From 3aa96a4a34c31f556f9bdd94ac7a683f01fc1838 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Sun, 21 Feb 2010 23:15:05 +0000
Subject: [PATCH] for xml: decode all entities, remove all non-decodable entities, remove all html tags and encode <, > and & as entities
---
 etemplate/inc/class.bo_merge.inc.php | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/etemplate/inc/class.bo_merge.inc.php b/etemplate/inc/class.bo_merge.inc.php
index 476597e010..b08207e6d0 100644
--- a/etemplate/inc/class.bo_merge.inc.php
+++ b/etemplate/inc/class.bo_merge.inc.php
@@ -5,7 +5,7 @@
 * @link http://www.egroupware.org
 * @author Ralf Becker
 * @package addressbook
- * @copyright (c) 2007-9 by Ralf Becker
+ * @copyright (c) 2007-10 by Ralf Becker
 * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
 * @version $Id$
 */
@@ -479,9 +479,30 @@ abstract class bo_merge
 {
 $replacements = $GLOBALS['egw']->translation->convert($replacements,$GLOBALS['egw']->translation->charset(),$charset);
 }
- if ($is_xml) // zip'ed xml document (eg. OO) --> need to encode &,<,> to not mess up xml
+ if ($is_xml) // zip'ed xml document (eg. OO)
 {
- $replacements = str_replace(array('&','&','<','>'),array('&','&','<','>'),$replacements);
+ // clean replacements from html or html-entities, which mess up xml
+ foreach($replacements as $name => &$value)
+ {
+ // decode html entities back to utf-8
+ if (strpos($value,'&') !== false)
+ {
+ $value = html_entity_decode($value,ENT_QUOTES,$charset);
+
+ // remove all non-decodable entities
+ if (strpos($value,'&') !== false)
+ {
+ $value = preg_replace('/&[^; ]+;/','',$value);
+ }
+ }
+ // remove all html tags, evtl. included
+ if (strpos($value,'<') !== false)
+ {
+ $value = strip_tags($value);
+ }
+ }
+ // now decode &, < and >, which need to be encoded as entities in xml
+ $replacements = str_replace(array('&','<','>'),array('&','<','>'),$replacements);
 }
 return str_replace(array_keys($replacements),array_values($replacements),$content);
 }
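Review bot: The by-reference loop `foreach($replacements as $name => &$value)` leaves `$value` aliased to the last array element once it ends, so add `unset($value);` directly after its closing brace; `$name` is unused as well. Decoding entities and then calling `strip_tags()` treats every replacement as HTML, so a plain-text value holding a literal `<` or an `&…;`-shaped sequence can lose content silently; if some fields are plain text, this cleanup probably wants to be limited to the fields known to carry HTML. The closing `str_replace` is the only step that stops merged data from being parsed as XML markup, and it leaves quotes unencoded, which matters if a placeholder can sit inside an attribute value — not visible from this hunk. As shown on this page its search and replacement arrays are identical, presumably because the entities were decoded in rendering; the method starts outside the hunk.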