From a800e7e62f73d82d04926f72333384d7cc31e01e Mon Sep 17 00:00:00 2001 
From: Marina Glancy Date: Fri, 28 Oct 2022 10:27:37 +0200 Subject: [PATCH] MDL-74853 various: add second parameter to htmlentities functions Default value of the $flag argument changed in PHP 8.1 from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE To ensure consistent behavior across different PHP version the second parameter is now required for the functions: htmlspecialchars(), htmlentities(), htmlspecialchars_decode(), html_entity_decode() and get_html_translation_table() --- .../classes/define_role_table_advanced.php | 2 +- admin/settings/plugins.php | 2 +- .../tool/brickfield/classes/accessibility.php | 4 ++-- .../htmlchecker/reporters/report_array.php | 2 +- .../reporters/report_codehighlight.php | 2 +- .../htmlchecker/reporters/report_xml.php | 2 +- .../classes/output/printable/renderer.php | 2 +- backup/cc/cc_lib/gral_lib/functions.php | 2 +- course/switchrole.php | 2 +- filter/tex/texdebug.php | 2 +- lib/behat/classes/behat_session_trait.php | 10 ++++----- lib/classes/output/mustache_pix_helper.php | 2 +- lib/classes/text.php | 8 +++---- lib/form/autocomplete.php | 2 +- lib/form/tags.php | 2 +- lib/moodlelib.php | 4 ++-- lib/pear/PEAR/Exception.php | 4 ++-- lib/rsslib.php | 2 +- lib/searchlib.php | 2 +- lib/setuplib.php | 4 ++-- lib/tablelib.php | 2 +- lib/tests/other/todochecker.php | 4 ++-- lib/tests/text_test.php | 8 +++---- lib/webdavlib.php | 2 +- lib/weblib.php | 4 ++-- lib/xmldb/xmldb_field.php | 2 +- lib/xmldb/xmldb_index.php | 2 +- lib/xmldb/xmldb_key.php | 2 +- lib/xmldb/xmldb_structure.php | 2 +- lib/xmldb/xmldb_table.php | 2 +- media/classes/player_native.php | 2 +- mod/assign/feedback/editpdf/classes/pdf.php | 4 ++-- .../classes/local/helpers/mod_helper.php | 2 +- mod/book/tool/exportimscp/locallib.php | 4 ++-- mod/data/classes/preset.php | 8 +++---- mod/data/field/latlong/field.class.php | 2 +- mod/data/field/latlong/kml.php | 2 +- mod/feedback/lib.php | 2 +- mod/forum/classes/output/forum_post.php | 22 +++++++++---------- 
mod/lesson/pagetypes/matching.php | 8 +++---- mod/lti/auth.php | 4 ++-- mod/lti/locallib.php | 12 +++++----- mod/wiki/parser/markups/creole.php | 2 +- question/format/xml/format.php | 4 ++-- question/type/gapselect/edit_form_base.php | 4 ++-- .../type/match/tests/walkthrough_test.php | 2 +- .../multianswer/edit_multianswer_form.php | 4 ++-- .../classes/table/custom_report_table.php | 2 +- repository/url/lib.php | 4 ++-- search/engine/solr/tests/engine_test.php | 12 +++++----- search/tests/document_test.php | 2 +- tag/classes/tag.php | 2 +- user/profile/field/text/field.class.php | 2 +- user/selector/lib.php | 4 ++-- webservice/renderer.php | 10 ++++----- 55 files changed, 109 insertions(+), 109 deletions(-) diff --git a/admin/roles/classes/define_role_table_advanced.php b/admin/roles/classes/define_role_table_advanced.php index 6fb58c6b25ff9..f230e0eb905c7 100644 --- a/admin/roles/classes/define_role_table_advanced.php +++ b/admin/roles/classes/define_role_table_advanced.php @@ -533,7 +533,7 @@ protected function get_shortname_field($id) { protected function get_description_field($id) { return ''; } diff --git a/admin/settings/plugins.php b/admin/settings/plugins.php index 372f07fe0764b..47331b47fcb10 100644 --- a/admin/settings/plugins.php +++ b/admin/settings/plugins.php 
@@ -101,7 +101,7 @@ new lang_string('limitconcurrentlogins', 'core_auth'), new lang_string('limitconcurrentlogins_desc', 'core_auth'), 0, $options)); $temp->add(new admin_setting_configtext('alternateloginurl', new lang_string('alternateloginurl', 'auth'), - new lang_string('alternatelogin', 'auth', htmlspecialchars(get_login_url())), '')); + new lang_string('alternatelogin', 'auth', htmlspecialchars(get_login_url(), ENT_COMPAT)), '')); $temp->add(new admin_setting_configtext('forgottenpasswordurl', new lang_string('forgottenpasswordurl', 'auth'), new lang_string('forgottenpassword', 'auth'), '', PARAM_URL)); $temp->add(new admin_setting_confightmleditor('auth_instructions', new lang_string('instructions', 'auth'), diff --git a/admin/tool/brickfield/classes/accessibility.php b/admin/tool/brickfield/classes/accessibility.php index 35f3510b9e813..f413f52ce7636 100644 --- a/admin/tool/brickfield/classes/accessibility.php +++ b/admin/tool/brickfield/classes/accessibility.php @@ -388,13 +388,13 @@ public static function run_one_check( // Confirm if error is reported separately. if ($DB->record_exists_select(manager::DB_ERRORS, 'resultid = ? AND ' . $DB->sql_compare_text('htmlcode', 255) . ' = ' . $DB->sql_compare_text('?', 255), - [$resultid, html_entity_decode($tmp->html)])) { + [$resultid, html_entity_decode($tmp->html, ENT_COMPAT)])) { continue; } $error = new stdClass(); $error->resultid = $resultid; $error->linenumber = $tmp->line; - $error->htmlcode = html_entity_decode($tmp->html); + $error->htmlcode = html_entity_decode($tmp->html, ENT_COMPAT); $errors[] = $error; } diff --git a/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_array.php b/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_array.php index 5dacefdfd5450..e86e1a9c15029 100644 --- a/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_array.php +++ b/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_array.php 
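Review bot: In run_one_check, `html_entity_decode($tmp->html, ENT_COMPAT)` is now evaluated twice per loop iteration, once as the record_exists_select parameter and again when filling `$error->htmlcode`; decoding once into a local guarantees the lookup value and the stored value are the same string and leaves a single place to maintain the flag. I would write `$htmlcode = html_entity_decode($tmp->html, ENT_COMPAT);` before the `if`, then pass `[$resultid, $htmlcode]` and assign `$error->htmlcode = $htmlcode;`. The enclosing loop and run_one_check itself start outside the hunk.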
@@ -43,7 +43,7 @@ public function get_report() { $output[$testname]['body'] = $translation['description']; foreach ($test as $k => $problem) { if (is_object($problem)) { - $output[$testname]['problems'][$k]['element'] = htmlentities($problem->get_html()); + $output[$testname]['problems'][$k]['element'] = htmlentities($problem->get_html(), ENT_COMPAT); $output[$testname]['problems'][$k]['line'] = $problem->get_line(); if ($problem->message) { $output[$testname]['problems']['message'] = $problem->message; diff --git a/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_codehighlight.php b/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_codehighlight.php index 60f33b6c67696..ef22d2bd80505 100644 --- a/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_codehighlight.php +++ b/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_codehighlight.php @@ -67,7 +67,7 @@ public function get_report(): string { } } $this->dom->formatOutput = true; - $html = htmlspecialchars($this->dom->saveHTML()); + $html = htmlspecialchars($this->dom->saveHTML(), ENT_COMPAT); $html = str_replace('"', '"', $html); foreach ($this->classnames as $name) { $html = preg_replace('/<'. $name .'([^&]+)+\>/', '', $html); diff --git a/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_xml.php b/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_xml.php index 58562eda5591d..36f8c12157ffe 100644 --- a/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_xml.php +++ b/admin/tool/brickfield/classes/local/htmlchecker/reporters/report_xml.php @@ -49,7 +49,7 @@ public function get_report() { $output .= "\n\t"; foreach ($test as $problem) { if (is_object($problem)) { - $output .= "\n\tget_html()) . + $output .= "\n\tget_html(), ENT_COMPAT) . "]]>"; $output .= "\n\t". $problem->get_line() .""; if ($problem->message) { 
diff --git a/admin/tool/brickfield/classes/output/printable/renderer.php b/admin/tool/brickfield/classes/output/printable/renderer.php index 19d3d9dfccd96..5ddaee1749948 100644 --- a/admin/tool/brickfield/classes/output/printable/renderer.php +++ b/admin/tool/brickfield/classes/output/printable/renderer.php @@ -180,7 +180,7 @@ public function display(\stdClass $data, filter $filter): string { ]; $data->errordata = !empty($data->errordata) ? $data->errordata : []; foreach ($data->errordata as $err) { - $err->htmlcode = htmlentities($err->htmlcode); + $err->htmlcode = htmlentities($err->htmlcode, ENT_COMPAT); $row = [$data->tarlabels[$err->component], $err->shortname, $err->errline, $err->htmlcode]; $table->data[] = $row; } diff --git a/backup/cc/cc_lib/gral_lib/functions.php b/backup/cc/cc_lib/gral_lib/functions.php index f0b65b99ad670..1633923cdb8c2 100644 --- a/backup/cc/cc_lib/gral_lib/functions.php +++ b/backup/cc/cc_lib/gral_lib/functions.php @@ -89,7 +89,7 @@ function array_remove_by_key($arr,$key) { function cc_print_object($object) { - echo '
' . htmlspecialchars(print_r($object,true)) . '
'; + echo '
' . htmlspecialchars(print_r($object,true), ENT_COMPAT) . '
'; } diff --git a/course/switchrole.php b/course/switchrole.php index 5e5ce0a5be897..a54f8ad581245 100644 --- a/course/switchrole.php +++ b/course/switchrole.php @@ -102,7 +102,7 @@ foreach ($roles as $key => $role) { $url = new moodle_url('/course/switchrole.php', array('id' => $id, 'switchrole' => $key, 'returnurl' => $returnurl)); // Button encodes special characters, apply htmlspecialchars_decode() to avoid double escaping. - echo $OUTPUT->container($OUTPUT->single_button($url, htmlspecialchars_decode($role)), 'mx-3 mb-1'); + echo $OUTPUT->container($OUTPUT->single_button($url, htmlspecialchars_decode($role, ENT_COMPAT)), 'mx-3 mb-1'); } $url = new moodle_url($returnurl); diff --git a/filter/tex/texdebug.php b/filter/tex/texdebug.php index 5de6ccbd05598..25481b3101e17 100644 --- a/filter/tex/texdebug.php +++ b/filter/tex/texdebug.php @@ -248,7 +248,7 @@ function TexOutput($expression, $graphic=false) { chdir($latex->temp_dir); // put the expression as a file into the temp area - $expression = html_entity_decode($expression); + $expression = html_entity_decode($expression, ENT_COMPAT); $output .= "
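Review bot: `htmlspecialchars_decode($role, ENT_COMPAT)` only reverses the `&amp;`, `&lt;`, `&gt;` and `&quot;` escapes; a single quote encoded as `&#039;` is left as-is under ENT_COMPAT, so the "avoid double escaping" comment above it holds only if whatever produced `$role` also escaped with ENT_COMPAT. If the role name was escaped with ENT_QUOTES (worth confirming against where `$roles` is built, which is outside the hunk), an apostrophe in a role name now reaches single_button as `&#039;` and is escaped a second time. The decode flag should mirror the flag used on the encode side, and that pairing deserves a comment, e.g. `// ENT_COMPAT here must match the flags used when $role was escaped; keep the two in step.`. The same encode/decode pairing question applies to the ENT_COMPAT decode calls in lib/classes/output/mustache_pix_helper.php, lib/form/autocomplete.php, lib/form/tags.php, lib/moodlelib.php (count_words/count_letters, where an undecoded `&#039;` is counted as six letters), lib/tablelib.php and lib/webdavlib.php.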

Processing TeX expression:

$expression
\n"; $doc = $latex->construct_latex_document($expression); $fh = fopen($tex, 'w'); diff --git a/lib/behat/classes/behat_session_trait.php b/lib/behat/classes/behat_session_trait.php index a9c5f317f89de..8715fc810e122 100644 --- a/lib/behat/classes/behat_session_trait.php +++ b/lib/behat/classes/behat_session_trait.php @@ -941,7 +941,7 @@ public function look_for_exceptions() { $msgs[] = $errnostring . ": " .$error['message'] . " at " . $error['file'] . ": " . $error['line']; } $msg = "PHP errors found:\n" . implode("\n", $msgs); - throw new \Exception(htmlentities($msg)); + throw new \Exception(htmlentities($msg, ENT_COMPAT)); } return; @@ -979,7 +979,7 @@ public function look_for_exceptions() { } $msg = "Moodle exception: " . $errormsg->getText() . "\n" . $errorinfo; - throw new \Exception(html_entity_decode($msg)); + throw new \Exception(html_entity_decode($msg, ENT_COMPAT)); } // Debugging messages. @@ -989,7 +989,7 @@ public function look_for_exceptions() { $msgs[] = $this->get_debug_text($debuggingmessage->getHtml()); } $msg = "debugging() message/s found:\n" . implode("\n", $msgs); - throw new \Exception(html_entity_decode($msg)); + throw new \Exception(html_entity_decode($msg, ENT_COMPAT)); } // PHP debug messages. @@ -1000,7 +1000,7 @@ public function look_for_exceptions() { $msgs[] = $this->get_debug_text($phpmessage->getHtml()); } $msg = "PHP debug message/s found:\n" . implode("\n", $msgs); - throw new \Exception(html_entity_decode($msg)); + throw new \Exception(html_entity_decode($msg, ENT_COMPAT)); } // Any other backtrace. @@ -1014,7 +1014,7 @@ public function look_for_exceptions() { $msgs[] = $backtrace . '()'; } $msg = "Other backtraces found:\n" . implode("\n", $msgs); - throw new \Exception(htmlentities($msg)); + throw new \Exception(htmlentities($msg, ENT_COMPAT)); } } diff --git a/lib/classes/output/mustache_pix_helper.php b/lib/classes/output/mustache_pix_helper.php index 112d4da84e362..3de09778a6ec6 100644 
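Review bot: After `html_entity_decode($expression, ENT_COMPAT)` the decoded text is interpolated directly into `$output` a few lines later (`$expression` inside the "Processing TeX expression:" string), so if `$output` is sent to the browser the value needs to be re-escaped at that point rather than echoed decoded; the raw decoded value can still be passed to construct_latex_document. The markup on this page has been stripped, so the exact surrounding tags should be checked in the file, but the change would be to replace the bare `$expression` in that string with `htmlspecialchars($expression, ENT_COMPAT)`. TexOutput continues outside the hunk.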
--- a/lib/classes/output/mustache_pix_helper.php +++ b/lib/classes/output/mustache_pix_helper.php @@ -76,7 +76,7 @@ public function pix($text, Mustache_LambdaHelper $helper) { // chars have been escaped. However, render_pix_icon // assumes the alt arrives with no escaping. So we need // ot un-escape here. - $text = htmlspecialchars_decode($text); + $text = htmlspecialchars_decode($text, ENT_COMPAT); return trim($this->renderer->pix_icon($key, $text, $component)); } diff --git a/lib/classes/text.php b/lib/classes/text.php index f3cb012bc6d37..b3b3164fc3f6e 100644 --- a/lib/classes/text.php +++ b/lib/classes/text.php @@ -452,7 +452,7 @@ protected static function get_entities_table() { if (!isset($trans_tbl)) { if (version_compare(phpversion(), '5.3.4') < 0) { $trans_tbl = array(); - foreach (get_html_translation_table(HTML_ENTITIES) as $val=>$key) { + foreach (get_html_translation_table(HTML_ENTITIES, ENT_COMPAT) as $val=>$key) { $trans_tbl[$key] = self::convert($val, 'ISO-8859-1', 'utf-8'); } @@ -574,12 +574,12 @@ public static function remove_unicode_non_characters($value) { // characters of each code planes 0-16 inclusive... for ($plane = 0; $plane <= 16; $plane++) { $base = ($plane === 0 ? '' : dechex($plane)); - self::$noncharacters[] = html_entity_decode('&#x' . $base . 'fffe;'); - self::$noncharacters[] = html_entity_decode('&#x' . $base . 'ffff;'); + self::$noncharacters[] = html_entity_decode('&#x' . $base . 'fffe;', ENT_COMPAT); + self::$noncharacters[] = html_entity_decode('&#x' . $base . 'ffff;', ENT_COMPAT); } // ...And the character range U+FDD0 to U+FDEF. for ($char = 0xfdd0; $char <= 0xfdef; $char++) { - self::$noncharacters[] = html_entity_decode('&#x' . dechex($char) . ';'); + self::$noncharacters[] = html_entity_decode('&#x' . dechex($char) . ';', ENT_COMPAT); } } diff --git a/lib/form/autocomplete.php b/lib/form/autocomplete.php index af58840bc54d1..6cfa4e743debb 100644 --- a/lib/form/autocomplete.php +++ b/lib/form/autocomplete.php 
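Review bot: The `version_compare(phpversion(), '5.3.4') < 0` branch in get_entities_table that this hunk updates cannot execute on any PHP version this commit targets (its motivation is the PHP 8.1 default change), so the `get_html_translation_table(HTML_ENTITIES, ENT_COMPAT)` fallback is dead code that is being kept current rather than removed. Either drop the version check together with the manual table-building loop, or mark it explicitly: `// Legacy path for PHP < 5.3.4; unreachable on supported versions.`. The second hunk in this file (remove_unicode_non_characters) needs no change: the quote flag only affects `'` and `"`, so the non-character numeric references decode the same under ENT_COMPAT as before. get_entities_table continues outside the hunk.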
@@ -139,7 +139,7 @@ function toHtml(){ // version of this code in the new template version (see export_for_template). if ($this->valuehtmlcallback) { $html = preg_replace_callback('~value="([^"]+)"~', function($matches) { - $value = html_entity_decode($matches[1]); + $value = html_entity_decode($matches[1], ENT_COMPAT); $htmlvalue = call_user_func($this->valuehtmlcallback, $value); if ($htmlvalue !== false) { return $matches[0] . ' data-html="' . s($htmlvalue) . '"'; diff --git a/lib/form/tags.php b/lib/form/tags.php index b1ac99f3fedb5..d7306c482edb7 100644 --- a/lib/form/tags.php +++ b/lib/form/tags.php @@ -254,7 +254,7 @@ public function exportValue(&$submitValues, $assoc = false) { // Submitted tag data will be encoded, we want original text. if (array_key_exists($this->getName(), $submitValues)) { array_walk($submitValues[$this->getName()], static function(string &$tag): void { - $tag = html_entity_decode($tag); + $tag = html_entity_decode($tag, ENT_COMPAT); }); } diff --git a/lib/moodlelib.php b/lib/moodlelib.php index 216b95c3517df..d22c8dad00832 100644 --- a/lib/moodlelib.php +++ b/lib/moodlelib.php @@ -8413,7 +8413,7 @@ function count_words($string) { // Now remove HTML tags. $string = strip_tags($string); // Decode HTML entities. - $string = html_entity_decode($string); + $string = html_entity_decode($string, ENT_COMPAT); // Now, the word count is the number of blocks of characters separated // by any sort of space. That seems to be the definition used by all other systems. @@ -8435,7 +8435,7 @@ function count_words($string) { */ function count_letters($string) { $string = strip_tags($string); // Tags are out now. - $string = html_entity_decode($string); + $string = html_entity_decode($string, ENT_COMPAT); $string = preg_replace('/[[:space:]]*/', '', $string); // Whitespace are out now. return core_text::strlen($string); diff --git a/lib/pear/PEAR/Exception.php b/lib/pear/PEAR/Exception.php index 67b261e9d43fe..528747383bd0f 100644 
--- a/lib/pear/PEAR/Exception.php +++ b/lib/pear/PEAR/Exception.php @@ -329,7 +329,7 @@ public function toHtml() foreach ($causes as $i => $cause) { $html .= '' . str_repeat('-', $i) . ' ' . $cause['class'] . ': ' - . htmlspecialchars($cause['message']) . ' in ' . $cause['file'] . ' ' + . htmlspecialchars($cause['message'], ENT_COMPAT) . ' in ' . $cause['file'] . ' ' . 'on line ' . $cause['line'] . '' . "\n"; } @@ -355,7 +355,7 @@ public function toHtml() elseif (is_int($arg) || is_double($arg)) $args[] = $arg; else { $arg = (string)$arg; - $str = htmlspecialchars(substr($arg, 0, 16)); + $str = htmlspecialchars(substr($arg, 0, 16), ENT_COMPAT); if (strlen($arg) > 16) $str .= '…'; $args[] = "'" . $str . "'"; } diff --git a/lib/rsslib.php b/lib/rsslib.php index 7141fd719963d..4f625d1c43ab0 100644 --- a/lib/rsslib.php +++ b/lib/rsslib.php @@ -491,7 +491,7 @@ function rss_end_tag($tag,$level=0,$endline=true) { function rss_full_tag($tag, $level, $endline, $content, $attributes = null) { $st = rss_start_tag($tag,$level,$endline,$attributes); $co=""; - $co = preg_replace("/\r\n|\r/", "\n", htmlspecialchars($content)); + $co = preg_replace("/\r\n|\r/", "\n", htmlspecialchars($content, ENT_COMPAT)); $et = rss_end_tag($tag,0,true); return $st.$co.$et; diff --git a/lib/searchlib.php b/lib/searchlib.php index de3840bc9173d..c158c78ecf537 100644 --- a/lib/searchlib.php +++ b/lib/searchlib.php @@ -71,7 +71,7 @@ public function search_token($type, $value) { // Need to think about this some more. function sanitize($userstring){ - return htmlspecialchars($userstring); + return htmlspecialchars($userstring, ENT_COMPAT); } function getValue(){ return $this->value; diff --git a/lib/setuplib.php b/lib/setuplib.php index d021649cd6b88..891b4560203eb 100644 --- a/lib/setuplib.php +++ b/lib/setuplib.php 
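Review bot: `sanitize()` is applied to user-supplied search strings and returns `htmlspecialchars($userstring, ENT_COMPAT)`, which leaves single quotes untouched and, without ENT_SUBSTITUTE, returns an empty string when the input is not valid UTF-8; the method has no docblock, so callers cannot tell that the result is only safe in text nodes and double-quoted attributes, or that a malformed input silently becomes ''. I would add a docblock stating that contract: `Escapes a user-supplied token for HTML text or double-quoted attribute context only; single quotes are not escaped (ENT_COMPAT) and input that is not valid UTF-8 yields an empty string.`. The same empty-string-on-invalid-UTF-8 behaviour is retained by the encode calls in lib/rsslib.php (rss_full_tag), lib/setuplib.php, lib/weblib.php and the lib/xmldb xmlOutput methods, where a silently emptied element or attribute is harder to notice than an error.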
@@ -549,7 +549,7 @@ function get_exception_info($ex) { if (function_exists('clean_text')) { $message = clean_text($message); } else { - $message = htmlspecialchars($message); + $message = htmlspecialchars($message, ENT_COMPAT); } if (!empty($CFG->errordocroot)) { @@ -1436,7 +1436,7 @@ function redirect_if_major_upgrade_required() { $url = $CFG->wwwroot . '/' . $CFG->admin . '/index.php'; @header($_SERVER['SERVER_PROTOCOL'] . ' 303 See Other'); @header('Location: ' . $url); - echo bootstrap_renderer::plain_redirect_message(htmlspecialchars($url)); + echo bootstrap_renderer::plain_redirect_message(htmlspecialchars($url, ENT_COMPAT)); exit; } } diff --git a/lib/tablelib.php b/lib/tablelib.php index e478263c29a22..f81bb10717de5 100644 --- a/lib/tablelib.php +++ b/lib/tablelib.php @@ -2204,7 +2204,7 @@ function document_started() { function format_text($text, $format=FORMAT_MOODLE, $options=NULL, $courseid=NULL) { //use some whitespace to indicate where there was some line spacing. $text = str_replace(array('

', "\n", "\r"), ' ', $text); - return html_entity_decode(strip_tags($text)); + return html_entity_decode(strip_tags($text), ENT_COMPAT); } /** diff --git a/lib/tests/other/todochecker.php b/lib/tests/other/todochecker.php index 4db0e73aff93b..2bb56af8b713e 100644 --- a/lib/tests/other/todochecker.php +++ b/lib/tests/other/todochecker.php @@ -82,9 +82,9 @@ } $line = str_replace($issueid, '' . $issuename . '', htmlspecialchars($line)); + '">' . $issuename . '', htmlspecialchars($line, ENT_COMPAT)); } else { - $line = htmlspecialchars($line); + $line = htmlspecialchars($line, ENT_COMPAT); $error = 'No associated tracker issue.'; } diff --git a/lib/tests/text_test.php b/lib/tests/text_test.php index e8785f47751fd..148575e8c63b3 100644 --- a/lib/tests/text_test.php +++ b/lib/tests/text_test.php @@ -521,16 +521,16 @@ public function test_remove_unicode_non_characters() { $this->assertSame('Frogs!', core_text::remove_unicode_non_characters('Frogs!')); // Even if they contain some very scary characters. - $example = html_entity_decode('A�𝅘𝅥B'); + $example = html_entity_decode('A�𝅘𝅥B', ENT_COMPAT); $this->assertSame($example, core_text::remove_unicode_non_characters($example)); // Non-characters are removed wherever they may be, with other characters left. - $example = html_entity_decode('￾A￿B򏿾C﷐D�E﷕'); - $expected = html_entity_decode('ABCD�E'); + $example = html_entity_decode('￾A￿B򏿾C﷐D�E﷕', ENT_COMPAT); + $expected = html_entity_decode('ABCD�E', ENT_COMPAT); $this->assertSame($expected, core_text::remove_unicode_non_characters($example)); // If you only have a non-character, you get empty string. - $example = html_entity_decode('￾'); + $example = html_entity_decode('￾', ENT_COMPAT); $this->assertSame('', core_text::remove_unicode_non_characters($example)); // Check that null argument is allowed. diff --git a/lib/webdavlib.php b/lib/webdavlib.php index bbd3d1b3baa7b..640903be44eb3 100644 --- a/lib/webdavlib.php +++ b/lib/webdavlib.php 
@@ -1709,7 +1709,7 @@ private function reopen() { */ private function translate_uri($uri) { // remove all html entities... - $native_path = html_entity_decode($uri); + $native_path = html_entity_decode($uri, ENT_COMPAT); $parts = explode('/', $native_path); for ($i = 0; $i < count($parts); $i++) { // check if part is allready utf8 diff --git a/lib/weblib.php b/lib/weblib.php index c3354e559af77..16c64967b4149 100644 --- a/lib/weblib.php +++ b/lib/weblib.php @@ -3439,7 +3439,7 @@ class html_progress_trace extends progress_trace { * @return void Output is echo'd */ public function output($message, $depth = 0) { - echo '

', str_repeat('  ', $depth), htmlspecialchars($message), "

\n"; + echo '

', str_repeat('  ', $depth), htmlspecialchars($message, ENT_COMPAT), "

\n"; flush(); } } @@ -3480,7 +3480,7 @@ public function output($message, $depth = 0) { if ($samedepth) { echo "\n
  • "; } - echo htmlspecialchars($message); + echo htmlspecialchars($message, ENT_COMPAT); flush(); } diff --git a/lib/xmldb/xmldb_field.php b/lib/xmldb/xmldb_field.php index 25946b4a80cd1..51048c033aa64 100644 --- a/lib/xmldb/xmldb_field.php +++ b/lib/xmldb/xmldb_field.php @@ -523,7 +523,7 @@ public function xmlOutput() { $o.= ' DECIMALS="' . $this->decimals . '"'; } if ($this->comment) { - $o.= ' COMMENT="' . htmlspecialchars($this->comment) . '"'; + $o.= ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"'; } $o.= '/>' . "\n"; diff --git a/lib/xmldb/xmldb_index.php b/lib/xmldb/xmldb_index.php index a29426af991d0..1cc90fa771b8f 100644 --- a/lib/xmldb/xmldb_index.php +++ b/lib/xmldb/xmldb_index.php @@ -248,7 +248,7 @@ public function xmlOutput() { $o.= ' HINTS="' . implode(', ', $this->hints) . '"'; } if ($this->comment) { - $o.= ' COMMENT="' . htmlspecialchars($this->comment) . '"'; + $o.= ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"'; } $o.= '/>' . "\n"; diff --git a/lib/xmldb/xmldb_key.php b/lib/xmldb/xmldb_key.php index c27ef7135ab22..0101d1a6474f4 100644 --- a/lib/xmldb/xmldb_key.php +++ b/lib/xmldb/xmldb_key.php @@ -374,7 +374,7 @@ public function xmlOutput() { $o.= ' REFFIELDS="' . implode(', ', $this->reffields) . '"'; } if ($this->comment) { - $o.= ' COMMENT="' . htmlspecialchars($this->comment) . '"'; + $o.= ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"'; } $o.= '/>' . "\n"; diff --git a/lib/xmldb/xmldb_structure.php b/lib/xmldb/xmldb_structure.php index 22793fafc425a..d3a69efa497ca 100644 --- a/lib/xmldb/xmldb_structure.php +++ b/lib/xmldb/xmldb_structure.php @@ -344,7 +344,7 @@ public function xmlOutput() { $o.= 'version . '"'; if ($this->comment) { - $o.= ' COMMENT="' . htmlspecialchars($this->comment) . '"'."\n"; + $o.= ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"'."\n"; } $rel = array_fill(0, count(explode('/', $this->path)), '..'); $rel = implode('/', $rel); 
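Review bot: The expression `' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"'` is now repeated verbatim in the xmlOutput methods of xmldb_field, xmldb_index, xmldb_key, xmldb_structure and xmldb_table, so the flag choice has five places to drift apart at the next deprecation round. If these classes share a base class (not visible here), a single `protected function comment_attribute(): string { return ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"'; }` on it would make the escaping decision one line. ENT_COMPAT is adequate here only because the attribute is double-quoted, which is worth stating at the site, e.g. `// ENT_COMPAT: value is emitted inside a double-quoted attribute.`. Each xmlOutput method starts outside its hunk.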
diff --git a/lib/xmldb/xmldb_table.php b/lib/xmldb/xmldb_table.php index b68350a93fe1f..1ee622526fb58 100644 --- a/lib/xmldb/xmldb_table.php +++ b/lib/xmldb/xmldb_table.php @@ -731,7 +731,7 @@ public function xmlOutput() { $o = ''; $o.= ' comment) { - $o.= ' COMMENT="' . htmlspecialchars($this->comment) . '"'; + $o.= ' COMMENT="' . htmlspecialchars($this->comment, ENT_COMPAT) . '"'; } $o.= '>' . "\n"; // Now the fields diff --git a/media/classes/player_native.php b/media/classes/player_native.php index 5057445d141df..869c448a5f6be 100644 --- a/media/classes/player_native.php +++ b/media/classes/player_native.php @@ -42,7 +42,7 @@ abstract class core_media_player_native extends core_media_player { */ public static function get_attribute($tag, $attrname, $type = PARAM_RAW) { if (preg_match('/^<[^>]*\b' . $attrname . '="(.*?)"/is', $tag, $matches)) { - return clean_param(htmlspecialchars_decode($matches[1]), $type); + return clean_param(htmlspecialchars_decode($matches[1], ENT_COMPAT), $type); } else if (preg_match('~^<[^>]*\b' . $attrname . '[ />]"~is', $tag, $matches)) { // Some attributes may not have value, for example this is valid: