Refs #6372 Textarea Settings value should conserve line breaks

bd7dc4d6 · mattab · fa106611 · bd7dc4d6 · bd7dc4d6
--- a/core/Common.php
+++ b/core/Common.php
@@ -263,7 +263,7 @@ class Common
        if (is_numeric($value)) {
            return $value;
        } elseif (is_string($value)) {
-            $value = self::sanitizeInputValue($value);
+            $value = self::sanitizeString($value);

            if (!$alreadyStripslashed) // a JSON array was already stripslashed, don't do it again for each value
            {
@@ -289,21 +289,31 @@ class Common
    }

    /**
-     * Sanitize a single input value
+     * Sanitize a single input value and removes line breaks, tabs and null characters.
     *
     * @param string $value
     * @return string  sanitized input
     */
    public static function sanitizeInputValue($value)
+    {
+        $value = self::sanitizeLineBreaks($value);
+        $value = self::sanitizeString($value);
+        return $value;
+    }
+
+    /**
+     * Sanitize a single input value
+     *
+     * @param $value
+     * @return string
+     */
+    private static function sanitizeString($value)
    {
        // $_GET and $_REQUEST already urldecode()'d
        // decode
        // note: before php 5.2.7, htmlspecialchars() double encodes &#x hex items
        $value = html_entity_decode($value, self::HTML_ENCODING_QUOTE_STYLE, 'UTF-8');

-        // filter
-        $value = self::sanitizeLineBreaks($value);
-
        // escape
        $tmp = @htmlspecialchars($value, self::HTML_ENCODING_QUOTE_STYLE, 'UTF-8');

@@ -312,6 +322,7 @@ class Common
            // convert and escape
            $value = utf8_encode($value);
            $tmp = htmlspecialchars($value, self::HTML_ENCODING_QUOTE_STYLE, 'UTF-8');
+            return $tmp;
        }
        return $tmp;
    }

--- a/tests/PHPUnit/Unit/CommonTest.php
+++ b/tests/PHPUnit/Unit/CommonTest.php
@@ -199,6 +199,7 @@ class Core_CommonTest extends PHPUnit_Framework_TestCase
            array(array("test", 1345524, array("gaga")), array(), 'array', array("test", 1345524, array("gaga"))), // array as a default value / types
            array(array("test", 1345524, array("gaga")), 45, 'string', "45"),
            array(array("test", 1345524, array("gaga")), array(1), 'array', array("test", 1345524, array("gaga"))),
+            array(array("test", 1345524, "Start of hello\nworld\n\t", array("gaga")), array(1), 'array', array("test", 1345524, "Start of hello\nworld\n\t", array("gaga"))),
            array(array("test", 1345524, array("gaga")), 4, 'int', 4),
            array('', array(1), 'array', array(1)),
            array('', array(), 'array', array()),