Use ENT_QUOTES when converting UTF-8 to HTML (#448)

Closes #448.
savetheinternet · Sep 15, 2022 · 4c6a695 · 4c6a695
1 parent e42a1b0
commit 4c6a695
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/inc/config.php b/inc/config.php
@@ -1159,6 +1159,8 @@
 	$config['error']['mime_exploit']	= _('MIME type detection XSS exploit (IE) detected; post discarded.');
 	$config['error']['invalid_embed']	= _('Couldn\'t make sense of the URL of the video you tried to embed.');
 	$config['error']['captcha']		= _('You seem to have mistyped the verification.');
+	$config['error']['flag_undefined']	= _('The flag %s is undefined, your PHP version is too old!');
+	$config['error']['flag_wrongtype']	= _('defined_flags_accumulate(): The flag %s is of the wrong type!');
 
 
 	// Moderator errors

diff --git a/inc/functions.php b/inc/functions.php
@@ -2286,8 +2286,25 @@ function escape_markup_modifiers($string) {
 	return preg_replace('@<(tinyboard) ([\w\s]+)>@mi', '<$1 escape $2>', $string);
 }
 
+function defined_flags_accumulate($desired_flags) {
+	$output_flags = 0x0;
+	foreach ($desired_flags as $flagname) {
+		if (defined($flagname)) {
+			$flag = constant($flagname);
+			if (gettype($flag) != 'integer')
+				error(sprintf($config['error']['flag_wrongtype'], $flagname));
+			$output_flags |= $flag;
+		} else {
+			if ($config['deprecation_errors'])
+				error(sprintf($config['error']['flag_undefined'], $flagname));
+		}
+	}
+	return $output_flags;
+}
+
 function utf8tohtml($utf8) {
-	return htmlspecialchars($utf8, ENT_NOQUOTES, 'UTF-8');
+	$flags = defined_flags_accumulate(['ENT_QUOTES', 'ENT_SUBSTITUTE', 'ENT_DISALLOWED']);
+	return htmlspecialchars($utf8, $flags, 'UTF-8');
 }
 
 function ordutf8($string, &$offset) {