From f0f8dc2850c45f8d5dc4e100e7802bba45436fb5 Mon Sep 17 00:00:00 2001
From: Ilia Ross
Date: Sat, 16 Sep 2023 16:57:08 +0300
Subject: [PATCH] Fix to correctly escape content in editor mode

https://forum.virtualmin.com/t/webmins-file-managers-editor-converting-html-special-characters-making-the-next-save-detrimental/122606/18?u=ilia https://github.com/webmin/webmin/commit/605a32f87d1709961aeda1c4294ee60fd727de9c
---
 ui-lib.pl | 2 +-
 web-lib-funcs.pl | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/ui-lib.pl b/ui-lib.pl
index f0e87d261..0c1f8e4e9 100755
--- a/ui-lib.pl
+++ b/ui-lib.pl
@@ -1305,7 +1305,7 @@ return ""; }
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 7740ec38e..354f93c21 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -242,7 +242,7 @@ if ($sorted_by && $sorted_by_sectioning_preserved) {
 }
 }
 
-=head2 html_escape(string)
+=head2 html_escape(string, [editor-mode])
 
 Converts &, < and > codes in text to HTML entities, and returns the new string.
 This should be used when including data read from other sources in HTML pages.
@@ -250,13 +250,16 @@ This should be used when including data read from other sources in HTML pages.
 =cut
 sub html_escape
 {
-my ($tmp) = @_;
+my ($tmp, $editor_mode) = @_;
 if (!defined $tmp) {
 return ''; # empty string
 };
 # Before escaping ampersand use negative lookahead to see if occurrence
 # is not an HTML entity already to prevent double escaping
-$tmp =~ s/&(?!(([a-zA-Z]+)|(#|#x)\d+);)/&/g;
+$tmp =~ s/&(?!(([a-zA-Z]+)|(#|#x)\d+);)/&/g if (!$editor_mode);
+# In editor mode always escape all ampersands
+# to make sure they are displayed per se
+$tmp =~ s/&/&/g if ($editor_mode);
 # Just always escape the following
 $tmp =~ s//>/g;
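Review bot: The POD heading in the first web-lib-funcs.pl hunk gains the `[editor-mode]` argument, but the description never states what the flag does or when a caller must pass it; the only hint is the pair of postfix-conditional substitutions added in the second hunk. I would add to the description something like `If editor-mode is true every & is escaped, including those that already form an entity, so the text round-trips unchanged through a textarea; the default leaves existing entities alone, which is lossy and must not be used for content that will be edited and saved back.` The two `if (!$editor_mode)` / `if ($editor_mode)` lines are mutually exclusive and read more clearly as a single if/else, as sketched below. The rest of html_escape, including its return, lies outside the hunk, and the `&amp;` replacement text and the `<`/`&lt;` substitution on the last lines appear to have been lost to entity decoding on this page, so I read them as the usual substitutions.
```perl
# … unchanged: undef check …
if ($editor_mode) {
	# Editor mode: escape every ampersand, even one that already forms
	# an entity, so the text round-trips unchanged through a textarea
	$tmp =~ s/&/&amp;/g;
	}
else {
	# Skip ampersands that already start an entity to avoid double escaping
	$tmp =~ s/&(?!(([a-zA-Z]+)|(#|#x)\d+);)/&amp;/g;
	}
# … unchanged: < and > substitutions …
```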