Fix for bd7dc4d6 which broke the build (null bytes where not sanitized)

2d06c9a7 · Matthieu Napoli · 726ffad5 · 2d06c9a7 · 2d06c9a7
--- a/core/Common.php
+++ b/core/Common.php
@@ -314,6 +314,8 @@ class Common
        // note: before php 5.2.7, htmlspecialchars() double encodes &#x hex items
        $value = html_entity_decode($value, self::HTML_ENCODING_QUOTE_STYLE, 'UTF-8');

+        $value = self::sanitizeNullBytes($value);
+
        // escape
        $tmp = @htmlspecialchars($value, self::HTML_ENCODING_QUOTE_STYLE, 'UTF-8');

@@ -383,13 +385,21 @@ class Common
    }

    /**
-     *
-     * @param string
+     * @param string $value
     * @return string Line breaks and line carriage removed
     */
    public static function sanitizeLineBreaks($value)
    {
-        return str_replace(array("\n", "\r", "\0"), '', $value);
+        return str_replace(array("\n", "\r"), '', $value);
+    }
+
+    /**
+     * @param string $value
+     * @return string Null bytes removed
+     */
+    public static function sanitizeNullBytes($value)
+    {
+        return str_replace(array("\0"), '', $value);
    }

    /**

--- a/tests/PHPUnit/Unit/CommonTest.php
+++ b/tests/PHPUnit/Unit/CommonTest.php
@@ -55,8 +55,8 @@ class Core_CommonTest extends PHPUnit_Framework_TestCase
            ),
            // test filter - expect new line and null byte to be filtered out
            array(
-                "New\nLine\rNull\0Byte",
-                'NewLineNullByte'
+                "Null\0Byte",
+                'NullByte'
            ),
            // double encoded - no change (document as user error)
            array(