From fd1b5e9343b6fe92b4e5dfbbc2f01ddfcd010af9 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Thu, 12 Sep 2024 11:04:49 +0200
Subject: Fix inversed encoding logic in paramArray (#6800)

* Fix inversed encoding logic in paramArray
https://github.com/FreshRSS/FreshRSS/pull/6797#discussion_r1754661634
Also fix the possibility to use `<'&">` in shortcuts, and some minor encoding bugs in user queries

* Forgot paramArrayString
---
 lib/Minz/Request.php | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

(limited to 'lib')

diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php
index fcece464b..542741d4a 100644
--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -40,7 +40,7 @@ class Minz_Request {
 	 * Read the URL parameter
 	 * @param string $key Key name
 	 * @param mixed $default default value, if no parameter is given
-	 * @param bool $specialchars special characters
+	 * @param bool $specialchars `true` to return special characters, `false` (default) to XML-encode them
 	 * @return mixed value of the parameter
 	 * @deprecated use typed versions instead
 	 */
@@ -61,21 +61,27 @@ class Minz_Request {
 		return isset(self::$params[$key]);
 	}
 
-	/** @return array<string|int,string|array<string,string|int|bool>> */
+	/**
+	 * @param bool $specialchars `true` to return special characters, `false` (default) to XML-encode them
+	 * @return array<string|int,string|array<string,string|int|bool>>
+	 */
 	public static function paramArray(string $key, bool $specialchars = false): array {
 		if (empty(self::$params[$key]) || !is_array(self::$params[$key])) {
 			return [];
 		}
-		return $specialchars ? Minz_Helper::htmlspecialchars_utf8(self::$params[$key]) : self::$params[$key];
+		return $specialchars ? self::$params[$key] : Minz_Helper::htmlspecialchars_utf8(self::$params[$key]);
 	}
 
-	/** @return array<string> */
+	/**
+	 * @param bool $specialchars `true` to return special characters, `false` (default) to XML-encode them
+	 * @return array<string>
+	 */
 	public static function paramArrayString(string $key, bool $specialchars = false): array {
 		if (empty(self::$params[$key]) || !is_array(self::$params[$key])) {
 			return [];
 		}
 		$result = array_filter(self::$params[$key], 'is_string');
-		return $specialchars ? Minz_Helper::htmlspecialchars_utf8($result) : $result;
+		return $specialchars ? $result : Minz_Helper::htmlspecialchars_utf8($result);
 	}
 
 	public static function paramTernary(string $key): ?bool {
@@ -106,6 +112,9 @@ class Minz_Request {
 		return 0;
 	}
 
+	/**
+	 * @param bool $specialchars `true` to return special characters, `false` (default) to XML-encode them
+	 */
 	public static function paramStringNull(string $key, bool $specialchars = false): ?string {
 		if (isset(self::$params[$key])) {
 			$s = self::$params[$key];
@@ -120,6 +129,9 @@ class Minz_Request {
 		return null;
 	}
 
+	/**
+	 * @param bool $specialchars `true` to return special characters, `false` (default) to XML-encode them
+	 */
 	public static function paramString(string $key, bool $specialchars = false): string {
 		return self::paramStringNull($key, $specialchars) ?? '';
 	}
-- 
cgit v1.2.3