From a66b995be7d187a208bf7f66ce4d83911ba5932f Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Fri, 22 Jun 2018 16:07:48 +0200
Subject: Explicit quotes decoding (#1947)

* Explicit quotes decoding

* Explicit htmlspecialchars_decode and htmlspecialchars
---
 app/FreshRSS.php                                  | 2 +-
 app/layout/header.phtml                           | 2 +-
 app/layout/nav_menu.phtml                         | 2 +-
 app/views/helpers/export/opml.phtml               | 8 ++++----
 app/views/helpers/index/normal/entry_bottom.phtml | 2 +-
 app/views/helpers/javascript_vars.phtml           | 2 +-
 app/views/stats/index.phtml                       | 2 +-
 app/views/stats/repartition.phtml                 | 2 +-
 8 files changed, 11 insertions(+), 11 deletions(-)

(limited to 'app')

diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 25fd429a2..2bd5135a9 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -66,7 +66,7 @@ class FreshRSS extends Minz_FrontController {
 				403,
 				array('error' => array(
 					_t('feedback.access.denied'),
-					' [HTTP_REFERER=' . htmlspecialchars($http_referer) . ']'
+					' [HTTP_REFERER=' . htmlspecialchars($http_referer, ENT_NOQUOTES, 'UTF-8') . ']'
 				))
 			);
 		}
diff --git a/app/layout/header.phtml b/app/layout/header.phtml
index 3eb8b984d..e75a25efa 100644
--- a/app/layout/header.phtml
+++ b/app/layout/header.phtml
@@ -26,7 +26,7 @@ if (FreshRSS_Auth::accessNeedsAction()) {
 		<form action="<?php echo _url('index', 'index'); ?>" method="get">
 			<div class="stick">
 				<input type="search" name="search" id="search" class="extend" value="<?php
-					echo htmlspecialchars(htmlspecialchars_decode(FreshRSS_Context::$search), ENT_COMPAT, 'UTF-8'); ?>" placeholder="<?php echo _t('gen.menu.search'); ?>" />
+					echo htmlspecialchars(htmlspecialchars_decode(FreshRSS_Context::$search, ENT_QUOTES), ENT_COMPAT, 'UTF-8'); ?>" placeholder="<?php echo _t('gen.menu.search'); ?>" />
 
 				<?php $get = Minz_Request::param('get', ''); ?>
 				<?php if ($get != '') { ?>
diff --git a/app/layout/nav_menu.phtml b/app/layout/nav_menu.phtml
index f8a2376ec..d1f3bed43 100644
--- a/app/layout/nav_menu.phtml
+++ b/app/layout/nav_menu.phtml
@@ -163,7 +163,7 @@
 	<div class="item search">
 		<form action="<?php echo _url('index', 'index'); ?>" method="get">
 			<input type="search" name="search" class="extend" value="<?php
-				echo htmlspecialchars(htmlspecialchars_decode(FreshRSS_Context::$search), ENT_COMPAT, 'UTF-8'); ?>" placeholder="<?php echo _t('index.menu.search_short'); ?>" />
+				echo htmlspecialchars(htmlspecialchars_decode(FreshRSS_Context::$search, ENT_QUOTES), ENT_COMPAT, 'UTF-8'); ?>" placeholder="<?php echo _t('index.menu.search_short'); ?>" />
 
 			<?php $get = Minz_Request::param('get', ''); ?>
 			<?php if($get != '') { ?>
diff --git a/app/views/helpers/export/opml.phtml b/app/views/helpers/export/opml.phtml
index 236cca303..edb4d4eda 100644
--- a/app/views/helpers/export/opml.phtml
+++ b/app/views/helpers/export/opml.phtml
@@ -16,11 +16,11 @@ foreach ($this->categories as $key => $cat) {
 
