Commit 8eca1b8d authored by Brion Vibber's avatar Brion Vibber

Fix ticket #3057: apply HTML escaping on special characters in Twitter import

Changes the replacement of Twitter "entities" from in-place reverse ordering ('to preserve indices') to a forward-facing append-in-chunks that pulls in both the text and link portions, and escapes them all.
This unfortunately means first *de*-escaping the < and > that Twitter helpfully adds for us.... and any literal &blah;s that get written. This seems to match Twitter's web UI, however horrid it is.
parent 2a42dac7
......@@ -554,8 +554,8 @@ class TwitterImport
}
// Move all the entities into order so we can
// replace them in reverse order and thus
// not mess up their indices
// replace them and escape surrounding plaintext
// in order
$toReplace = array();
......@@ -577,13 +577,23 @@ class TwitterImport
}
}
// sort in reverse order by key
// sort in forward order by key
krsort($toReplace);
ksort($toReplace);
$result = '';
$cursor = 0;
foreach ($toReplace as $part) {
list($type, $object) = $part;
$orig = mb_substr($text, $object->indices[0], $object->indices[1] - $object->indices[0]);
$start = $object->indices[0];
$end = $object->indices[1];
if ($cursor < $start) {
// Copy in the preceding plaintext
$result .= $this->twitEscape(mb_substr($text, $cursor, $start - $cursor));
$cursor = $start;
}
$orig = $this->twitEscape(mb_substr($text, $start, $end - $start));
switch($type) {
case self::URL:
$linkText = $this->makeUrlLink($object, $orig);
......@@ -595,11 +605,29 @@ class TwitterImport
$linkText = $this->makeMentionLink($object, $orig);
break;
default:
$linkText = $orig;
continue;
}
$text = mb_substr($text, 0, $object->indices[0]) . $linkText . mb_substr($text, $object->indices[1]);
$result .= $linkText;
$cursor = $end;
}
return $text;
$last = $this->twitEscape(mb_substr($text, $cursor));
$result .= $last;
return $result;
}
function twitEscape($str)
{
// Twitter seems to preemptive turn < and > into &lt; and &gt;
// but doesn't for &, so while you may have some magic protection
// against XSS by not bothing to escape manually, you still get
// invalid XHTML. Thanks!
//
// Looks like their web interface pretty much sends anything
// through intact, so.... to do equivalent, decode all entities
// and then re-encode the special ones.
return htmlspecialchars(html_entity_decode($str, ENT_COMPAT, 'UTF-8'));
}
function makeUrlLink($object, $orig)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment