ENT_COMPAT);

return trim($this->renderer->pix_icon($key, $text, $component));
}
8 changes: 4 additions & 4 deletions lib/classes/text.php
Expand Up @@ -452,7 +452,7 @@ protected static function get_entities_table() {
if (!isset($trans_tbl)) {
if (version_compare(phpversion(), '5.3.4') < 0) {
$trans_tbl = array();
foreach (get_html_translation_table(HTML_ENTITIES) as $val=>$key) {
foreach (get_html_translation_table(HTML_ENTITIES, ENT_COMPAT) as $val=>$key) {
$trans_tbl[$key] = self::convert($val, 'ISO-8859-1', 'utf-8');
}

Expand Down Expand Up @@ -574,12 +574,12 @@ public static function remove_unicode_non_characters($value) {
// characters of each code planes 0-16 inclusive...
for ($plane = 0; $plane <= 16; $plane++) {
$base = ($plane === 0 ? '' : dechex($plane));
self::$noncharacters[] = html_entity_decode('&#x' . $base . 'fffe;');
self::$noncharacters[] = html_entity_decode('&#x' . $base . 'ffff;');
self::$noncharacters[] = html_entity_decode('&#x' . $base . 'fffe;', ENT_COMPAT);
self::$noncharacters[] = html_entity_decode('&#x' . $base . 'ffff;', ENT_COMPAT);
}
// ...And the character range U+FDD0 to U+FDEF.
for ($char = 0xfdd0; $char <= 0xfdef; $char++) {
self::$noncharacters[] = html_entity_decode('&#x' . dechex($char) . ';');
self::$noncharacters[] = html_entity_decode('&#x' . dechex($char) . ';', ENT_COMPAT);
}
}

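Review bot: The changed `get_html_translation_table(HTML_ENTITIES, ENT_COMPAT)` sits under `if (version_compare(phpversion(), '5.3.4') < 0)`, a branch that cannot execute on the PHP 8.1 this commit is adjusting for (nor, presumably, on any version the project still supports), so the call is dead code and the whole pre-5.3.4 branch could be dropped rather than maintained. get_entities_table() and remove_unicode_non_characters() both start before their hunks.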
2 changes: 1 addition & 1 deletion lib/form/autocomplete.php
Expand Up @@ -139,7 +139,7 @@ function toHtml(){
// version of this code in the new template version (see export_for_template).
if ($this->valuehtmlcallback) {
$html = preg_replace_callback('~value="([^"]+)"~', function($matches) {
$value = html_entity_decode($matches[1]);
$value = html_entity_decode($matches[1], ENT_COMPAT);
$htmlvalue = call_user_func($this->valuehtmlcallback, $value);
if ($htmlvalue !== false) {
return $matches[0] . ' data-html="' . s($htmlvalue) . '"';
2 changes: 1 addition & 1 deletion lib/form/tags.php
Expand Up @@ -254,7 +254,7 @@ public function exportValue(&$submitValues, $assoc = false) {
// Submitted tag data will be encoded, we want original text.
if (array_key_exists($this->getName(), $submitValues)) {
array_walk($submitValues[$this->getName()], static function(string &$tag): void {
$tag = html_entity_decode($tag);
$tag = html_entity_decode($tag, ENT_COMPAT);
});
}

4 changes: 2 additions & 2 deletions lib/moodlelib.php
Expand Up @@ -8413,7 +8413,7 @@ function count_words($string) {
// Now remove HTML tags.
$string = strip_tags($string);
// Decode HTML entities.
$string = html_entity_decode($string);
$string = html_entity_decode($string, ENT_COMPAT);

// Now, the word count is the number of blocks of characters separated
// by any sort of space. That seems to be the definition used by all other systems.
Expand All @@ -8435,7 +8435,7 @@ function count_words($string) {
*/
function count_letters($string) {
$string = strip_tags($string); // Tags are out now.
$string = html_entity_decode($string);
$string = html_entity_decode($string, ENT_COMPAT);
$string = preg_replace('/[[:space:]]*/', '', $string); // Whitespace are out now.

return core_text::strlen($string);
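Review bot: `html_entity_decode($string, ENT_COMPAT)` in count_letters() leaves `&#039;` and `&apos;` undecoded, so an apostrophe stored in entity form counts as six letters, and `&nbsp;` decodes to U+00A0, which the following `preg_replace('/[[:space:]]*/', '', $string)` is unlikely to remove without the `u` modifier while core_text::strlen() still counts it. If the accuracy of the count matters, `html_entity_decode($string, ENT_QUOTES)` and `'/[[:space:]]*/u'` address both cases; the same decode flag applies to count_words(), where only the apostrophe case is relevant. count_words() starts before its hunk.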
4 changes: 2 additions & 2 deletions lib/pear/PEAR/Exception.php
Expand Up @@ -329,7 +329,7 @@ public function toHtml()
foreach ($causes as $i => $cause) {
$html .= '<tr><td colspan="3" style="background: #ff9999">'
. str_repeat('-', $i) . ' <b>' . $cause['class'] . '</b>: '
. htmlspecialchars($cause['message']) . ' in <b>' . $cause['file'] . '</b> '
. htmlspecialchars($cause['message'], ENT_COMPAT) . ' in <b>' . $cause['file'] . '</b> '
. 'on line <b>' . $cause['line'] . '</b>'
. "</td></tr>\n";
}
Expand All @@ -355,7 +355,7 @@ public function toHtml()
elseif (is_int($arg) || is_double($arg)) $args[] = $arg;
else {
$arg = (string)$arg;
$str = htmlspecialchars(substr($arg, 0, 16));
$str = htmlspecialchars(substr($arg, 0, 16), ENT_COMPAT);
if (strlen($arg) > 16) $str .= '&hellip;';
$args[] = "'" . $str . "'";
}
2 changes: 1 addition & 1 deletion lib/rsslib.php
Expand Up @@ -491,7 +491,7 @@ function rss_end_tag($tag,$level=0,$endline=true) {
function rss_full_tag($tag, $level, $endline, $content, $attributes = null) {
$st = rss_start_tag($tag,$level,$endline,$attributes);
$co="";
$co = preg_replace("/\r\n|\r/", "\n", htmlspecialchars($content));
$co = preg_replace("/\r\n|\r/", "\n", htmlspecialchars($content, ENT_COMPAT));
$et = rss_end_tag($tag,0,true);

return $st.$co.$et;
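Review bot: `$co="";` on the line before the change is dead, since `$co` is immediately reassigned by `$co = preg_replace("/\r\n|\r/", "\n", htmlspecialchars($content, ENT_COMPAT));`, and dropping it (with the usual spacing around `=`) would be cleaner. preg_replace() can also return null on a PCRE error, in which case the `.` concatenation silently yields an empty element body; `?? ''` or an explicit check would make that visible. rss_full_tag()'s closing brace is outside the hunk.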
2 changes: 1 addition & 1 deletion lib/searchlib.php
Expand Up @@ -71,7 +71,7 @@ public function search_token($type, $value) {
// Need to think about this some more.

function sanitize($userstring){
return htmlspecialchars($userstring);
return htmlspecialchars($userstring, ENT_COMPAT);
}
function getValue(){
return $this->value;
4 changes: 2 additions & 2 deletions lib/setuplib.php
Expand Up @@ -549,7 +549,7 @@ function get_exception_info($ex) {
if (function_exists('clean_text')) {
$message = clean_text($message);
} else {
$message = htmlspecialchars($message);
$message = htmlspecialchars($message, ENT_COMPAT);
}

if (!empty($CFG->errordocroot)) {
Expand Down Expand Up @@ -1436,7 +1436,7 @@ function redirect_if_major_upgrade_required() {
$url = $CFG->wwwroot . '/' . $CFG->admin . '/index.php';
@header($_SERVER['SERVER_PROTOCOL'] . ' 303 See Other');
@header('Location: ' . $url);
echo bootstrap_renderer::plain_redirect_message(htmlspecialchars($url));
echo bootstrap_renderer::plain_redirect_message(htmlspecialchars($url, ENT_COMPAT));
exit;
}
}
2 changes: 1 addition & 1 deletion lib/tablelib.php
Expand Up @@ -2204,7 +2204,7 @@ function document_started() {
function format_text($text, $format=FORMAT_MOODLE, $options=NULL, $courseid=NULL) {
//use some whitespace to indicate where there was some line spacing.
$text = str_replace(array('</p>', "\n", "\r"), ' ', $text);
return html_entity_decode(strip_tags($text));
return html_entity_decode(strip_tags($text), ENT_COMPAT);
}

/**
4 changes: 2 additions & 2 deletions lib/tests/other/todochecker.php
Expand Up @@ -82,9 +82,9 @@
}

$line = str_replace($issueid, '<a href="' . $issueurl . '" title="' . s($issuesummary) .
'">' . $issuename . '</a>', htmlspecialchars($line));
'">' . $issuename . '</a>', htmlspecialchars($line, ENT_COMPAT));
} else {
$line = htmlspecialchars($line);
$line = htmlspecialchars($line, ENT_COMPAT);
$error = 'No associated tracker issue.';
}

8 changes: 4 additions & 4 deletions lib/tests/text_test.php
Expand Up @@ -521,16 +521,16 @@ public function test_remove_unicode_non_characters() {
$this->assertSame('Frogs!', core_text::remove_unicode_non_characters('Frogs!'));

// Even if they contain some very scary characters.
$example = html_entity_decode('A&#xfffd;&#x1d15f;B');
$example = html_entity_decode('A&#xfffd;&#x1d15f;B', ENT_COMPAT);
$this->assertSame($example, core_text::remove_unicode_non_characters($example));

// Non-characters are removed wherever they may be, with other characters left.
$example = html_entity_decode('&#xfffe;A&#xffff;B&#x8fffe;C&#xfdd0;D&#xfffd;E&#xfdd5;');
$expected = html_entity_decode('ABCD&#xfffd;E');
$example = html_entity_decode('&#xfffe;A&#xffff;B&#x8fffe;C&#xfdd0;D&#xfffd;E&#xfdd5;', ENT_COMPAT);
$expected = html_entity_decode('ABCD&#xfffd;E', ENT_COMPAT);
$this->assertSame($expected, core_text::remove_unicode_non_characters($example));

// If you only have a non-character, you get empty string.
$example = html_entity_decode('&#xfffe;');
$example = html_entity_decode('&#xfffe;', ENT_COMPAT);
$this->assertSame('', core_text::remove_unicode_non_characters($example));

// Check that null argument is allowed.
2 changes: 1 addition & 1 deletion lib/webdavlib.php
Expand Up @@ -1709,7 +1709,7 @@ private function reopen() {
*/
private function translate_uri($uri) {
// remove all html entities...
$native_path = html_entity_decode($uri);
$native_path = html_entity_decode($uri, ENT_COMPAT);
$parts = explode('/', $native_path);
for ($i = 0; $i < count($parts); $i++) {
// check if part is allready utf8
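Review bot: The comment `// remove all html entities...` overstates what `html_entity_decode($uri, ENT_COMPAT)` does: with ENT_COMPAT the single-quote entities `&#039;` and `&apos;` are left as-is, so a path segment containing one keeps the entity text through the explode() and the per-part conversion below. Either the comment should read `// Decode HTML entities (ENT_COMPAT leaves single-quote entities as-is).` or, if full decoding is wanted, the flag should be ENT_QUOTES. translate_uri() continues past the hunk.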
4 changes: 2 additions & 2 deletions lib/weblib.php
Expand Up @@ -3439,7 +3439,7 @@ class html_progress_trace extends progress_trace {
* @return void Output is echo'd
*/
public function output($message, $depth = 0) {
echo '<p>', str_repeat('&#160;&#160;', $depth), htmlspecialchars($message), "</p>\n";
echo '<p>', str_repeat('&#160;&#160;', $depth), htmlspecialchars($message, ENT_COMPAT), "</p>\n";
flush();
}
}
Expand Down Expand Up @@ -3480,7 +3480,7 @@ public function output($message, $depth = 0) {
if ($samedepth) {
echo "</li>\n<li>";
}
echo htmlspecialchars($message);
echo htmlspecialchars($message, ENT_COMPAT);
flush();
}

2 changes: 1 addition & 1 deletion lib/xmldb/xmldb_field.php
Expand Up @@ -523,7 +523,7 @@ public function xmlOutput() {
$o.= ' DECIMALS="' . $this->decimals . '"';
}
if ($this->comment) {
$o.= ' COMMENT="' . htmlspecialchars($this->comment) . '"';
$o.= ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"';
}
$o.= '/>' . "\n";

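Review bot: Only the COMMENT value is escaped here, `' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"'`, while the sibling attributes emitted by the same xmlOutput() methods (`HINTS` in xmldb_index.php, `REFFIELDS` in xmldb_key.php, `PATH` and `VERSION` in xmldb_structure.php, `NAME` in xmldb_table.php) are concatenated raw. Those values are developer-supplied schema metadata, so the realistic failure is malformed XML rather than injection, but routing every attribute value through one small escape helper would make the output well-formed by construction. ENT_COMPAT is adequate for a double-quoted attribute as long as the quoting stays double. xmlOutput() starts before the hunk in each of these files.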
2 changes: 1 addition & 1 deletion lib/xmldb/xmldb_index.php
Expand Up @@ -248,7 +248,7 @@ public function xmlOutput() {
$o.= ' HINTS="' . implode(', ', $this->hints) . '"';
}
if ($this->comment) {
$o.= ' COMMENT="' . htmlspecialchars($this->comment) . '"';
$o.= ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"';
}
$o.= '/>' . "\n";

2 changes: 1 addition & 1 deletion lib/xmldb/xmldb_key.php
Expand Up @@ -374,7 +374,7 @@ public function xmlOutput() {
$o.= ' REFFIELDS="' . implode(', ', $this->reffields) . '"';
}
if ($this->comment) {
$o.= ' COMMENT="' . htmlspecialchars($this->comment) . '"';
$o.= ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"';
}
$o.= '/>' . "\n";

2 changes: 1 addition & 1 deletion lib/xmldb/xmldb_structure.php
Expand Up @@ -344,7 +344,7 @@ public function xmlOutput() {
$o.= '<XMLDB PATH="' . $this->path . '"';
$o.= ' VERSION="' . $this->version . '"';
if ($this->comment) {
$o.= ' COMMENT="' . htmlspecialchars($this->comment) . '"'."\n";
$o.= ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"'."\n";
}
$rel = array_fill(0, count(explode('/', $this->path)), '..');
$rel = implode('/', $rel);
2 changes: 1 addition & 1 deletion lib/xmldb/xmldb_table.php
Expand Up @@ -731,7 +731,7 @@ public function xmlOutput() {
$o = '';
$o.= ' <TABLE NAME="' . $this->name . '"';
if ($this->comment) {
$o.= ' COMMENT="' . htmlspecialchars($this->comment) . '"';
$o.= ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"';
}
$o.= '>' . "\n";
// Now the fields
2 changes: 1 addition & 1 deletion media/classes/player_native.php
Expand Up @@ -42,7 +42,7 @@ abstract class core_media_player_native extends core_media_player {
*/
public static function get_attribute($tag, $attrname, $type = PARAM_RAW) {
if (preg_match('/^<[^>]*\b' . $attrname . '="(.*?)"/is', $tag, $matches)) {
return clean_param(htmlspecialchars_decode($matches[1]), $type);
return clean_param(htmlspecialchars_decode($matches[1], ENT_COMPAT), $type);
} else if (preg_match('~^<[^>]*\b' . $attrname . '[ />]"~is', $tag, $matches)) {
// Some attributes may not have value, for example this is valid: <video controls>.
return clean_param("true", $type);