diff --git a/lib/cleanhtml.php b/lib/cleanhtml.php
index 0241f0672..b1fabb0d3 100644
--- a/lib/cleanhtml.php
+++ b/lib/cleanhtml.php
@@ -268,14 +268,10 @@ function clean($t) {
 if (preg_match('/\Gml[] = $this->e("<0>Conditional HTML comments not allowed", $p, $p + strlen($m[0]), $t);
 return false;
- } else if (preg_match('/\G(|\z)/s', $t, $m, 0, $p)) {
+ } else if (preg_match('/\G|\z)/s', $t, $m, 0, $p)) {
 $this->check_text($curtf, $tagstack, $p, $p + strlen($m[0]), $t);
- if ($m[2] === "") {
- $x .= substr($t, $xp) . "]]>";
- $p = $xp = $len;
- } else {
- $p += strlen($m[0]);
- }
+ $x .= substr($t, $xp, $p - $xp) . htmlspecialchars($m[1]);
+ $p = $xp = $p + strlen($m[0]);
 } else if (preg_match('/\G|\z)\z/s', $t, $m, 0, $p)) {
 $x .= substr($t, $xp, $p - $xp);
 $p = $xp = $p + strlen($m[0]);
diff --git a/test/t_unit.php b/test/t_unit.php
index 6f10aacab..c91c40843 100644
--- a/test/t_unit.php
+++ b/test/t_unit.php
@@ -1088,7 +1088,7 @@ function test_sensitive_mail_preparation() {
 }
 function test_clean_html() {
- $chtml = CleanHtml::basic();
+ $chtml = CleanHTML::basic();
 xassert_eqq($chtml->clean('Hello'), false);
 xassert_eqq($chtml->clean('Hello'), 'Hello');
 xassert_eqq($chtml->clean(''), false);
@@ -1102,6 +1102,7 @@ function test_clean_html() {
 xassert_eqq($chtml->clean('
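Review bot: `htmlspecialchars($m[1])` in the new CDATA branch depends on PHP's version-specific default flags: before PHP 8.1 the default omits ENT_SUBSTITUTE, so a CDATA body containing an invalid UTF-8 sequence makes htmlspecialchars() return an empty string and the body silently vanishes from the output instead of being escaped. Pin the flags so the sanitizer's output does not change with the runtime: `$x .= substr($t, $xp, $p - $xp) . htmlspecialchars($m[1], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. A short why-comment above that line would also help, since the removed branch appears to have copied the section through unchanged, e.g. `// HTML parsers do not honor CDATA sections outside foreign content; emit the body as escaped text so it can never be parsed as markup`. The pattern text in this hunk looks garbled by extraction, and clean()'s body begins and ends outside the hunk.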
hithere
'), '
hithere
'); xassert_eqq($chtml->clean("\n"), "\n"); xassert_eqq($chtml->clean("\n"), false); + xassert_eqq($chtml->clean("]]>"), "<alert>"); } function test_base48() {
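Review bot: The added assertion covers only a terminated CDATA section, while the `\z` alternative accepted by the new pattern in lib/cleanhtml.php — a section that runs to the end of input — has no test, and that is exactly the case whose old handling the commit removes. Add a sibling assertion with the same body but no closing `]]>`, presumably expecting the same escaped output; the exact input literal cannot be quoted here because the rendered line has lost the section's opening marker. test_clean_html()'s opening brace lies outside this hunk.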