Fixed |safe_email filter to return safe and escaped UTF-8 HTML [get…

…grav#3072]
NicoHood · Jan 9, 2021 · b15ad23 · b15ad23
1 parent 2738107
commit b15ad23
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# v1.6.32
+## mm/dd/2021
+
+1. [](#bugfix)
+    * Fixed `|safe_email` filter to return safe and escaped UTF-8 HTML [#3072](https://github.com/getgrav/grav/issues/3072)
+
 # v1.6.31
 ## 12/14/2020
 

diff --git a/system/src/Grav/Common/Twig/TwigExtension.php b/system/src/Grav/Common/Twig/TwigExtension.php
@@ -98,8 +98,7 @@ public function getFilters()
             new \Twig_SimpleFilter('rtrim', [$this, 'rtrimFilter']),
             new \Twig_SimpleFilter('pad', [$this, 'padFilter']),
             new \Twig_SimpleFilter('regex_replace', [$this, 'regexReplace']),
-            new \Twig_SimpleFilter('safe_email', [$this, 'safeEmailFilter']),
-            new \Twig_SimpleFilter('safe_truncate', ['\Grav\Common\Utils', 'safeTruncate']),
+            new \Twig_SimpleFilter('safe_email', [$this, 'safeEmailFilter'], ['is_safe' => ['html']]),            new \Twig_SimpleFilter('safe_truncate', ['\Grav\Common\Utils', 'safeTruncate']),
             new \Twig_SimpleFilter('safe_truncate_html', ['\Grav\Common\Utils', 'safeTruncateHTML']),
             new \Twig_SimpleFilter('sort_by_key', [$this, 'sortByKeyFilter']),
             new \Twig_SimpleFilter('starts_with', [$this, 'startsWithFilter']),
@@ -232,14 +231,23 @@ public function fieldNameFilter($str)
      */
     public function safeEmailFilter($str)
     {
-        $email   = '';
-        for ($i = 0, $len = strlen($str); $i < $len; $i++) {
-            $j = random_int(0, 1);
+        static $list = [
+            '"' => '&#34;',
+            "'" => '&#39;',
+            '&' => '&amp;',
+            '<' => '&lt;',
+            '>' => '&gt;',
+            '@' => '&#64;'
+        ];
+
+        $characters = mb_str_split($str, 1, 'UTF-8');
 
-            $email .= $j === 0 ? '&#' . ord($str[$i]) . ';' : $str[$i];
+        $encoded = '';
+        foreach ($characters as $chr) {
+            $encoded .= $list[$chr] ?? (random_int(0, 1) ? '&#' . mb_ord($chr) . ';' : $chr);
         }
 
-        return str_replace('@', '&#64;', $email);
+        return $encoded;
     }
 
     /**