Better double encoding handling in _wp_special_chars(). Props miqrogroove.

git-svn-id: https://develop.svn.wordpress.org/trunk@18485 602fd350-edb4-49c9-b593-d223f7449a82
2011-07-29 20:43:45 +00:00 · 2011-07-29 20:43:45 +00:00 · fe742b417f
parent 57bff0b6d8
commit fe742b417f
1 changed files with 20 additions and 24 deletions
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@ -294,34 +294,31 @@ function seems_utf8($str) {
 function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
 	$string = (string) $string;
-	if ( 0 === strlen( $string ) ) {
+	if ( 0 === strlen( $string ) )
 		return '';
 	}
 	// Don't bother if there are no specialchars - saves some processing
-	if ( !preg_match( '/[&<>"\']/', $string ) ) {
+	if ( ! preg_match( '/[&<>"\']/', $string ) )
 		return $string;
 	}
 	// Account for the previous behaviour of the function when the $quote_style is not an accepted value
-	if ( empty( $quote_style ) ) {
+	if ( empty( $quote_style ) )
 		$quote_style = ENT_NOQUOTES;
-	} elseif ( !in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) ) {
+	elseif ( ! in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) )
 		$quote_style = ENT_QUOTES;
 	}
 	// Store the site charset as a static to avoid multiple calls to wp_load_alloptions()
-	if ( !$charset ) {
+	if ( ! $charset ) {
 		static $_charset;
-		if ( !isset( $_charset ) ) {
+		if ( ! isset( $_charset ) ) {
 			$alloptions = wp_load_alloptions();
 			$_charset = isset( $alloptions['blog_charset'] ) ? $alloptions['blog_charset'] : '';
 		}
 		$charset = $_charset;
 	}
-	if ( in_array( $charset, array( 'utf8', 'utf-8', 'UTF8' ) ) ) {
+
 	if ( in_array( $charset, array( 'utf8', 'utf-8', 'UTF8' ) ) )
 		$charset = 'UTF-8';
 	}
 	$_quote_style = $quote_style;
@ -333,28 +330,27 @@ function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = fals
 	}
 	// Handle double encoding ourselves
-	if ( !$double_encode ) {
+	if ( $double_encode ) {
 		$string = @htmlspecialchars( $string, $quote_style, $charset );
 	} else {
 		// Decode &amp; into &
 		$string = wp_specialchars_decode( $string, $_quote_style );
-		/* Critical */
+		// Guarantee every &entity; is valid or re-encode the &
-		// The previous line decodes &amp;phrase; into &phrase;  We must guarantee that &phrase; is valid before proceeding.
+		$string = wp_kses_normalize_entities( $string );
 		$string = wp_kses_normalize_entities($string);
-		// Now proceed with custom double-encoding silliness
+		// Now re-encode everything except &entity;
-		$string = preg_replace( '/&(#?x?[0-9a-z]+);/i', '|wp_entity|$1|/wp_entity|', $string );
+		$string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );
 	}
-	$string = @htmlspecialchars( $string, $quote_style, $charset );
+		for ( $i = 0; $i < count( $string ); $i += 2 )
 			$string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset );
-	// Handle double encoding ourselves
+		$string = implode( '', $string );
 	if ( !$double_encode ) {
 		$string = str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );
 	}
 	// Backwards compatibility
-	if ( 'single' === $_quote_style ) {
+	if ( 'single' === $_quote_style )
 		$string = str_replace( "'", '&#039;', $string );
 	}
 	return $string;
 }