diff --git a/public/legacy/include/portability/ApiBeanMapper/TypeMappers/TextMapper.php b/public/legacy/include/portability/ApiBeanMapper/TypeMappers/TextMapper.php
index c5ad536b2b..3617d5ee48 100644
--- a/public/legacy/include/portability/ApiBeanMapper/TypeMappers/TextMapper.php
+++ b/public/legacy/include/portability/ApiBeanMapper/TypeMappers/TextMapper.php
@@ -62,7 +62,8 @@ public function toApi(SugarBean $bean, array &$container, string $name, string $
 $value = html_entity_decode($value);
 }
- $container[$newName] = $this->purify($bean, $name, $value);
+ // Some characters get double encoded when purifying, so need double decoding to get correct output
+ $container[$newName] = html_entity_decode(html_entity_decode($this->purify($bean, $name, $value)));
 }
 /**
diff --git a/public/legacy/include/utils.php b/public/legacy/include/utils.php
index f2299bca60..e9fb5fecd4 100755
--- a/public/legacy/include/utils.php
+++ b/public/legacy/include/utils.php
@@ -2806,7 +2806,7 @@ function purify_html(?string $value, array $extraOptions = []): string
 {
 $sanitizer = new SuiteCRM\HtmlSanitizer($extraOptions);
- $cleanedValue = htmlentities($sanitizer->clean($value, true));
+ $cleanedValue = htmlspecialchars($sanitizer->clean($value, true));
 $decoded = html_entity_decode($cleanedValue);
 $doubleDecoded = html_entity_decode($decoded);
@@ -2814,7 +2814,7 @@ function purify_html(?string $value, array $extraOptions = []): string
 {
 $doubleDecoded = '';
 }
- $doubleCleanedValue = htmlentities($sanitizer->clean($doubleDecoded, true));
+ $doubleCleanedValue = htmlspecialchars($sanitizer->clean($doubleDecoded, true));
 return $doubleCleanedValue;
 }
diff --git a/public/legacy/include/utils/db_utils.php b/public/legacy/include/utils/db_utils.php
index 984edcf2cb..9a3b9b7cf4 100755
--- a/public/legacy/include/utils/db_utils.php
+++ b/public/legacy/include/utils/db_utils.php
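Review bot: The second html_entity_decode() on the new assignment line decodes the purified string one level further than purify() encoded it, so entity text the sanitizer deliberately left inert (a stored literal `&lt;script&gt;`, which purify_html() in utils.php returns as `&amp;lt;script&amp;gt;` after its htmlspecialchars()) leaves toApi() as live `<script>` markup with no further sanitizer pass. purify_html() itself guards its own double decode by re-running the sanitizer on the double-decoded string before encoding; this call site has no equivalent step. Whether $this->purify() ends in purify_html() is not visible here, but if it does, one decode reverses that encoding exactly, `$container[$newName] = html_entity_decode($this->purify($bean, $name, $value));`, and the `$value = html_entity_decode($value);` context line above already normalises legacy input before purification, which is the safer place for it. The added comment should also name which step produces the double encoding rather than "some characters". toApi() starts before this hunk.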
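Review bot: The new htmlspecialchars() calls on the replaced line here and on the one at 2814 rely on PHP's default flags, which changed in 8.1 from ENT_COMPAT to ENT_QUOTES|ENT_SUBSTITUTE|ENT_HTML401; on an older runtime single quotes in the sanitized string are left unescaped, and without ENT_SUBSTITUTE an invalid UTF-8 sequence makes the call return '' silently, blanking the field. Pass the flags explicitly, as the new to_html() in db_utils.php already does: `$cleanedValue = htmlspecialchars($sanitizer->clean($value, true), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');` and the same for `$doubleCleanedValue`. Dropping htmlentities() also stops non-ASCII characters being turned into named entities, presumably the intent, and a one-line comment on the first call would keep the next reader from reverting it. purify_html() continues past this hunk, and the condition that blanks $doubleDecoded is outside the second one.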
@@ -66,15 +66,6 @@ function from_db_convert($string, $type)
 return DBManagerFactory::getInstance()->fromConvert($string, $type);
 }
-$toHTML = array(
- '"' => '"',
- '<' => '<',
- '>' => '>',
- "'" => ''',
-);
-$GLOBALS['toHTML_keys'] = array_keys($toHTML);
-$GLOBALS['toHTML_values'] = array_values($toHTML);
-$GLOBALS['toHTML_keys_set'] = implode("", $GLOBALS['toHTML_keys']);
 /**
 * Replaces specific characters with their HTML entity values
 * @param string $string String to check/replace
@@ -93,14 +84,8 @@ function to_html($string, $encode=true)
 return $string;
 }
- global $toHTML;
-
 if ($encode && is_string($string)) {
- if (is_array($toHTML)) {
- $string = str_ireplace($GLOBALS['toHTML_keys'], $GLOBALS['toHTML_values'] ?? [], $string);
- } else {
- $string = htmlentities($string, ENT_HTML401|ENT_QUOTES, 'UTF-8');
- }
+ $string = htmlspecialchars($string, ENT_HTML401|ENT_QUOTES, 'UTF-8');
 }
 return $string;
@@ -123,22 +108,8 @@ function from_html($string, $encode=true)
 return $string;
 }
- global $toHTML;
- static $toHTML_values = null;
- static $toHTML_keys = null;
- static $cache = array();
- if (!empty($toHTML) && is_array($toHTML) && (!isset($toHTML_values) || !empty($GLOBALS['from_html_cache_clear']))) {
- $toHTML_values = array_values($toHTML);
- $toHTML_keys = array_keys($toHTML);
- }
- // Bug 36261 - Decode & so we can handle double encoded entities
- $string = html_entity_decode($string, ENT_HTML401|ENT_QUOTES, 'UTF-8') ?? '';
-
- if (!isset($cache[$string])) {
- $cache[$string] = str_ireplace($toHTML_values ?? '', $toHTML_keys ?? '', $string);
- }
- return $cache[$string] ?? '';
+ return html_entity_decode($string, ENT_HTML401|ENT_QUOTES, 'UTF-8') ?? '';
 }
 /*
diff --git a/public/legacy/tests/unit/phpunit/modules/AOR_Reports/AOR_ReportTest.php b/public/legacy/tests/unit/phpunit/modules/AOR_Reports/AOR_ReportTest.php
index cc9ecf60b4..58f2b260ad 100644
--- a/public/legacy/tests/unit/phpunit/modules/AOR_Reports/AOR_ReportTest.php
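Review bot: The htmlspecialchars() call on the added line in the to_html() hunk omits ENT_SUBSTITUTE, so a value containing an invalid UTF-8 sequence makes to_html() return '' instead of the escaped string and the field is silently blanked; use `$string = htmlspecialchars($string, ENT_HTML401 | ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Encoding `&` is the correct escaping behaviour, but the removed str_ireplace() table covered only `"`, `<`, `>` and `'`, so to_html() used to be idempotent on already-encoded data and now turns a stored `&lt;` into `&amp;lt;` on every call; if callers re-encode stored values, `double_encode: false` keeps the old idempotence while still escaping the four characters, and either way the docblock above should state the new behaviour. The first hunk also drops `$GLOBALS['toHTML_keys_set']`, which nothing in this diff replaces, so any remaining reader of it outside these files would now see an undefined index. The `$encode` guard at the top of to_html() is outside the hunk.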
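Review bot: The `?? ''` on the new return line in from_html() is dead code: html_entity_decode() always returns a string, so the null fallback never fires and only suggests a failure path that does not exist; write `return html_entity_decode($string, ENT_HTML401 | ENT_QUOTES, 'UTF-8');`. The removed block decoded once and then mapped the four table entities a second time, so a double-encoded `&amp;lt;` used to come back as `<`, whereas the new single decode stops at `&lt;`, which the removed Bug 36261 comment says callers with legacy double-encoded data relied on. Decoding once is the safer default, since every extra decode is another chance to turn stored entity text back into markup, but the change in what callers receive belongs in the docblock above this hunk and should be checked against the purify_html() path in utils.php, which now performs its own double decode. The early-return guard at the top of from_html() is outside the hunk.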
+++ b/public/legacy/tests/unit/phpunit/modules/AOR_Reports/AOR_ReportTest.php
@@ -108,7 +108,6 @@ public function testbuild_report_chart(): void
 unset($GLOBALS['_SESSION']);
 unset($GLOBALS['objectList']);
 unset($GLOBALS['mod_strings']);
- unset($GLOBALS['toHTML']);
 unset($GLOBALS['module']);
 unset($GLOBALS['action']);
 unset($GLOBALS['disable_date_format']);