From f54975d337b03435252d96d48458a72b23d9a27b Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Mon, 20 Feb 2023 13:38:09 -0500
Subject: [PATCH] Angular Coder: Fix unescaping of quotes breaking attributes

Fixes the bug described in https://github.com/civicrm/civicrm-core/pull/25471#issuecomment-1423233785
---
 Civi/Angular/Coder.php | 14 ++++++++++++--
 tests/phpunit/Civi/Angular/PartialSyntaxTest.php | 4 ++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/Civi/Angular/Coder.php b/Civi/Angular/Coder.php
index a1aa080238..9799e96594 100644
--- a/Civi/Angular/Coder.php
+++ b/Civi/Angular/Coder.php
@@ -61,8 +61,16 @@ class Coder {
 return $html;
 }
+ /**
+ * Angular is not as strict about special characters inside html attributes as the xhtml spec.
+ *
+ * This unescapes everything that angular expects to be unescaped.
+ *
+ * @param $matches
+ * @return string
+ */
 protected function cleanupAttribute($matches) {
- list ($full, $attr, $lquote, $value, $rquote) = $matches;
+ [$full, $attr, $lquote, $value, $rquote] = $matches;
 switch ($attr) {
 case 'href':
@@ -72,7 +80,9 @@ class Coder {
 break;
 default:
- $value = html_entity_decode($value);
+ $value = html_entity_decode($value, ENT_NOQUOTES);
+ $oppositeQuote = $lquote === '"' ? "'" : '"';
+ $value = str_replace(htmlspecialchars($oppositeQuote, ENT_QUOTES), $oppositeQuote, $value);
 break;
 }
diff --git a/tests/phpunit/Civi/Angular/PartialSyntaxTest.php b/tests/phpunit/Civi/Angular/PartialSyntaxTest.php
index 39363c1aca..0cfb3bf1e5 100644
--- a/tests/phpunit/Civi/Angular/PartialSyntaxTest.php
+++ b/tests/phpunit/Civi/Angular/PartialSyntaxTest.php
@@ -68,6 +68,10 @@ class PartialSyntaxTest extends \CiviUnitTestCase {
 '
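Review bot: The new docblock on `cleanupAttribute()` says it "unescapes everything that angular expects to be unescaped", but the `default` branch changed later in this commit deliberately leaves the attribute's own delimiting quote encoded, and the `case 'href':` branch at the end of this hunk is handled separately (its body is not shown). The docblock should state that exception, since it is what keeps a value from closing its attribute early, for example `* The quote character that delimits the attribute is left encoded; only the opposite quote is decoded.` The parameter also has no type: `@param array $matches` plus one line naming the capture order (full match, attribute name, left quote, value, right quote) would make the destructuring below it checkable. The function body continues outside this hunk.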
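Review bot: The `$oppositeQuote` line in the `default` branch treats every `$lquote` other than `"` as a single-quoted attribute, so an empty or unexpected `$lquote` would have `&quot;` decoded into a bare `"`. The pattern that feeds `$matches` is outside the hunk, so it is worth confirming that it can only capture `'` or `"`, or making the fallback explicit. Separately, the `str_replace` only matches the one spelling that `htmlspecialchars(..., ENT_QUOTES)` emits (`&quot;` or `&#039;`), so an opposite quote arriving as `&#39;` or `&#x27;` stays encoded; that looks harmless, since as far as I can tell `ENT_NOQUOTES` leaves all quote entities alone, but the output then depends on how the upstream serializer spells entities. Neither the invariant nor that limitation is written down next to the code; suggested comment above the three added lines: `// Never decode the delimiting quote, or the value would end its own attribute. Only the canonical entity of the opposite quote is decoded.`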
',
 '
',
 ];
+ $cases[7] = [
+ '
',
+ '
',
+ ];
 return $cases;
 }
-- 2.25.1