From 3d1f8f292a0b9eb8fdc621c3288639c92368d173 Mon Sep 17 00:00:00 2001
From: Scott Taylor <wonderboymusic@git.wordpress.org>
Date: Tue, 14 Jul 2015 17:55:07 +0000
Subject: [PATCH] After [33148]: Don't nest `esc_attr()` and
 `htmlspecialchars()` when escaping the post title on the edit post screen.

Unrevert parts of [32851] and [32850].

Adds/alters unit tests.

Props miqrogroove.
Fixes #17780.


git-svn-id: https://develop.svn.wordpress.org/trunk@33271 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/edit-form-advanced.php           |  2 +-
 src/wp-includes/formatting.php                | 21 ++-----
 tests/phpunit/tests/formatting/EscAttr.php    |  4 +-
 tests/phpunit/tests/formatting/EscHtml.php    |  2 +-
 tests/phpunit/tests/formatting/JSEscape.php   |  6 +-
 .../tests/formatting/WPSpecialchars.php       | 58 +++++++++++++++++++
 6 files changed, 70 insertions(+), 23 deletions(-)

diff --git a/src/wp-admin/edit-form-advanced.php b/src/wp-admin/edit-form-advanced.php
index 793ef8c253..7ada16cadd 100644
--- a/src/wp-admin/edit-form-advanced.php
+++ b/src/wp-admin/edit-form-advanced.php
@@ -494,7 +494,7 @@ do_action( 'edit_form_top', $post ); ?>
 	$title_placeholder = apply_filters( 'enter_title_here', __( 'Enter title here' ), $post );
 	?>
 	<label class="screen-reader-text" id="title-prompt-text" for="title"><?php echo $title_placeholder; ?></label>
-	<input type="text" name="post_title" size="30" value="<?php echo esc_attr( htmlspecialchars( $post->post_title ) ); ?>" id="title" spellcheck="true" autocomplete="off" />
+	<input type="text" name="post_title" size="30" value="<?php echo esc_attr( $post->post_title ); ?>" id="title" spellcheck="true" autocomplete="off" />
 </div>
 <?php
 /**
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index 3cd836c4f2..aae81dd50b 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -752,25 +752,14 @@ function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = fals
 		$quote_style = ENT_NOQUOTES;
 	}
 
-	// Handle double encoding ourselves
-	if ( $double_encode ) {
-		$string = @htmlspecialchars( $string, $quote_style, $charset );
-	} else {
-		// Decode &amp; into &
-		$string = wp_specialchars_decode( $string, $_quote_style );
-
-		// Guarantee every &entity; is valid or re-encode the &
+	if ( ! $double_encode ) {
+		// Guarantee every &entity; is valid, convert &garbage; into &amp;garbage;
+		// This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
 		$string = wp_kses_normalize_entities( $string );
-
-		// Now re-encode everything except &entity;
-		$string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );
-
-		for ( $i = 0, $c = count( $string ); $i < $c; $i += 2 ) {
-			$string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset );
-		}
-		$string = implode( '', $string );
 	}
 
+	$string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode );
+
 	// Backwards compatibility
 	if ( 'single' === $_quote_style )
 		$string = str_replace( "'", '&#039;', $string );
diff --git a/tests/phpunit/tests/formatting/EscAttr.php b/tests/phpunit/tests/formatting/EscAttr.php
index 35ea2f54a5..55ca837d05 100644
--- a/tests/phpunit/tests/formatting/EscAttr.php
+++ b/tests/phpunit/tests/formatting/EscAttr.php
@@ -26,7 +26,7 @@ class Tests_Formatting_EscAttr extends WP_UnitTestCase {
 	}
 
 	function test_esc_attr_amp() {
-		$out = esc_attr( 'foo & bar &baz; &apos;' );
-		$this->assertEquals( "foo &amp; bar &amp;baz; &apos;", $out );
+		$out = esc_attr( 'foo & bar &baz; &nbsp;' );
+		$this->assertEquals( "foo &amp; bar &amp;baz; &nbsp;", $out );
 	}
 }
diff --git a/tests/phpunit/tests/formatting/EscHtml.php b/tests/phpunit/tests/formatting/EscHtml.php
index 101692622e..14f17dfa8c 100644
--- a/tests/phpunit/tests/formatting/EscHtml.php
+++ b/tests/phpunit/tests/formatting/EscHtml.php
@@ -34,7 +34,7 @@ class Tests_Formatting_EscHtml extends WP_UnitTestCase {
 
