From ddcd0f243791ea64373b53f077689df0c46c713a Mon Sep 17 00:00:00 2001
From: JoshyPHP
Date: Fri, 7 Apr 2017 08:49:56 +0200
Subject: [ticket/15163] Escape curly braces in smilies HTML attributes

PHPBB3-15163
---
 phpBB/phpbb/textformatter/s9e/factory.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

(limited to 'phpBB/phpbb/textformatter')

diff --git a/phpBB/phpbb/textformatter/s9e/factory.php b/phpBB/phpbb/textformatter/s9e/factory.php
index 5cbf2712f7..7719ce5afa 100644
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@@ -311,7 +311,7 @@ class factory implements \phpbb\textformatter\cache_interface
 {
 $configurator->Emoticons->set(
 $row['code'],
- '{.}'
+ '{.}'
 );
 }

@@ -441,6 +441,20 @@ class factory implements \phpbb\textformatter\cache_interface
 ->addParameterByName('parser');
 }

+ /**
+ * Escape a literal to be used in an HTML attribute in an XSL template
+ *
+ * Escapes "HTML special chars" for obvious reasons and curly braces to avoid them
+ * being interpreted as an attribute value template
+ *
+ * @param string $value Original string
+ * @return string Escaped string
+ */
+ protected function escape_html_attribute($value)
+ {
+ return htmlspecialchars(strtr($value, ['{' => '{{', '}' => '}}']), ENT_COMPAT | ENT_XML1, 'UTF-8');
+ }
+
 /**
 * Return the default BBCodes configuration
 *
--
cgit v1.2.1
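Review bot: `escape_html_attribute()` passes `ENT_COMPAT`, which leaves `'` unescaped, so the helper is only safe inside an attribute delimited by double quotes, while its name and docblock promise any HTML attribute in an XSL template. Either widen the flags to `ENT_QUOTES | ENT_XML1` in the `htmlspecialchars()` call, or state the restriction in the docblock with a line such as `Only safe inside a double-quoted attribute value`. The call site in the first hunk is not legible on this page, so the quoting used there should be confirmed against the file. The diffstat lists only factory.php, so a regression test with a smiley whose URL or title contains `{`, `}` and `"` would be worth adding to pin the escaping.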