author | diosmosis <benaka@piwik.pro> | 2014-11-17 10:48:45 +0300 |
---|---|---|
committer | diosmosis <benaka@piwik.pro> | 2014-11-17 10:48:45 +0300 |
commit | e109893929f9144486a708ab6c2218d471737fbf (patch) | |
tree | 09abcf281bfcba512f3698b2e9ffdf6d7d36519d /core/DataTable | |
parent | 6744fa6e01a394cc89d97755d0b89b492ff62afa (diff) |
Fix double encode in SafeDecodeLabel filter (only affects > 5.3).
Diffstat (limited to 'core/DataTable')
-rw-r--r-- | core/DataTable/Filter/SafeDecodeLabel.php | 10 |
1 files changed, 2 insertions, 8 deletions
diff --git a/core/DataTable/Filter/SafeDecodeLabel.php b/core/DataTable/Filter/SafeDecodeLabel.php
index f2629618b1..1f3e70e670 100644
--- a/core/DataTable/Filter/SafeDecodeLabel.php
+++ b/core/DataTable/Filter/SafeDecodeLabel.php
@@ -39,16 +39,10 @@ class SafeDecodeLabel extends BaseFilter
 if (empty($value)) {
 return $value;
 }
+
 $raw = urldecode($value);
 $value = htmlspecialchars_decode($raw, ENT_QUOTES);
-
- // ENT_IGNORE so that if utf8 string has some errors, we simply discard invalid code unit sequences
- $style = ENT_QUOTES | ENT_IGNORE;
-
- // See changes in 5.4: http://nikic.github.com/2012/01/28/htmlspecialchars-improvements-in-PHP-5-4.html
- // Note: at some point we should change ENT_IGNORE to ENT_SUBSTITUTE
- $value = htmlspecialchars($value, $style, 'UTF-8');
-
+ // TODO: add test for XSS and invalid UTF in label
 return $value;
 } |
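Review bot: With the `htmlspecialchars($value, $style, 'UTF-8')` call removed, the method now returns the label fully decoded (`urldecode` followed by `htmlspecialchars_decode($raw, ENT_QUOTES)`), so `<`, `>`, `&` and both quote characters reach callers unescaped, and the `ENT_IGNORE` pass that discarded invalid UTF-8 sequences is gone as well. Whether every consumer of the filtered label escapes at output time is not visible in this hunk, so the safety of the change rests on code outside it. The new `// TODO: add test for XSS and invalid UTF in label` defers exactly the check that would confirm this; I would add that test in this commit, feeding a label with encoded markup characters and one with an invalid byte sequence through the filter and asserting what the renderers emit. I would also replace the TODO with a contract comment such as `// NOTE: the returned label is NOT HTML-escaped; callers must escape it for their output context.` The method body starts above the hunk, so its full signature and docblock are not shown here.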