 	foreach ($cat['feeds'] as $feed) {
 		$opml_array['body'][$key]['@outlines'][] = array(
-			'text' => htmlspecialchars_decode($feed->name()),
+			'text' => htmlspecialchars_decode($feed->name(), ENT_QUOTES),
 			'type' => 'rss',
-			'xmlUrl' => htmlspecialchars_decode($feed->url()),
-			'htmlUrl' => htmlspecialchars_decode($feed->website()),
-			'description' => htmlspecialchars_decode($feed->description()),
+			'xmlUrl' => htmlspecialchars_decode($feed->url(), ENT_QUOTES),
+			'htmlUrl' => htmlspecialchars_decode($feed->website(), ENT_QUOTES),
+			'description' => htmlspecialchars_decode($feed->description(), ENT_QUOTES),
 		);
 	}
 }
diff --git a/app/views/helpers/index/normal/entry_bottom.phtml b/app/views/helpers/index/normal/entry_bottom.phtml
index 793c644f9..6417da4cb 100644
--- a/app/views/helpers/index/normal/entry_bottom.phtml
+++ b/app/views/helpers/index/normal/entry_bottom.phtml
@@ -81,7 +81,7 @@
 			<ul class="dropdown-menu">
 				<li class="dropdown-close"><a href="#close">❌</a></li><?php
 				foreach($tags as $tag) {
-					?><li class="item"><a href="<?php echo _url('index', 'index', 'search', '#' . htmlspecialchars_decode($tag)); ?>"><?php echo $tag; ?></a></li><?php
+					?><li class="item"><a href="<?php echo _url('index', 'index', 'search', '#' . htmlspecialchars_decode($tag, ENT_QUOTES)); ?>"><?php echo $tag; ?></a></li><?php
 				} ?>
 			</ul>
 		</div>
diff --git a/app/views/helpers/javascript_vars.phtml b/app/views/helpers/javascript_vars.phtml
index 1b9b614d2..d7b3e4360 100644
--- a/app/views/helpers/javascript_vars.phtml
+++ b/app/views/helpers/javascript_vars.phtml
@@ -56,4 +56,4 @@ echo htmlspecialchars(json_encode(array(
 	'icons' => array(
 		'close' => _i('close'),
 	),
-), JSON_UNESCAPED_UNICODE), ENT_NOQUOTES);
+), JSON_UNESCAPED_UNICODE), ENT_NOQUOTES, 'UTF-8');
diff --git a/app/views/stats/index.phtml b/app/views/stats/index.phtml
index a36f812a8..2ff3e6c52 100644
--- a/app/views/stats/index.phtml
+++ b/app/views/stats/index.phtml
@@ -88,6 +88,6 @@ echo htmlspecialchars(json_encode(array(
 	'dataCount' => $this->count,
 	'feedByCategory' => $this->feedByCategory,
 	'entryByCategory' => $this->entryByCategory,
-), JSON_UNESCAPED_UNICODE), ENT_NOQUOTES);
+), JSON_UNESCAPED_UNICODE), ENT_NOQUOTES, 'UTF-8');
 ?></script>
 <script src="../scripts/stats.js?<?php echo @filemtime(PUBLIC_PATH . '/scripts/stats.js'); ?>"></script>
diff --git a/app/views/stats/repartition.phtml b/app/views/stats/repartition.phtml
index 5ebcdce5a..4bce418c9 100644
--- a/app/views/stats/repartition.phtml
+++ b/app/views/stats/repartition.phtml
@@ -69,6 +69,6 @@ echo htmlspecialchars(json_encode(array(
 	'days' => $this->days,
 	'repartitionMonth' => $this->repartitionMonth,
 	'months' => $this->months,
-), JSON_UNESCAPED_UNICODE), ENT_NOQUOTES);
+), JSON_UNESCAPED_UNICODE), ENT_NOQUOTES, 'UTF-8');
 ?></script>
 <script src="../scripts/repartition.js?<?php echo @filemtime(PUBLIC_PATH . '/scripts/repartition.js'); ?>"></script>
-- 
cgit v1.2.3