Fix to correctly escape content in editor mode
https://forum.virtualmin.com/t/webmins-file-managers-editor-converting-html-special-characters-making-the-next-save-detrimental/122606/18?u=ilia
605a32f87d
@@ -1305,7 +1305,7 @@ return "<textarea class='ui_textarea' ".
|
||||
"rows='$rows' cols='$cols'".($wrap ? " wrap='$wrap'" : "").
|
||||
($dis ? " disabled='true'" : "").
|
||||
($tags ? " $tags" : "").">".
|
||||
&html_escape($value).
|
||||
&html_escape($value, 1).
|
||||
"</textarea>";
|
||||
}
|
||||
|
||||
|
||||
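Review bot: The bare `1` passed as the second argument in `&html_escape($value, 1)` gives no hint of why the textarea body needs different escaping from the rest of the page, so a comment above that line would help, for example `# editor mode: escape every & so entities already in $value are shown and saved back literally`. Browsers decode character references inside a textarea, which is why the default mode, which leaves existing entities alone, alters such content on the next save. Other helpers that put editable text into form fields are not visible in this hunk and may need the same flag. The function starts above the hunk.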
@@ -242,7 +242,7 @@ if ($sorted_by && $sorted_by_sectioning_preserved) {
|
||||
}
|
||||
}
|
||||
|
||||
=head2 html_escape(string)
|
||||
=head2 html_escape(string, [editor-mode])
|
||||
|
||||
Converts &, < and > codes in text to HTML entities, and returns the new string.
|
||||
This should be used when including data read from other sources in HTML pages.
|
||||
@@ -250,13 +250,16 @@ This should be used when including data read from other sources in HTML pages.
|
||||
=cut
|
||||
sub html_escape
|
||||
{
|
||||
my ($tmp) = @_;
|
||||
my ($tmp, $editor_mode) = @_;
|
||||
if (!defined $tmp) {
|
||||
return ''; # empty string
|
||||
};
|
||||
# Before escaping ampersand use negative lookahead to see if occurrence
|
||||
# is not an HTML entity already to prevent double escaping
|
||||
$tmp =~ s/&(?!(([a-zA-Z]+)|(#|#x)\d+);)/&/g;
|
||||
$tmp =~ s/&(?!(([a-zA-Z]+)|(#|#x)\d+);)/&/g if (!$editor_mode);
|
||||
# In editor mode always escape all ampersands
|
||||
# to make sure they are displayed per se
|
||||
$tmp =~ s/&/&/g if ($editor_mode);
|
||||
# Just always escape the following
|
||||
$tmp =~ s/</</g;
|
||||
$tmp =~ s/>/>/g;
|
||||
|
||||
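Review bot: The lookahead kept on the non-editor branch, `(#|#x)\d+`, only recognises hexadecimal references written with decimal digits, so `&#x3c;` has its ampersand escaped while `&#60;` and `&lt;` pass through untouched; `(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+)` would treat the three forms alike. The two complementary postfix tests on `$editor_mode` would read more clearly as a single `if`/`else`. The POD heading gained `[editor-mode]` but the text below it does not describe it; a sentence such as `If editor-mode is true every & is escaped, so text shown in a form field is saved back unchanged.` would tell callers when to pass it. The replacement strings appear as bare `&`, `<` and `>` on this page, presumably because the rendering decoded the entities. The body of html_escape continues past the end of the hunk.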