 	function test_ignores_existing_entities() {
 		$source = '&#038; &#x00A3; &#x22; &amp;';
-		$res = '&amp; &#xA3; &quot; &amp;';
+		$res = '&#038; &#xA3; &#x22; &amp;';
 		$this->assertEquals( $res, esc_html($source) );
 	}
 }
diff --git a/tests/phpunit/tests/formatting/JSEscape.php b/tests/phpunit/tests/formatting/JSEscape.php
index 6ec3892982..286bf616e2 100644
--- a/tests/phpunit/tests/formatting/JSEscape.php
+++ b/tests/phpunit/tests/formatting/JSEscape.php
@@ -23,13 +23,13 @@ class Tests_Formatting_JSEscape extends WP_UnitTestCase {
 	}
 
 	function test_js_escape_amp() {
-		$out = esc_js('foo & bar &baz; &apos;');
-		$this->assertEquals("foo &amp; bar &amp;baz; &apos;", $out);
+		$out = esc_js('foo & bar &baz; &nbsp;');
+		$this->assertEquals("foo &amp; bar &amp;baz; &nbsp;", $out);
 	}
 
 	function test_js_escape_quote_entity() {
 		$out = esc_js('foo &#x27; bar &#39; baz &#x26;');
-		$this->assertEquals("foo \\' bar \\' baz &amp;", $out);
+		$this->assertEquals("foo \\' bar \\' baz &#x26;", $out);
 	}
 
 	function test_js_no_carriage_return() {
diff --git a/tests/phpunit/tests/formatting/WPSpecialchars.php b/tests/phpunit/tests/formatting/WPSpecialchars.php
index 6c8765d4db..ddae7fdefa 100644
--- a/tests/phpunit/tests/formatting/WPSpecialchars.php
+++ b/tests/phpunit/tests/formatting/WPSpecialchars.php
@@ -17,6 +17,10 @@ class Tests_Formatting_WPSpecialchars extends WP_UnitTestCase {
 
 		// Allowed entities should be unchanged
 		foreach ( $allowedentitynames as $ent ) {
+			if ( 'apos' == $ent ) {
+				// But for some reason, PHP doesn't allow &apos;
+				continue;
+			}
 			$ent = '&' . $ent . ';';
 			$this->assertEquals( $ent, _wp_specialchars( $ent ) );
 		}
@@ -39,4 +43,58 @@ class Tests_Formatting_WPSpecialchars extends WP_UnitTestCase {
 		$this->assertEquals( '&quot;&#039;hello!&#039;&quot;', _wp_specialchars($source, true) );
 		$this->assertEquals( $source, _wp_specialchars($source) );
 	}
+
+	/**
+	 * Check some of the double-encoding features for entity references.
+	 *
+	 * @ticket 17780
+	 * @dataProvider data_double_encoding
+	 */
+	function test_double_encoding( $input, $output ) {
+		return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, true ) );
+	}
+
+	function data_double_encoding() {
+		return array(
+			array(
+				'This & that, this &amp; that, &#8212; &quot; &QUOT; &Uacute; &nbsp; &#34; &#034; &#0034; &#x00022; &#x22; &dollar; &times;',
+				'This &amp; that, this &amp;amp; that, &amp;#8212; &amp;quot; &amp;QUOT; &amp;Uacute; &amp;nbsp; &amp;#34; &amp;#034; &amp;#0034; &amp;#x00022; &amp;#x22; &amp;dollar; &amp;times;',
+			),
+			array(
+				'&& &&amp; &amp;&amp; &amp;;',
+				'&amp;&amp; &amp;&amp;amp; &amp;amp;&amp;amp; &amp;amp;;',
+			),
+			array(
+				'&garbage; &***; &aaaa; &0000; &####; &;;',
+				'&amp;garbage; &amp;***; &amp;aaaa; &amp;0000; &amp;####; &amp;;;',
+			),
+		);
+	}
+
+	/**
+	 * Check some of the double-encoding features for entity references.
+	 *
+	 * @ticket 17780
+	 * @dataProvider data_no_double_encoding
+	 */
+	function test_no_double_encoding( $input, $output ) {
+		return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, false ) );
+	}
+
+	function data_no_double_encoding() {
+		return array(
+			array(
+				'This & that, this &amp; that, &#8212; &quot; &QUOT; &Uacute; &nbsp; &#34; &#034; &#0034; &#x00022; &#x22; &dollar; &times;',
+				'This &amp; that, this &amp; that, &#8212; &quot; &amp;QUOT; &Uacute; &nbsp; &#034; &#034; &#034; &#x22; &#x22; &amp;dollar; &times;',
+			),
+			array(
+				'&& &&amp; &amp;&amp; &amp;;',
+				'&amp;&amp; &amp;&amp; &amp;&amp; &amp;;',
+			),
+			array(
+				'&garbage; &***; &aaaa; &0000; &####; &;;',
+				'&amp;garbage; &amp;***; &amp;aaaa; &amp;0000; &amp;####; &amp;;;',
+			),
+		);
+	}
 }