From e50d9186ce15367e8f6e2aab5c04481ca0046ec6 Mon Sep 17 00:00:00 2001
From: JoshyPHP <s9e.dev@gmail.com>
Date: Tue, 19 May 2015 23:10:35 +0200
Subject: [ticket/13847] Changed enquote() logic to use whichever is the
 shortest

Will enclose attribute values in single- or double- quotes depending on
whichever requires the least escaping. Characters that need to be escaped
are always escaped regardless.

PHPBB3-13847
---
 phpBB/phpbb/textformatter/s9e/utils.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'phpBB/phpbb')

diff --git a/phpBB/phpbb/textformatter/s9e/utils.php b/phpBB/phpbb/textformatter/s9e/utils.php
index fe33c04da3..04df589930 100644
--- a/phpBB/phpbb/textformatter/s9e/utils.php
+++ b/phpBB/phpbb/textformatter/s9e/utils.php
@@ -37,7 +37,7 @@ class utils implements \phpbb\textformatter\utils_interface
 	/**
 	* Return given string between quotes
 	*
-	* Will use either single- or double- quotes depending on whichever requires to be escaped.
+	* Will use either single- or double- quotes depending on whichever requires less escaping.
 	* Quotes and backslashes are escaped with backslashes where necessary
 	*
 	* @param  string $str Original string
@@ -45,9 +45,10 @@ class utils implements \phpbb\textformatter\utils_interface
 	*/
 	protected function enquote($str)
 	{
-		$quote = (strpos($str, '"') === false || strpos($str, "'") !== false) ? '"' : "'";
+		$singleQuoted = "'" . addcslashes($str, "\\'") . "'";
+		$doubleQuoted = '"' . addcslashes($str, '\\"') . '"';
 
-		return $quote . addcslashes($str, '\\' . $quote) . $quote;
+		return (strlen($singleQuoted) < strlen($doubleQuoted)) ? $singleQuoted : $doubleQuoted;
 	}
 
 	/**
-- 
cgit v1.2.1