author | Marc Alexander <admin@m-a-styles.de> | 2014-04-11 21:08:15 +0200 |
---|---|---|
committer | Marc Alexander <admin@m-a-styles.de> | 2014-04-11 21:10:28 +0200 |
commit | 106be54de3e8295e74cf3ab27c6062993b2786e8 (patch) | |
tree | e3abd5267c76337ca276f5dd9b5ad8ae1131bfac /tests/upload/filespec_test.php | |
parent | 13a34ce59f2e39b3f74082737058251557fb600c (diff) | |
[ticket/12211] Do not run attachment file names twice through htmlspecialchars
Upload filenames are already processed via htmlspecialchars in the
type_cast_helper of the new request class. There is no need to run it through
htmlspecialchars() again in the filespec class.
PHPBB3-12211
Diffstat (limited to 'tests/upload/filespec_test.php')
-rw-r--r-- | tests/upload/filespec_test.php | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/tests/upload/filespec_test.php b/tests/upload/filespec_test.php
index 492f31cee6..2d46fd4058 100644
--- a/tests/upload/filespec_test.php
+++ b/tests/upload/filespec_test.php
@@ -273,4 +273,18 @@ class phpbb_filespec_test extends phpbb_test_case
 $phpEx = '';
 }
+
+ /**
+ * @dataProvider clean_filename_variables
+ */
+ public function test_uploadname($filename)
+ {
+ $type_cast_helper = new \phpbb\request\type_cast_helper();
+
+ $upload_name = '';
+ $type_cast_helper->set_var($upload_name, $filename, 'string', true, true);
+ $filespec = $this->get_filespec(array('name'=> $upload_name));
+
+ $this->assertSame(trim(utf8_basename(htmlspecialchars($filename))), $filespec->uploadname);
+ }
 } |
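Review bot: The assertion in test_uploadname builds its expected value by calling `htmlspecialchars($filename)` itself, so it can only tell single from double escaping if the `clean_filename_variables` provider, which lies outside this hunk, supplies names containing `&`, `<`, `>` or `"`. Since the commit message says filespec no longer escapes the name, this test is the visible guard that an upload name reaches `uploadname` escaped exactly once. I would add one case with a literal expectation, for example (constructed sample) input `a&b.jpg` checked with `$this->assertSame('a&amp;b.jpg', $filespec->uploadname);`. The expected value also relies on the default flags of `htmlspecialchars()`, which presumably match what `set_var` applies; passing the flags and charset explicitly would keep the test stable if those defaults differ between PHP versions. A docblock line such as `* Upload names must arrive already escaped by type_cast_helper; filespec must not escape them again.` would record the contract the test protects.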