From 85f34610f54826db780c969d17022f62c20d88df Mon Sep 17 00:00:00 2001
From: Mike Macgirvin
Date: Sun, 25 Aug 2024 19:44:07 +1000
Subject: [PATCH] alt-text filtering

---
 include/bbcode.php | 2 +-
 src/Lib/Activity.php | 13 +++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/include/bbcode.php b/include/bbcode.php
index 34fe85097..bd492ebde 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -1208,7 +1208,7 @@ function bb_imgoptions($match)
 if (!$alt) {
 $alt = t('Image/photo');
 }
- $alt = htmlspecialchars(str_replace('\\"', '"', $alt), ENT_QUOTES, 'UTF-8', false);
+ $alt = htmlspecialchars(str_replace('\\"', '"', $alt), ENT_COMPAT, 'UTF-8', false);
 $output .= (($style) ? 'style="' . $style . '" ' : '') . 'alt="' . $alt . '" ' . 'title="' . $alt . '" ';
 $output .= 'src="' . (($src) ? $src : $match[4]) . '" >';
diff --git a/src/Lib/Activity.php b/src/Lib/Activity.php
index 1d66fbaae..51b233903 100644
--- a/src/Lib/Activity.php
+++ b/src/Lib/Activity.php
@@ -824,8 +824,7 @@ class Activity
 $entry['type'] = 'image/jpeg';
 }
 if (array_key_exists('name', $att) && $att['name']) {
- $entry['name'] = html2plain(purify_html($att['name']), 256);
- $entry['name'] = str_replace('"', '"', $entry['name']);
+ $entry['name'] = htmlentities($att['name'], ENT_COMPAT, 'UTF-8', false);
 }
 // Friendica attachments don't match the URL in the body.
 // This makes it more difficult to detect image duplication in bb_attach()
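Review bot: The new `htmlspecialchars(..., ENT_COMPAT, 'UTF-8', false)` call on the `+` line of the bbcode.php hunk still passes no `ENT_SUBSTITUTE`, so an `$alt` that is not valid UTF-8 makes htmlspecialchars() return an empty string and the tag is emitted with `alt="" title=""` instead of the text (or the `t('Image/photo')` fallback, which only fires when `$alt` is empty before encoding); `$alt = htmlspecialchars(str_replace('\\"', '"', $alt), ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8', false);` keeps the text and replaces the bad bytes with U+FFFD. Dropping ENT_QUOTES is sound only because `$alt` lands in the double-quoted `alt=` and `title=` attributes on the next line; that invariant deserves a comment such as `// ENT_COMPAT: only " is encoded; safe because alt/title below are double-quoted attributes` so a later single-quoted use does not silently inherit it. Not part of this change, but the `src="..."` concatenation two lines down applies no escaping to `$src` / `$match[4]`, so it is worth confirming where those values are validated. bb_imgoptions() starts and ends outside the hunk.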
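Review bot: In the Activity.php hunk at line 824 the replacement `htmlentities($att['name'], ENT_COMPAT, 'UTF-8', false)` changes what `$entry['name']` holds from plain text to HTML-entity-encoded text, and htmlentities() (unlike the htmlspecialchars() this patch uses on the same kind of value further down) also rewrites every non-ASCII character that has a named entity, so `Café` is stored as `Caf&eacute;`; if `$entry['name']` is ever serialized back out as the attachment's `name` (its consumers are not visible here), remote peers would receive the literal entity text. Encoding only the markup-significant characters neutralises HTML just as well while leaving Unicode intact, and matches the consumer: `$entry['name'] = htmlspecialchars($att['name'], ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8', false);` — `ENT_SUBSTITUTE` also avoids the empty-string result that both htmlentities() and htmlspecialchars() return for invalid UTF-8, which would otherwise silently discard a remote name. The removed lines ran the name through `purify_html()` and `html2plain()` with a `256` argument; whatever that argument bounded (wrap width or length), nothing now limits how long a remote-supplied name can be, so if a cap was intended reinstate one, e.g. `mb_substr($att['name'], 0, 256)` before encoding. The enclosing method starts and ends outside the hunk.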
@@ -4812,10 +4811,11 @@ class Activity
 if (isset($a['image'])) {
 if (self::media_not_in_body($a['image'], $item['body']) && self::media_not_in_body($a['href'], $item['body'])) {
 if (isset($a['name']) && $a['name']) {
- $alt = htmlspecialchars($a['name'], ENT_QUOTES, 'UTF-8', false);
+ // $alt = $a['name'];
+ $alt = htmlspecialchars($a['name'], ENT_COMPAT, 'UTF-8', false);
 // Escape brackets by converting to unicode full-width bracket since regular brackets will confuse multicode/bbcode parsing.
 // The full width bracket isn't quite as alien looking as most other unicode bracket replacements.
- $alt = str_replace(['[', ']', '"'], ['[', ']', '\"'], $alt);
+ $alt = str_replace(['[', ']'], ['[', ']'], $alt);
 $item['body'] .= "\n\n" . '[img alt="' . $alt . '"]' . $a['href'] . '[/img]';
 } else {
 $item['body'] .= "\n\n" . '[img]' . $a['href'] . '[/img]';
@@ -4825,10 +4825,11 @@ class Activity
 } elseif (self::media_not_in_body($a['href'], $item['body'])) {
 if (isset($a['name']) && $a['name']) {
- $alt = htmlspecialchars($a['name'], ENT_QUOTES, 'UTF-8', false);
+ // $alt = $a['name'];
+ $alt = htmlspecialchars($a['name'], ENT_COMPAT, 'UTF-8', false);
 // Escape brackets by converting to unicode full-width bracket since regular brackets will confuse multicode/bbcode parsing.
 // The full width bracket isn't quite as alien looking as most other unicode bracket replacements.
- $alt = str_replace(['[', ']', '"'], ['[', ']', '\"'], $alt);
+ $alt = str_replace(['[', ']'], ['[', ']'], $alt);
 $item['body'] .= "\n\n" . '[img alt="' . $alt . '"]' . $a['href'] . '[/img]';
 } else {
 $item['body'] .= "\n\n" . '[img]' . $a['href'] . '[/img]';
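Review bot: The added `+ // $alt = $a['name'];` line is commented-out code left on the new side and should be deleted (the same line is added again in the `elseif` branch below). The escaping that replaced the old backslash-quote trick is now spread over a htmlspecialchars() call and a bracket substitution that are duplicated verbatim in that second branch, and it only works because bb_imgoptions() (patched in this same commit) re-runs htmlspecialchars() with `double_encode=false`, so the `&quot;` produced here survives the second pass without becoming `&amp;quot;` — a coupling that is not written down anywhere. Both copies also lack `ENT_SUBSTITUTE`, so a `name` containing invalid UTF-8 passes the `$a['name']` truthiness check yet yields `$alt === ''` and the body gets `[img alt=""]`. I would move the two lines into one private static helper that documents the contract and call it from both branches; the full-width replacement characters are rendered as plain brackets on this page, so they appear as `［`/`］` below. The enclosing method starts and ends outside the hunk.
```php
    /**
     * Escape an attachment name for use inside a [img alt="..."] bbcode tag.
     * Double quotes become &quot; so they cannot close the attribute; bb_imgoptions()
     * later calls htmlspecialchars() with double_encode=false, so the entity is not
     * encoded a second time. Square brackets become their full-width forms because a
     * literal ']' would terminate the bbcode tag. ENT_SUBSTITUTE keeps invalid UTF-8
     * from collapsing the whole alt text into an empty string.
     */
    private static function bbcode_alt_text(string $name): string
    {
        $alt = htmlspecialchars($name, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8', false);
        return str_replace(['[', ']'], ['［', '］'], $alt);
    }

    // … unchanged: media_not_in_body() checks …
                    if (isset($a['name']) && $a['name']) {
                        $alt = self::bbcode_alt_text($a['name']);
                        $item['body'] .= "\n\n" . '[img alt="' . $alt . '"]' . $a['href'] . '[/img]';
                    // … unchanged: else branch emitting [img] without alt …
```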