Fix #274 - Views Incorrectly Encode UTF Characters as HTML Entities
GoryMoon committed Aug 30, 2024
1 parent 1ebb0b2 commit c1edbab
Showing 4 changed files with 6 additions and 35 deletions.
Expand Up @@ -62,7 +62,8 @@ public function toApi(SugarBean $bean, array &$container, string $name, string $
$value = html_entity_decode($value);
}

$container[$newName] = $this->purify($bean, $name, $value);
// Some characters get double encoded when purifying, so need double decoding to get correct output
$container[$newName] = html_entity_decode(html_entity_decode($this->purify($bean, $name, $value)));
}

/**
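Review bot: The two nested html_entity_decode() calls on the new `$container[$newName]` line run on the purifier's output, so any entity the sanitizer deliberately left as text (an `&lt;` the user typed, or one produced by the purifier's own escaping) is turned back into literal markup before the value leaves toApi(), which undoes part of what purify() is there for. The number of decodes should mirror the number of encodes on the purify path rather than being tuned in the consumer; if purify() here ends in purify_html() from include/utils.php (not visible in this hunk, so unconfirmed) it encodes once with htmlspecialchars(), and a single decode restores the sanitizer's output while the second one re-materialises entities as tags. The calls also rely on html_entity_decode()'s default flags, which vary by PHP version (ENT_COMPAT before 8.1 leaves `&#039;` and single quotes untouched); pass `ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8'` explicitly, as from_html() in db_utils.php does. toApi() begins before this hunk.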
4 changes: 2 additions & 2 deletions public/legacy/include/utils.php
Expand Up @@ -2806,15 +2806,15 @@ function purify_html(?string $value, array $extraOptions = []): string {

$sanitizer = new SuiteCRM\HtmlSanitizer($extraOptions);

$cleanedValue = htmlentities($sanitizer->clean($value, true));
$cleanedValue = htmlspecialchars($sanitizer->clean($value, true));
$decoded = html_entity_decode($cleanedValue);
$doubleDecoded = html_entity_decode($decoded);

if (stripos($decoded, '<script>') !== false || stripos($doubleDecoded, '<script>') !== false){
$doubleDecoded = '';
}

$doubleCleanedValue = htmlentities($sanitizer->clean($doubleDecoded, true));
$doubleCleanedValue = htmlspecialchars($sanitizer->clean($doubleDecoded, true));

return $doubleCleanedValue;
}
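Review bot: Both new htmlspecialchars() calls (the `$cleanedValue` and `$doubleCleanedValue` lines) use the default flags, so the output depends on the PHP version: before 8.1 the default is ENT_COMPAT and single quotes are left unescaped, and without ENT_SUBSTITUTE any invalid UTF-8 byte in the value makes htmlspecialchars() return an empty string, silently discarding the whole field. Pass the flags explicitly, matching to_html() in db_utils.php: `$cleanedValue = htmlspecialchars($sanitizer->clean($value, true), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');` and the same on the `$doubleCleanedValue` line. The unchanged stripos() test for the literal string `<script>` matches only that exact form and is best read as a belt-and-braces guard; the sanitizer's second clean() of `$doubleDecoded` is the actual boundary, and a one-line comment saying so would stop a future reader from treating the substring check as the protection.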
33 changes: 2 additions & 31 deletions public/legacy/include/utils/db_utils.php
Expand Up @@ -66,15 +66,6 @@ function from_db_convert($string, $type)
return DBManagerFactory::getInstance()->fromConvert($string, $type);
}

$toHTML = array(
'"' => '&quot;',
'<' => '&lt;',
'>' => '&gt;',
"'" => '&#039;',
);
$GLOBALS['toHTML_keys'] = array_keys($toHTML);
$GLOBALS['toHTML_values'] = array_values($toHTML);
$GLOBALS['toHTML_keys_set'] = implode("", $GLOBALS['toHTML_keys']);
/**
* Replaces specific characters with their HTML entity values
* @param string $string String to check/replace
Expand All @@ -93,14 +84,8 @@ function to_html($string, $encode=true)
return $string;
}

global $toHTML;

if ($encode && is_string($string)) {
if (is_array($toHTML)) {
$string = str_ireplace($GLOBALS['toHTML_keys'], $GLOBALS['toHTML_values'] ?? [], $string);
} else {
$string = htmlentities($string, ENT_HTML401|ENT_QUOTES, 'UTF-8');
}
$string = htmlspecialchars($string, ENT_HTML401|ENT_QUOTES, 'UTF-8');
}

return $string;
Expand All @@ -123,22 +108,8 @@ function from_html($string, $encode=true)
return $string;
}

global $toHTML;
static $toHTML_values = null;
static $toHTML_keys = null;
static $cache = array();
if (!empty($toHTML) && is_array($toHTML) && (!isset($toHTML_values) || !empty($GLOBALS['from_html_cache_clear']))) {
$toHTML_values = array_values($toHTML);
$toHTML_keys = array_keys($toHTML);
}

// Bug 36261 - Decode &amp; so we can handle double encoded entities
$string = html_entity_decode($string, ENT_HTML401|ENT_QUOTES, 'UTF-8') ?? '';

if (!isset($cache[$string])) {
$cache[$string] = str_ireplace($toHTML_values ?? '', $toHTML_keys ?? '', $string);
}
return $cache[$string] ?? '';
return html_entity_decode($string, ENT_HTML401|ENT_QUOTES, 'UTF-8') ?? '';
}

/*
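Review bot: The `?? ''` on the new return line of from_html() is dead code: html_entity_decode() always returns a string, so the coalesce never fires and only suggests a failure mode that does not exist; `return html_entity_decode($string, ENT_HTML401|ENT_QUOTES, 'UTF-8');` is the honest form. The new to_html() line encodes without ENT_SUBSTITUTE, so a value containing invalid UTF-8 comes back as '' instead of being escaped with replacement characters — `htmlspecialchars($string, ENT_HTML401|ENT_QUOTES|ENT_SUBSTITUTE, 'UTF-8')` keeps the data and still escapes it. Dropping the `$toHTML` globals looks behaviour-neutral for these two functions (from_html() already decoded everything before re-applying the four-entry map), but any other legacy code reading `$GLOBALS['toHTML_keys']` or `$GLOBALS['toHTML_values']` now gets null, and the test cleanup in this commit touches only one such site, so a repository-wide search for those keys is worth doing before merge. Both to_html() and from_html() begin before their hunks.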
Expand Up @@ -108,7 +108,6 @@ public function testbuild_report_chart(): void
unset($GLOBALS['_SESSION']);
unset($GLOBALS['objectList']);
unset($GLOBALS['mod_strings']);
unset($GLOBALS['toHTML']);
unset($GLOBALS['module']);
unset($GLOBALS['action']);
unset($GLOBALS['disable_date_format']);