Diffstat (limited to 'lib')
| -rw-r--r-- | lib/Minz/Request.php | 9 | ||||
| -rw-r--r-- | lib/core-extensions/UserCSS/extension.php | 4 | ||||
| -rw-r--r-- | lib/core-extensions/UserJS/extension.php | 4 |
3 files changed, 9 insertions, 8 deletions
diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php
index 13a4f6841..b4d4549a9 100644
--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -142,14 +142,15 @@ class Minz_Request {
 * It will return an array where each cell contains one line of a text. The new line
 * character is used to break the text into lines. This method is well suited to use
 * to split textarea content.
- * @param array<string> $default
+ * @param bool $plaintext `true` to return special characters without any escaping (unsafe), `false` (default) to XML-encode them
 * @return array<string>
 */
- public static function paramTextToArray(string $key, array $default = []): array {
+ public static function paramTextToArray(string $key, bool $plaintext = false): array {
 if (isset(self::$params[$key]) && is_string(self::$params[$key])) {
- return preg_split('/\R/u', self::$params[$key]) ?: [];
+ $result = preg_split('/\R/u', self::$params[$key]) ?: [];
+ return $plaintext ? $result : Minz_Helper::htmlspecialchars_utf8($result);
 }
- return $default;
+ return [];
 }
 
 public static function defaultControllerName(): string {
diff --git a/lib/core-extensions/UserCSS/extension.php b/lib/core-extensions/UserCSS/extension.php
index 5343fd39a..c0622b145 100644
--- a/lib/core-extensions/UserCSS/extension.php
+++ b/lib/core-extensions/UserCSS/extension.php
@@ -22,13 +22,13 @@ final class UserCSSExtension extends Minz_Extension {
 $this->registerTranslates();
 
 if (Minz_Request::isPost()) {
- $css_rules = html_entity_decode(Minz_Request::paramString('css-rules'));
+ $css_rules = Minz_Request::paramString('css-rules', plaintext: true);
 $this->saveFile(self::FILENAME, $css_rules);
 }
 
 $this->css_rules = '';
 if ($this->hasFile(self::FILENAME)) {
- $this->css_rules = htmlentities($this->getFile(self::FILENAME) ?? '');
+ $this->css_rules = htmlspecialchars($this->getFile(self::FILENAME) ?? '', ENT_NOQUOTES, 'UTF-8');
 }
 }
 }
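Review bot: Replacing `array $default = []` with `bool $plaintext = false` in the same parameter slot of `paramTextToArray` is a breaking signature change: any caller still passing a fallback array positionally now throws a TypeError (arrays are never coerced to bool, with or without strict types) instead of receiving its default, and no caller is visible in this diff to confirm they were all migrated. The new default also changes what every existing caller gets back, since each line now goes through `Minz_Helper::htmlspecialchars_utf8` unless `plaintext: true` is passed, so I would extend the docblock with `Lines are HTML-escaped by default; pass plaintext: true only when the caller escapes for its own output context (file, JSON, attribute)` to make the encode-at-input convention explicit. Whether `htmlspecialchars_utf8` accepts an array and escapes element-wise is not shown here; the call relies on it. The `?: []` guard correctly covers preg_split returning false on invalid UTF-8 under the `u` modifier, which matters because `self::$params[$key]` is raw request input.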
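Review bot: The read-back line `htmlspecialchars($this->getFile(self::FILENAME) ?? '', ENT_NOQUOTES, 'UTF-8')` returns an empty string whenever the stored file holds an invalid UTF-8 sequence (PHP does this unless ENT_SUBSTITUTE or ENT_IGNORE is set), and because the POST branch now writes the request value verbatim via `plaintext: true`, a single bad byte would make the saved CSS appear blank in the form and be wiped by the next save. I would change it to `htmlspecialchars($this->getFile(self::FILENAME) ?? '', ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8')`. ENT_NOQUOTES is only adequate if `$this->css_rules` is echoed as element content such as a textarea body; the template is outside this diff, so confirm it is never emitted inside an attribute value. The `plaintext:` named argument also presumes `paramString` already has such a parameter, which this diff does not show.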
diff --git a/lib/core-extensions/UserJS/extension.php b/lib/core-extensions/UserJS/extension.php
index a33114ec5..3b860029a 100644
--- a/lib/core-extensions/UserJS/extension.php
+++ b/lib/core-extensions/UserJS/extension.php
@@ -22,13 +22,13 @@ final class UserJSExtension extends Minz_Extension {
 $this->registerTranslates();
 
 if (Minz_Request::isPost()) {
- $js_rules = html_entity_decode(Minz_Request::paramString('js-rules'));
+ $js_rules = Minz_Request::paramString('js-rules', plaintext: true);
 $this->saveFile(self::FILENAME, $js_rules);
 }
 
 $this->js_rules = '';
 if ($this->hasFile(self::FILENAME)) {
- $this->js_rules = htmlentities($this->getFile(self::FILENAME) ?? '');
+ $this->js_rules = htmlspecialchars($this->getFile(self::FILENAME) ?? '', ENT_NOQUOTES, 'UTF-8');
 }
 }
 }
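Review bot: The POST branch persists request-supplied JavaScript that this extension presumably injects into the user's own pages, yet no CSRF token or origin check is visible in the hunk before `saveFile`; if Minz does not enforce one centrally ahead of this code, a cross-site POST could plant script that runs in the victim's session, so confirm where that check lives and note it in a comment above the `isPost()` branch. On the read-back line, `htmlspecialchars(..., ENT_NOQUOTES, 'UTF-8')` silently yields '' for invalid UTF-8, which now that the file holds the raw `plaintext: true` input would blank the form and wipe the saved script on the next save; `ENT_NOQUOTES | ENT_SUBSTITUTE` avoids that failure mode. ENT_NOQUOTES also assumes `$this->js_rules` is rendered only as element content, never inside an attribute; the template is outside this diff.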
