Right now it is possible to emit a raw \n or \r to the UDP feed by
encoding it as an HTML entity. This could be used for
arbitrary IRC command execution in bots which do not subsequently
perform their own escaping. This commit changes it so that entities are
decoded before \n and \r are stripped.
Change-Id: I3f7005abded3fbafb586754d763a00a4018f0954
* @return string
*/
public static function cleanupForIRC( $text ) {
- return Sanitizer::decodeCharReferences( str_replace(
+ return str_replace(
array( "\n", "\r" ),
array( " ", "" ),
- $text
- ) );
+ Sanitizer::decodeCharReferences( $text )
+ );
}
}
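Review bot: The order of the two calls in cleanupForIRC is now the security property, but nothing in the new body says so, and a later tidy-up could swap them back unnoticed. I would add a comment above the return, e.g. `// Decode character references before stripping: an encoded line break must not survive into the feed.`, and a unit test asserting that the output contains no "\n" or "\r" when the input carries them as character references. The strip list covers only those two characters; whether other control characters can come out of Sanitizer::decodeCharReferences is not visible here and is worth confirming for consumers that treat them as separators. The docblock for this method starts above the hunk.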