
github.com/matomo-org/matomo.git - Unnamed repository; edit this file 'description' to name the repository.
authorMatthieu Napoli <matthieu@mnapoli.fr>2014-10-16 04:17:06 +0400
committerMatthieu Napoli <matthieu@mnapoli.fr>2014-10-16 04:17:06 +0400
commita1e70f90bde3692fc153f9c395baf1bed214c2b1 (patch)
treea63bbcf90e0da606f5d6f3cfff27357898e1fa80 /core
parentb97df3c84dd41c9149682c19b8d30b8dcfd4adf3 (diff)
parenta8bf225b405fa5be58f1622cf6c2bbcb5ee91a4c (diff)
Merge branch 'master' into bugfix/6156
Diffstat (limited to 'core')
-rw-r--r--core/Common.php16
1 files changed, 13 insertions, 3 deletions
diff --git a/core/Common.php b/core/Common.php
index a11b3f977b..76c9777605 100644
--- a/core/Common.php
+++ b/core/Common.php
@@ -314,6 +314,8 @@ class Common
// note: before php 5.2.7, htmlspecialchars() double encodes &#x hex items
$value = html_entity_decode($value, self::HTML_ENCODING_QUOTE_STYLE, 'UTF-8');
+ $value = self::sanitizeNullBytes($value);
+
// escape
$tmp = @htmlspecialchars($value, self::HTML_ENCODING_QUOTE_STYLE, 'UTF-8');
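Review bot: The added `self::sanitizeNullBytes($value)` call is the only step in this sequence without a comment, and its position matters. It runs after `html_entity_decode()` and before `htmlspecialchars()`, which neither escapes nor removes a NUL byte. I would add a line above it such as `// remove null bytes: htmlspecialchars() below passes them through unchanged`. The enclosing method starts and ends outside the hunk, so whether only string values reach this line cannot be confirmed from here.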
@@ -383,13 +385,21 @@ class Common
}
/**
- *
- * @param string
+ * @param string $value
* @return string Line breaks and line carriage removed
*/
public static function sanitizeLineBreaks($value)
{
- return str_replace(array("\n", "\r", "\0"), '', $value);
+ return str_replace(array("\n", "\r"), '', $value);
+ }
+
+ /**
+ * @param string $value
+ * @return string Null bytes removed
+ */
+ public static function sanitizeNullBytes($value)
+ {
+ return str_replace(array("\0"), '', $value);
}
/**
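Review bot: `sanitizeLineBreaks()` is public and static, and after this change it no longer strips `"\0"`. Any caller that used it as its only filter now lets NUL bytes through unless the value also passes through the code path that calls `sanitizeNullBytes()`. Callers are not visible in this diff, so they should be audited, particularly where the result ends up in headers, file names or log lines. At minimum the docblock should state the narrower contract, e.g. `@return string Line breaks and line carriage removed (null bytes are NOT removed, see sanitizeNullBytes())`. A smaller style point: `str_replace("\0", '', $value)` does the same without the one-element array.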