
Added support for encoding.

git-svn-id: http://framework.zend.com/svn/framework/standard/trunk@20661 44c647ce-9c0f-0410-b52a-842ac1e357ba
kokx 16 年 前
コミット
f6de3e5dc5

+ 5 - 3
library/Zend/Markup/Renderer/Html.php

@@ -351,7 +351,7 @@ class Zend_Markup_Renderer_Html extends Zend_Markup_Renderer_RendererAbstract
     {
         $this->_defaultFilter = new Zend_Filter();
 
-        $this->_defaultFilter->addFilter(new Zend_Filter_HtmlEntities());
+        $this->_defaultFilter->addFilter(new Zend_Filter_HtmlEntities(array('encoding' => self::getEncoding())));
         $this->_defaultFilter->addFilter(new Zend_Filter_Callback('nl2br'));
     }
 
@@ -438,9 +438,11 @@ class Zend_Markup_Renderer_Html extends Zend_Markup_Renderer_RendererAbstract
          */
         foreach ($attributes as $attribute => $value) {
             if (isset($tokenAttributes[$attribute]) && !empty($tokenAttributes[$attribute])) {
-                $return .= ' ' . $attribute . '="' . htmlentities($tokenAttributes[$attribute], ENT_QUOTES) . '"';
+                $return .= ' ' . $attribute . '="' . htmlentities($tokenAttributes[$attribute],
+                                                                  ENT_QUOTES,
+                                                                  self::getEncoding()) . '"';
             } elseif (!empty($value)) {
-                $return .= ' ' . $attribute . '="' . htmlentities($value, ENT_QUOTES) . '"';
+                $return .= ' ' . $attribute . '="' . htmlentities($value, ENT_QUOTES, self::getEncoding()) . '"';
             }
         }
 
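Review bot: The encoding handed to `Zend_Filter_HtmlEntities` in the first hunk is read once, when `_defaultFilter` is built, while the `htmlentities()` calls in this hunk read `self::getEncoding()` on every render; a `setEncoding()` call made after the filter exists therefore changes attribute escaping but not the escaping of tag content, and the two paths can end up using different charsets. Either rebuild the filter inside `setEncoding()` or note the ordering requirement in the docblock, e.g. `Encoding must be set before the default filter is created; later changes do not reach it.`. Whether `Zend_Filter_HtmlEntities` accepts the option under the key `encoding` (rather than `charset`) is not visible here and is worth confirming against the filter class. The method enclosing the first hunk starts outside it.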

+ 2 - 2
library/Zend/Markup/Renderer/Html/Img.php

@@ -74,8 +74,8 @@ class Zend_Markup_Renderer_Html_Img extends Zend_Markup_Renderer_Html_HtmlAbstra
         }
 
         // run the URI and alt through htmlentities
-        $uri = htmlentities($uri, ENT_QUOTES, 'UTF-8');
-        $alt = htmlentities($alt, ENT_QUOTES, 'UTF-8');
+        $uri = htmlentities($uri, ENT_QUOTES, 'UTF-8', Zend_Markup_Renderer_Html::getEncoding());
+        $alt = htmlentities($alt, ENT_QUOTES, 'UTF-8', Zend_Markup_Renderer_Html::getEncoding());
 
 
         return "<img src=\"{$uri}\" alt=\"{$alt}\"" . Zend_Markup_Renderer_Html::renderAttributes($token) . " />";
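Review bot: The fourth parameter of `htmlentities()` is `$double_encode`, not a charset, so on both changed lines the renderer encoding lands in the wrong position: the charset stays the hard-coded `'UTF-8'` and the non-empty string merely keeps double-encoding enabled, which means this hunk does not actually apply the configured encoding. The intended calls are `$uri = htmlentities($uri, ENT_QUOTES, Zend_Markup_Renderer_Html::getEncoding());` and `$alt = htmlentities($alt, ENT_QUOTES, Zend_Markup_Renderer_Html::getEncoding());`. Note that `$uri` and `$alt` arrive here already entity-encoded by the renderer's default filter (the test in this commit expects `&amp;quot;`), so the comment `run the URI and alt through htmlentities` should say that this is a second, defensive pass. The enclosing method begins above the hunk.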

+ 34 - 0
library/Zend/Markup/Renderer/RendererAbstract.php

@@ -104,6 +104,13 @@ abstract class Zend_Markup_Renderer_RendererAbstract
      */
     protected $_token;
 
+    /**
+     * Encoding
+     *
+     * @var string
+     */
+    protected static $_encoding = 'UTF-8';
+
 
     /**
      * Constructor
@@ -118,6 +125,9 @@ abstract class Zend_Markup_Renderer_RendererAbstract
             $options = $options->toArray();
         }
 
+        if (isset($options['encoding'])) {
+            $this->setEncoding($options['encoding']);
+        }
         if (isset($options['parser'])) {
             $this->setParser($options['parser']);
         }
@@ -165,6 +175,30 @@ abstract class Zend_Markup_Renderer_RendererAbstract
     }
 
     /**
+     * Set the renderer's encoding
+     *
+     * @param string $encoding
+     *
+     * @return Zend_Markup_Renderer_RendererAbstract
+     */
+    public static function setEncoding($encoding)
+    {
+        self::$_encoding = $encoding;
+
+        return $this;
+    }
+
+    /**
+     * Get the renderer's encoding
+     *
+     * @return string
+     */
+    public static function getEncoding()
+    {
+        return self::$_encoding;
+    }
+
+    /**
      * Add a new markup
      *
      * @param string $name
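Review bot: `setEncoding()` is declared `static` but ends with `return $this;`, and `$this` is not bound inside a static method, so the first call — including the constructor's `$this->setEncoding($options['encoding'])` in the previous hunk — fails with "Using $this when not in object context"; the `@return Zend_Markup_Renderer_RendererAbstract` docblock makes the same broken promise. Either drop the return and document `@return void`, or make the method an instance method if fluent chaining is wanted. Because the value is stored in a static property, passing `encoding` to one renderer silently changes the charset used by every renderer in the process, including ones built earlier; that deserves a sentence in the property and setter docblocks, e.g. `Shared by all renderer instances; the constructor option overrides it globally.`. The setter also accepts any string, and `htmlentities()` handles an unrecognised charset name differently across PHP versions (warning and fallback, or an empty result), so validating the name against the charsets PHP supports would keep a typo in the option from degrading escaping.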

+ 9 - 0
tests/Zend/Markup/BbcodeAndHtmlTest.php

@@ -474,6 +474,15 @@ BBCODE;
         $this->assertTrue(Zend_Markup_Renderer_Html::isValidUri("magnet:?xt=urn:bitprint:XZBS763P4HBFYVEMU5OXQ44XK32OMLIN.HGX3CO3BVF5AG2G34MVO3OHQLRSUF4VJXQNLQ7A &xt=urn:ed2khash:aa52fb210465bddd679d6853b491ccce&"));
         $this->assertTrue(!Zend_Markup_Renderer_Html::isValidUri("javascript:alert(1)"));
     }
+
+    public function testXssInImgAndUrl()
+    {
+        $this->assertEquals('<a href="http://google.com/&quot;&lt;script&gt;alert(1)&lt;/script&gt;">...</a>',
+            $this->_markup->render('[url=\'http://google.com/"<script>alert(1)</script>\']...[/url]'));
+        $this->assertEquals('<img src="http://google.com/&amp;quot;&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;" alt="/script&amp;gt;" />',
+            $this->_markup->render('[img]http://google.com/"<script>alert(1)</script>[/img]'));
+    }
+
 }
 
 // Call Zend_Markup_BbcodeAndHtmlTest::main()
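Review bot: The `[img]` expectation pins double-encoded output (`&amp;quot;&amp;lt;script&amp;gt;`) and an `alt` of `/script&amp;gt;`, which documents an artefact of escaping the URI twice (default filter, then `Img.php`) as the intended contract rather than the single-encoded form `&quot;&lt;script&gt;` that the `[url]` assertion expects; if the double pass is deliberate, a comment such as `// img src/alt are escaped twice: once by the default filter, once in Img::convert()` would keep the next reader from "fixing" the expectation, and where the alt text is derived from the URI is not visible in this hunk. Nothing here exercises the `encoding` option the commit adds: a case that constructs a renderer with `array('encoding' => 'ISO-8859-1')` and asserts `Zend_Markup_Renderer_Html::getEncoding()` returns it (and that a known character renders correctly under that charset) would cover the new code path. The `setUp()` that populates `$this->_markup` is outside the hunk.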