Use ENT_QUOTES when converting UTF-8 to HTML (#448)

Closes #448.
2 years ago · 704af3d64d
2 changed files with 20 additions and 1 deletions
--- a/inc/config.php
+++ b/inc/config.php
@ -1304,6 +1304,8 @@
 	$config['error']['captcha_expired']		= _('That captcha has expired.');
 	$config['error']['captcha']		= _('Captcha failed.');
 	$config['error']['already_voted']		= _('You have already voted for this thread to be featured.');
+	$config['error']['flag_undefined']	= _('The flag %s is undefined, your PHP version is too old!');
+	$config['error']['flag_wrongtype']	= _('defined_flags_accumulate(): The flag %s is of the wrong type!');

 	// Moderator errors
 	$config['error']['toomanyunban']	= _('You are only allowed to unban %s users at a time. You tried to unban %u users.');
--- a/inc/functions.php
+++ b/inc/functions.php
@ -2663,8 +2663,25 @@ function escape_markup_modifiers($string) {
 	return preg_replace('@<(tinyboard) ([\w\s]+)>@mi', '<$1 escape $2>', $string);
 }

+function defined_flags_accumulate($desired_flags) {
+	$output_flags = 0x0;
+	foreach ($desired_flags as $flagname) {
+		if (defined($flagname)) {
+			$flag = constant($flagname);
+			if (gettype($flag) != 'integer')
+				error(sprintf($config['error']['flag_wrongtype'], $flagname));
+			$output_flags |= $flag;
+		} else {
+			if ($config['deprecation_errors'])
+				error(sprintf($config['error']['flag_undefined'], $flagname));
+		}
+	}
+	return $output_flags;
+}
+
 function utf8tohtml($utf8) {
-	return htmlspecialchars($utf8, ENT_NOQUOTES, 'UTF-8');
+	$flags = defined_flags_accumulate(['ENT_QUOTES', 'ENT_SUBSTITUTE', 'ENT_DISALLOWED']);
+	return htmlspecialchars($utf8, $flags, 'UTF-8');
 }

 function ordutf8($string, &$offset) {