diff options
| -rw-r--r-- | includes/common.inc | 4 | ||||
| -rw-r--r-- | modules/filter/filter.test | 9 |
2 files changed, 11 insertions, 2 deletions
diff --git a/includes/common.inc b/includes/common.inc index fb4aff11d..0d95442a8 100644 --- a/includes/common.inc +++ b/includes/common.inc @@ -1359,12 +1359,12 @@ function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', // Defuse all HTML entities $string = str_replace('&', '&', $string); // Change back only well-formed entities in our whitelist - // Named entities - $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string); // Decimal numeric entities $string = preg_replace('/&#([0-9]+;)/', '&#\1', $string); // Hexadecimal numeric entities $string = preg_replace('/&#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\1', $string); + // Named entities + $string = preg_replace('/&([A-Za-z][A-Za-z0-9]*;)/', '&\1', $string); return preg_replace_callback('% ( diff --git a/modules/filter/filter.test b/modules/filter/filter.test index a9738a97a..cf06b6da3 100644 --- a/modules/filter/filter.test +++ b/modules/filter/filter.test @@ -399,6 +399,15 @@ class FilterTestCase extends DrupalWebTestCase { $f = filter_xss("\xc0aaa"); $this->assertEqual($f, '', t('HTML filter -- overlong UTF-8 sequences.')); + + $f = filter_xss("Who's Online"); + $this->assertNormalized($f, "who's online", t('HTML filter -- html entity number')); + + $f = filter_xss("Who's Online"); + $this->assertNormalized($f, "who's online", t('HTML filter -- encoded html entity number')); + + $f = filter_xss("Who' Online"); + $this->assertNormalized($f, "who' online", t('HTML filter -- double encoded html entity number')); } /** |