author | JoshyPHP <s9e.dev@gmail.com> | 2015-06-24 22:20:39 +0200 |
---|---|---|
committer | JoshyPHP <s9e.dev@gmail.com> | 2015-06-25 03:11:58 +0200 |
commit | 4f1b25706f6a1ae6eb1c6c60ef27b42bb7ac4b40 (patch) | |
tree | 8d99b3692cec947962c5abfd9e287ba176736d58 | |
parent | 129b3375ae873b3e6e947e3c5f47897bc4f9c572 (diff) | |
[ticket/10620] Removed extraneous quotes from attribute values
PHPBB3-10620
-rw-r--r-- | phpBB/assets/javascript/editor.js | 18 | ||||
-rw-r--r-- | phpBB/phpbb/textformatter/s9e/utils.php | 18 | ||||
-rw-r--r-- | tests/functional/posting_test.php | 4 | ||||
-rw-r--r-- | tests/functional/private_messages_test.php | 6 | ||||
-rw-r--r-- | tests/text_formatter/s9e/default_formatting_test.php | 10 | ||||
-rw-r--r-- | tests/text_formatter/s9e/utils_test.php | 10 |
6 files changed, 41 insertions, 25 deletions
diff --git a/phpBB/assets/javascript/editor.js b/phpBB/assets/javascript/editor.js
index d0d849330a..878a5cab86 100644
--- a/phpBB/assets/javascript/editor.js
+++ b/phpBB/assets/javascript/editor.js
@@ -250,13 +250,13 @@ function generate_quote(text, attributes)
 if ('author' in attributes)
 {
 // Add the author as the BBCode's default attribute
- quote += '=' + enquote(attributes.author);
+ quote += '=' + format_attribute_value(attributes.author);
 delete attributes.author;
 }
 for (var name in attributes)
 {
 var value = attributes[name];
- quote += ' ' + name + '=' + enquote(String(value));
+ quote += ' ' + name + '=' + format_attribute_value(String(value));
 }
 quote += ']' + text + '[/quote]';
@@ -264,16 +264,22 @@ function generate_quote(text, attributes)
 }
 /**
-* Return given string between quotes
+* Format given string to be used as an attribute value
 *
-* Will use either single- or double- quotes depending on whichever requires less escaping.
+* Will return the string as-is if it can be used in a BBCode without quotes. Otherwise,
+* it will use either single- or double- quotes depending on whichever requires less escaping.
 * Quotes and backslashes are escaped with backslashes where necessary
 *
 * @param {!string} str Original string
-* @return {!string} Escaped string within quotes
+* @return {!string} Same string if possible, escaped string within quotes otherwise
 */
-function enquote(str)
+function format_attribute_value(str)
 {
+ if (!/[ "'\\\]]/.test(str))
+ {
+ // Return as-is if it contains none of: space, ' " \ or ]
+ return str;
+ }
 var singleQuoted = "'" + str.replace(/[\\']/g, '\\$&') + "'",
 doubleQuoted = '"' + str.replace(/[\\"]/g, '\\$&') + '"';
diff --git a/phpBB/phpbb/textformatter/s9e/utils.php b/phpBB/phpbb/textformatter/s9e/utils.php
index df1966fa32..40479b3423 100644
--- a/phpBB/phpbb/textformatter/s9e/utils.php
+++ b/phpBB/phpbb/textformatter/s9e/utils.php
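Review bot: The unquoted fast path added to `format_attribute_value` only tests for a literal space, so a value containing a tab, newline or other whitespace is returned bare and the resulting `[quote=...]` tag will presumably be cut at the first whitespace the BBCode parser treats as a delimiter; use a whitespace class instead, `if (!/[\s"'\\\]]/.test(str))`, and change the comment to `// Return as-is if it contains none of: whitespace, ' " \ or ]`. An empty string also passes the test and now produces `[quote=]` where `enquote` used to wrap it in quotes — likely harmless, but worth a test fixture. This check is duplicated in phpBB/phpbb/textformatter/s9e/utils.php and the two must stay identical, otherwise quotes built in the browser and on the server will differ; a comment pointing at the PHP twin would help. The body of `format_attribute_value` continues past the end of the hunk.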
@@ -35,16 +35,22 @@ class utils implements \phpbb\textformatter\utils_interface
 }
 /**
- * Return given string between quotes
+ * Format given string to be used as an attribute value
 *
- * Will use either single- or double- quotes depending on whichever requires less escaping.
+ * Will return the string as-is if it can be used in a BBCode without quotes. Otherwise,
+ * it will use either single- or double- quotes depending on whichever requires less escaping.
 * Quotes and backslashes are escaped with backslashes where necessary
 *
 * @param string $str Original string
- * @return string Escaped string within quotes
+ * @return string Same string if possible, escaped string within quotes otherwise
 */
- protected function enquote($str)
+ protected function format_attribute_value($str)
 {
+ if (!preg_match('/[ "\'\\\\\\]]/', $str))
+ {
+ // Return as-is if it contains none of: space, ' " \ or ]
+ return $str;
+ }
 $singleQuoted = "'" . addcslashes($str, "\\'") . "'";
 $doubleQuoted = '"' . addcslashes($str, '\\"') . '"';
@@ -61,13 +67,13 @@ class utils implements \phpbb\textformatter\utils_interface
 if (isset($attributes['author']))
 {
 // Add the author as the BBCode's default attribute
- $quote .= '=' . $this->enquote($attributes['author']);
+ $quote .= '=' . $this->format_attribute_value($attributes['author']);
 unset($attributes['author']);
 }
 ksort($attributes);
 foreach ($attributes as $name => $value)
 {
- $quote .= ' ' . $name . '=' . $this->enquote($value);
+ $quote .= ' ' . $name . '=' . $this->format_attribute_value($value);
 }
 $quote .= ']';
 $newline = (strlen($quote . $text . '[/quote]') > 80 || strpos($text, "\n") !== false) ? "\n" : '';
diff --git a/tests/functional/posting_test.php b/tests/functional/posting_test.php
index d9e6cc5ab3..4f4ecfef45 100644
--- a/tests/functional/posting_test.php
+++ b/tests/functional/posting_test.php
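Review bot: The `preg_match` guard in `format_attribute_value` only rejects a literal space, so an author name or attribute containing a tab, newline or other whitespace is emitted unquoted and the `[quote=...]` tag generated by `generate_quote` will presumably be split at that whitespace by the BBCode parser; a whitespace class closes the gap, `if (!preg_match('/[\s"\'\\\\\\]]/', $str))`, with the comment updated to `// Return as-is if it contains none of: whitespace, ' " \ or ]`. The empty string also passes the guard and yields `[quote=]` where the old `enquote` wrapped it in quotes, which deserves a fixture in utils_test.php. The same check lives in assets/javascript/editor.js and both copies must match exactly or browser-built and server-built quotes will diverge, so a comment naming the JS twin is warranted. The rest of `format_attribute_value` lies outside the hunk.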
@@ -75,7 +75,7 @@ class phpbb_functional_posting_test extends phpbb_functional_test_case
 public function test_quote()
 {
 $text = 'Test post </textarea>"\' &&amp;';
- $expected = '([quote="admin"[^]]*\\]' . preg_quote($text) . '\\[/quote\\])';
+ $expected = '([quote=admin[^]]*\\]' . preg_quote($text) . '\\[/quote\\])';
 $this->login();
 $topic = $this->create_topic(2, 'Test Topic 1', 'Test topic');
@@ -110,7 +110,7 @@ class phpbb_functional_posting_test extends phpbb_functional_test_case
 $this->set_quote_depth($quote_depth);
 $crawler = self::request('GET', $quote_url);
 $this->assertRegexp(
- '(\\[quote="admin"[^]]*\\]' . preg_quote($expected_text) . '\\[/quote\\])',
+ '(\\[quote=admin[^]]*\\]' . preg_quote($expected_text) . '\\[/quote\\])',
 $crawler->filter('textarea#message')->text()
 );
 }
diff --git a/tests/functional/private_messages_test.php b/tests/functional/private_messages_test.php
index 9bfb5bc7ad..a7d1a29e80 100644
--- a/tests/functional/private_messages_test.php
+++ b/tests/functional/private_messages_test.php
@@ -75,7 +75,7 @@ class phpbb_functional_private_messages_test extends phpbb_functional_test_case
 $topic = $this->create_topic(2, 'Test Topic 1', 'Test topic');
 $post = $this->create_post(2, $topic['topic_id'], 'Re: Test Topic 1', $text);
- $expected = '(\\[quote="admin" post_id="' . $post['post_id'] . '" time="\\d+" user_id="2"\\]' . $text . '\\[/quote\\])';
+ $expected = '(\\[quote=admin post_id=' . $post['post_id'] . ' time=\\d+ user_id=2\\]' . $text . '\\[/quote\\])';
 $crawler = self::request('GET', 'ucp.php?i=pm&mode=compose&action=quotepost&p=' . $post['post_id'] . '&sid=' . $this->sid);
@@ -85,7 +85,7 @@ class phpbb_functional_private_messages_test extends phpbb_functional_test_case
 public function test_quote_pm()
 {
 $text = 'This is a test private message sent by the testing framework.';
- $expected = '(\\[quote="admin" time="\\d+" user_id="2"\\]' . $text . '\\[/quote\\])';
+ $expected = '(\\[quote=admin time=\\d+ user_id=2\\]' . $text . '\\[/quote\\])';
 $this->login();
 $message_id = $this->create_private_message('Test', $text, array(2));
@@ -98,7 +98,7 @@ class phpbb_functional_private_messages_test extends phpbb_functional_test_case
 public function test_quote_forward()
 {
 $text = 'This is a test private message sent by the testing framework.';
- $expected = "[quote=\"admin\"]\n" . $text . "\n[/quote]";
+ $expected = '[quote=admin]' . $text . '[/quote]';
 $this->login();
 $message_id = $this->create_private_message('Test', $text, array(2));
diff --git a/tests/text_formatter/s9e/default_formatting_test.php b/tests/text_formatter/s9e/default_formatting_test.php
index 3f8e375ad1..38604b49a0 100644
--- a/tests/text_formatter/s9e/default_formatting_test.php
+++ b/tests/text_formatter/s9e/default_formatting_test.php
@@ -218,7 +218,7 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
 '<blockquote><div><cite><a href="http://example.org" class="postlink">http://example.org</a> wrote:</cite>...</div></blockquote>'
 ),
 array(
- '[quote="http://example.org"]...[/quote]',
+ '[quote=http://example.org]...[/quote]',
 '<blockquote><div><cite><a href="http://example.org" class="postlink">http://example.org</a> wrote:</cite>...</div></blockquote>'
 ),
 array(
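Review bot: The new `test_quote_forward` expectation drops the newlines around the quoted text as well as the attribute quotes, but the commit message only explains the quotes, and the `$newline` rule in utils.php adds a line break whenever `$quote . $text . '[/quote]'` exceeds 80 characters — `[quote=admin]` plus this 61-character message plus `[/quote]` comes to 82 by my count, so either the forward path is not the one visible here or the expectation is fragile. A short comment on the `$expected` line, e.g. `// Forwarded text is short enough to be quoted on a single line`, would state the assumption so the next threshold change does not silently break this test. I cannot see the forward code path from this diff, so this may be a miscount rather than a defect.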
@@ -226,7 +226,7 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
 "<blockquote class=\"uncited\"><div>\nThis is a long quote that is definitely going to exceed 80 characters\n</div></blockquote>\n\nFollowed by a reply"
 ),
 array(
- '[quote="Username" post_id="123"]...[/quote]',
+ '[quote=Username post_id=123]...[/quote]',
 '<blockquote><div><cite>Username wrote: <a href="phpBB/viewtopic.php?p=123#p123" data-post-id="123" onclick="if(document.getElementById(hash.substr(1)))href=hash">↑</a></cite>...</div></blockquote>'
 ),
 array(
@@ -235,16 +235,16 @@ class phpbb_textformatter_s9e_default_formatting_test extends phpbb_test_case
 '<blockquote><div><cite>Username wrote:</cite>...</div></blockquote>'
 ),
 array(
- '[quote="Username" time="58705871"]...[/quote]',
+ '[quote=Username time=58705871]...[/quote]',
 '<blockquote><div><cite>1971-11-11 11:11:11 Username wrote:</cite>...</div></blockquote>'
 ),
 array(
- '[quote="Username" user_id="123"]...[/quote]',
+ '[quote=Username user_id=123]...[/quote]',
 '<blockquote><div><cite><a href="phpBB/memberlist.php?mode=viewprofile&u=123">Username</a> wrote:</cite>...</div></blockquote>'
 ),
 array(
 // Users are not allowed to submit their own URL for the profile
- '[quote="Username" profile_url="http://fake.example.org"]...[/quote]',
+ '[quote=Username profile_url=http://fake.example.org]...[/quote]',
 '<blockquote><div><cite>Username wrote:</cite>...</div></blockquote>'
 ),
 );
diff --git a/tests/text_formatter/s9e/utils_test.php b/tests/text_formatter/s9e/utils_test.php
index 152c316b2e..f2b480facb 100644
--- a/tests/text_formatter/s9e/utils_test.php
+++ b/tests/text_formatter/s9e/utils_test.php
@@ -98,11 +98,15 @@ class phpbb_textformatter_s9e_utils_test extends phpbb_test_case
 array('foo')
 ),
 array(
- '[quote="foo"]..[/quote] [quote="bar"]..[/quote]',
+ '[quote=foo]..[/quote] [quote]..[/quote]',
+ array('foo')
+ ),
+ array(
+ '[quote=foo]..[/quote] [quote=bar]..[/quote]',
 array('foo', 'bar')
 ),
 array(
- '[quote="foo"].[quote="baz"]..[/quote].[/quote] [quote="bar"]..[/quote]',
+ '[quote=foo].[quote=baz]..[/quote].[/quote] [quote=bar]..[/quote]',
 array('foo', 'bar')
 ),
 );
@@ -169,7 +173,7 @@ class phpbb_textformatter_s9e_utils_test extends phpbb_test_case
 'post_id' => 123,
 'url' => 'http://example.org'
 ),
- '[quote="user" post_id="123" url="http://example.org"]...[/quote]',
+ '[quote=user post_id=123 url=http://example.org]...[/quote]',
 ),
 array(
 'This is a long quote that is definitely going to exceed 80 characters', |