alt-text filtering

This commit is contained in:
Mike Macgirvin 2024-08-25 19:44:07 +10:00
parent 976bad148f
commit 85f34610f5
2 changed files with 8 additions and 7 deletions


@ -1208,7 +1208,7 @@ function bb_imgoptions($match)
if (!$alt) {
$alt = t('Image/photo');
}
$alt = htmlspecialchars(str_replace('\\"', '"', $alt), ENT_QUOTES, 'UTF-8', false);
$alt = htmlspecialchars(str_replace('\\"', '"', $alt), ENT_COMPAT, 'UTF-8', false);
$output .= (($style) ? 'style="' . $style . '" ' : '') . 'alt="' . $alt . '" ' . 'title="' . $alt . '" ';
$output .= 'src="' . (($src) ? $src : $match[4]) . '" >';
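Review bot: With ENT_COMPAT on the new line a single quote in `$alt` is passed through literally, so the output on the following line is safe only while `alt=` and `title=` stay double-quoted attributes; that dependency deserves a comment next to the call, e.g. `// ENT_COMPAT leaves ' literal: alt/title below must remain double-quoted attributes.` The `"` case is still covered because htmlspecialchars encodes it to `&quot;` under either flag, and double_encode=false keeps an already-encoded `&quot;` arriving from upstream from being turned into `&amp;quot;`. Unrelated to this change but on the same output line, `$style` is concatenated without any escaping, so it is worth confirming where that value is sourced. bb_imgoptions starts and ends outside this hunk.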


@ -824,8 +824,7 @@ class Activity
$entry['type'] = 'image/jpeg';
}
if (array_key_exists('name', $att) && $att['name']) {
$entry['name'] = html2plain(purify_html($att['name']), 256);
$entry['name'] = str_replace('"', '"', $entry['name']);
$entry['name'] = htmlentities($att['name'], ENT_COMPAT, 'UTF-8', false);
}
// Friendica attachments don't match the URL in the body.
// This makes it more difficult to detect image duplication in bb_attach()
@ -4812,10 +4811,11 @@ class Activity
if (isset($a['image'])) {
if (self::media_not_in_body($a['image'], $item['body']) && self::media_not_in_body($a['href'], $item['body'])) {
if (isset($a['name']) && $a['name']) {
$alt = htmlspecialchars($a['name'], ENT_QUOTES, 'UTF-8', false);
// $alt = $a['name'];
$alt = htmlspecialchars($a['name'], ENT_COMPAT, 'UTF-8', false);
// Escape brackets by converting to unicode full-width bracket since regular brackets will confuse multicode/bbcode parsing.
// The full width bracket isn't quite as alien looking as most other unicode bracket replacements.
$alt = str_replace(['[', ']', '"'], ['[', ']', '\"'], $alt);
$alt = str_replace(['[', ']'], ['[', ']'], $alt);
$item['body'] .= "\n\n" . '[img alt="' . $alt . '"]' . $a['href'] . '[/img]';
} else {
$item['body'] .= "\n\n" . '[img]' . $a['href'] . '[/img]';
@ -4825,10 +4825,11 @@ class Activity
}
elseif (self::media_not_in_body($a['href'], $item['body'])) {
if (isset($a['name']) && $a['name']) {
$alt = htmlspecialchars($a['name'], ENT_QUOTES, 'UTF-8', false);
// $alt = $a['name'];
$alt = htmlspecialchars($a['name'], ENT_COMPAT, 'UTF-8', false);
// Escape brackets by converting to unicode full-width bracket since regular brackets will confuse multicode/bbcode parsing.
// The full width bracket isn't quite as alien looking as most other unicode bracket replacements.
$alt = str_replace(['[', ']', '"'], ['[', ']', '\"'], $alt);
$alt = str_replace(['[', ']'], ['[', ']'], $alt);
$item['body'] .= "\n\n" . '[img alt="' . $alt . '"]' . $a['href'] . '[/img]';
} else {
$item['body'] .= "\n\n" . '[img]' . $a['href'] . '[/img]';
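Review bot: The alt-text escaping sequence added here (htmlspecialchars with ENT_COMPAT, the full-width bracket str_replace, the `[img alt="…"]` concatenation) is duplicated verbatim in the preceding hunk at line 4812, and since the `[img alt="…"]` attribute is now protected only by htmlspecialchars turning `"` into `&quot;` instead of the dropped `\"` escaping, that rule should live in one private static helper so the two call sites cannot drift apart. The added `// $alt = $a['name'];` line in both hunks is commented-out code and should be dropped before merge. On the visible lines no attribute-breakout path remains: a literal `"` is encoded, and with double_encode=false an incoming `&quot;` is kept as-is rather than re-encoded. Both hunks sit inside a method of Activity whose signature and end are outside the diff.
```php
// … unchanged: media_not_in_body() checks …
if (isset($a['name']) && $a['name']) {
    $item['body'] .= "\n\n" . '[img alt="' . self::img_alt_bbcode($a['name']) . '"]' . $a['href'] . '[/img]';
} else {
    // … unchanged: plain [img] branch …
}

/**
 * Prepare attachment text for use inside a bbcode [img alt="…"] attribute.
 * Relies on ENT_COMPAT encoding '"' as &quot; so the attribute cannot be closed early;
 * square brackets become full-width so the bbcode parser does not see a tag.
 */
private static function img_alt_bbcode(string $name): string
{
    // … unchanged: the htmlspecialchars(ENT_COMPAT) and full-width bracket str_replace lines from the hunk, applied to $name into $alt …
    return $alt;
}
```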