
Commit f1d8437

Steveb-palongosz
authored and committed
Fixed BC on XMLSanitizer
1 parent c8808a5 commit f1d8437


3 files changed

+17
-8
lines changed


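--- a/src/lib/RichText/XMLSanitizer.php
+++ b/src/lib/RichText/XMLSanitizer.php
@@ -20,7 +20,6 @@ final class XMLSanitizer
 {
     public function sanitizeXMLString(string $xmlString): string
     {
-        $xmlString = $this->decodeHTMLEntities($xmlString);
         $xmlString = $this->removeComments($xmlString);
         $xmlString = $this->removeDangerousTags($xmlString);
         $xmlString = $this->sanitizeDocType($xmlString);
@@ -45,11 +44,6 @@ public function convertCDATAToText(DOMDocument $document): DOMDocument
         return $document;
     }
 
-    private function decodeHTMLEntities(string $xmlString): string
-    {
-        return html_entity_decode($xmlString, ENT_XML1, 'UTF-8');
-    }
-
     private function removeComments(string $xmlString): string
     {
         $xmlString = preg_replace('/<!--\s?.*?\s?-->/s', '', $xmlString);
@@ -124,6 +118,7 @@ private function filterEntitiesFromDocType(string $entitiesBlock): array
         $entityDefinitions = [];
 
         foreach ($lines as $line) {
+            $line = html_entity_decode($line, ENT_XML1, 'UTF-8');
             $line = trim($line);
 
             if (preg_match('/<!ENTITY\s+(\S+)\s+(SYSTEM|PUBLIC)\s+/i', $line, $matches)) {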
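Review bot: Moving html_entity_decode out of sanitizeXMLString and into the per-line loop of filterEntitiesFromDocType narrows what gets decoded, so removeComments and removeDangerousTags (bodies outside this hunk) now only ever see the raw, undecoded string; if either of them relied on the earlier whole-document decode to match encoded forms, that coverage is gone, and nothing in the commit records whether that is intended. A comment on the added line would document the narrowed scope, e.g. `// Decode only within the DOCTYPE entity block: decoding the whole document corrupted legitimate encoded text such as "&amp;" (see DOMDocumentFactoryTest::testEncodedTagContentIsLeftAlone).` Decoding also now runs after the block has been split into `$lines` (the split is outside the hunk), so a decoded `$line` is no longer guaranteed to hold a single line; decoding `$entitiesBlock` once before it is split would keep the per-line regex's assumptions intact. The body of filterEntitiesFromDocType continues outside the hunk.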

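--- a/src/lib/eZ/RichText/DOMDocumentFactory.php
+++ b/src/lib/eZ/RichText/DOMDocumentFactory.php
@@ -42,7 +42,8 @@ public function loadXMLString(string $xmlString): DOMDocument
         // - substitute entities
         // - disable network access
         // - relax parser limits for document size/complexity
-        $success = $document->loadXML($this->xmlSanitizer->sanitizeXMLString($xmlString), LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_NONET | LIBXML_PARSEHUGE);
+        $xmlString = $this->xmlSanitizer->sanitizeXMLString($xmlString);
+        $success = $document->loadXML($xmlString, LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_NONET | LIBXML_PARSEHUGE);
         if (!$success) {
             throw new InvalidXmlException('$xmlString', libxml_get_errors());
         }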
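Review bot: The new line 45 rebinds the parameter `$xmlString` to the sanitized text, so the caller's original input is no longer reachable in this method and the `libxml_get_errors()` handed to InvalidXmlException on the failure path describes positions in the sanitized string rather than what the caller passed in. A distinct name keeps both available and makes the two-step intent obvious: `$sanitizedXml = $this->xmlSanitizer->sanitizeXMLString($xmlString);` followed by `$success = $document->loadXML($sanitizedXml, LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_NONET | LIBXML_PARSEHUGE);`. Because LIBXML_NOENT and LIBXML_DTDLOAD are set, the sanitizer appears to be the only thing deciding which DOCTYPE entity declarations reach the parser, and that ordering dependency deserves a comment above the call, e.g. `// sanitizeXMLString must run before loadXML: NOENT|DTDLOAD substitute entities, so only the filtered DOCTYPE may reach the parser.` The body of loadXMLString continues outside the hunk.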

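--- a/tests/lib/eZ/RichText/DOMDocumentFactoryTest.php
+++ b/tests/lib/eZ/RichText/DOMDocumentFactoryTest.php
@@ -71,6 +71,20 @@ public function testEntityReferencesThrowsInvalidXmlException(): void
         $this->domDocumentFactory->loadXMLString($xml);
     }
 
+    public function testEncodedTagContentIsLeftAlone(): void
+    {
+        $xml = <<<EOT
+<?xml version="1.0"?>
+<para>By placing your order you agree to our <link>data &amp; privacy regulations</link>.</para>
+
+EOT;
+
+        $doc = $this->domDocumentFactory->loadXMLString($xml);
+        $docXMLString = $doc->saveXML();
+
+        self::assertSame($xml, $docXMLString);
+    }
+
     public function testRemoveEncodedEntities(): void
     {
         $xml = <<<EOT
@@ -114,7 +128,6 @@ public function testRemoveEncodedEntities(): void
      */
     public function testHandleDoctype(string $xml, string $stringNotContainsString): void
     {
-        $xml =
         $doc = $this->domDocumentFactory->loadXMLString($xml);
         $docXMLString = $doc->saveXML();
         self::assertIsString($docXMLString);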
