From afcfb1d1fb6c4420f518785371262bef3e8e9b2f Mon Sep 17 00:00:00 2001
From: Ryan Schmidt
Date: Wed, 20 Jan 2016 11:06:45 -0600
Subject: [PATCH] Properly escape \n and \r in IRCColourfulRCFeedFormatter

Right now it is possible to emit a raw \n or \r to the UDP feed by encoding it as an HTML entity, e.g. This could be used for arbitrary IRC command execution in bots which do not subsequently perform their own escaping. This commit changes it so that entities are decoded first before \n and \r are stripped.

Change-Id: I3f7005abded3fbafb586754d763a00a4018f0954
---
 includes/rcfeed/IRCColourfulRCFeedFormatter.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/includes/rcfeed/IRCColourfulRCFeedFormatter.php b/includes/rcfeed/IRCColourfulRCFeedFormatter.php
index 30be343165..0efcebf9a3 100644
--- a/includes/rcfeed/IRCColourfulRCFeedFormatter.php
+++ b/includes/rcfeed/IRCColourfulRCFeedFormatter.php
@@ -123,10 +123,10 @@ class IRCColourfulRCFeedFormatter implements RCFeedFormatter {
 * @return string
 */
 public static function cleanupForIRC( $text ) {
- return Sanitizer::decodeCharReferences( str_replace(
+ return str_replace(
 array( "\n", "\r" ),
 array( " ", "" ),
- $text
- ) );
+ Sanitizer::decodeCharReferences( $text )
+ );
 }
 }
-- 
2.20.1
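Review bot: The reordering is correct, but nothing in the hunk records why decoding must precede the newline strip, so a later refactor could silently swap the calls back and reintroduce the injection; add a why-comment above the `return`, e.g. `// Decode character references first: an entity-encoded line break must not reach the IRC line as a raw \n or \r after decoding.` A regression test that passes an entity-encoded line break (such as the `&#10;` form) through cleanupForIRC and asserts the result contains neither "\n" nor "\r" would pin the fix. Whether Sanitizer::decodeCharReferences can yield other characters the IRC line protocol forbids, such as NUL, is not visible here; it may be worth confirming that numeric references to control characters are rejected or replaced by the decoder rather than passed through. The method's docblock begins above the hunk; its `@param` line, if present, should state that the input may contain HTML character references.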