diff --git a/core/templates/login.php b/core/templates/login.php
index 7b09d4fac95610c3e384c16b201d8af99c212b8a..e87b871c67e0691cff4af81a2f4e7ef30b1fd18f 100644
--- a/core/templates/login.php
+++ b/core/templates/login.php
@@ -12,7 +12,7 @@ script('core', [
<form method="post" name="login">
<fieldset>
<?php if (!empty($_['redirect_url'])) {
- print_unescaped('<input type="hidden" name="redirect_url" value="' . OC_Util::sanitizeHTML($_['redirect_url']) . '">');
+ print_unescaped('<input type="hidden" name="redirect_url" value="' . \OCP\Util::sanitizeHTML($_['redirect_url']) . '">');
} ?>
<?php if (isset($_['apacheauthfailed']) && ($_['apacheauthfailed'])): ?>
<div class="warning">
diff --git a/lib/private/template.php b/lib/private/template.php
index 1476a964ef3679c67dc3a045766ccb90ddd0697c..d794dacac23366c5210f934afe9a4a87180ccf3b 100644
--- a/lib/private/template.php
+++ b/lib/private/template.php
@@ -226,12 +226,12 @@ class OC_Template extends \OC\Template\Base {
// Add custom headers
$headers = '';
foreach(OC_Util::$headers as $header) {
- $headers .= '<'.OC_Util::sanitizeHTML($header['tag']);
+ $headers .= '<'.\OCP\Util::sanitizeHTML($header['tag']);
foreach($header['attributes'] as $name=>$value) {
- $headers .= ' '.OC_Util::sanitizeHTML($name).'="'.OC_Util::sanitizeHTML($value).'"';
+ $headers .= ' '.\OCP\Util::sanitizeHTML($name).'="'.\OCP\Util::sanitizeHTML($value).'"';
}
if ($header['text'] !== null) {
- $headers .= '>'.OC_Util::sanitizeHTML($header['text']).'</'.OC_Util::sanitizeHTML($header['tag']).'>';
+ $headers .= '>'.\OCP\Util::sanitizeHTML($header['text']).'</'.\OCP\Util::sanitizeHTML($header['tag']).'>';
} else {
$headers .= '/>';
}
diff --git a/lib/private/template/functions.php b/lib/private/template/functions.php
index 79d18632d2fa79505e0e502bc3829ef51b7f1d79..d156d26f9ce33fe38e5ce998fee9cc6e00cd4deb 100644
--- a/lib/private/template/functions.php
+++ b/lib/private/template/functions.php
@@ -33,7 +33,7 @@
* @param string $string the string which will be escaped and printed
*/
function p($string) {
- print(OC_Util::sanitizeHTML($string));
+ print(\OCP\Util::sanitizeHTML($string));
}
/**
@@ -262,7 +262,7 @@ function html_select_options($options, $selected, $params=array()) {
$label = $label[$label_name];
}
$select = in_array($value, $selected) ? ' selected="selected"' : '';
- $html .= '<option value="' . OC_Util::sanitizeHTML($value) . '"' . $select . '>' . OC_Util::sanitizeHTML($label) . '</option>'."\n";
+ $html .= '<option value="' . \OCP\Util::sanitizeHTML($value) . '"' . $select . '>' . \OCP\Util::sanitizeHTML($label) . '</option>'."\n";
}
return $html;
}
diff --git a/lib/private/util.php b/lib/private/util.php
index c31ad63b9be2531506aec4536e326851fcfb6496..eb188b649e868342d3076d49c0b3e5fcf13cacdc 100644
--- a/lib/private/util.php
+++ b/lib/private/util.php
@@ -1177,14 +1177,16 @@ class OC_Util {
* This function is used to sanitize HTML and should be applied on any
* string or array of strings before displaying it on a web page.
*
- * @param string|array &$value
+ * @param string|array $value
* @return string|array an array of sanitized strings or a single sanitized string, depends on the input parameter.
*/
- public static function sanitizeHTML(&$value) {
+ public static function sanitizeHTML($value) {
if (is_array($value)) {
- array_walk_recursive($value, 'OC_Util::sanitizeHTML');
+ $value = array_map(function($value) {
+ return self::sanitizeHTML($value);
+ }, $value);
} else {
- //Specify encoding for PHP<5.4
+ // Specify encoding for PHP<5.4
$value = htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}
return $value;
diff --git a/lib/public/util.php b/lib/public/util.php
index 110028368d0ef6903d2dc76744d9ac9f399f2cbf..4e783b764ed3d8647e4ab2a849536aac754804cd 100644
--- a/lib/public/util.php
+++ b/lib/public/util.php
@@ -497,11 +497,11 @@ class Util {
* string or array of strings before displaying it on a web page.
*
* @param string|array $value
- * @return string|array an array of sanitized strings or a single sinitized string, depends on the input parameter.
+ * @return string|array an array of sanitized strings or a single sanitized string, depends on the input parameter.
* @since 4.5.0
*/
- public static function sanitizeHTML( $value ) {
- return(\OC_Util::sanitizeHTML($value));
+ public static function sanitizeHTML($value) {
+ return \OC_Util::sanitizeHTML($value);
}
/**
diff --git a/settings/templates/admin.php b/settings/templates/admin.php
index 0721c0e0afbed36829f6d38083534450da99adf5..f3de51a23c3c2af45da6ee599352b47c54cadc81 100644
--- a/settings/templates/admin.php
+++ b/settings/templates/admin.php
@@ -56,7 +56,7 @@ if ($_['mail_smtpmode'] == 'qmail') {
if (isset($form['anchor'])) {
$anchor = '#' . $form['anchor'];
$sectionName = $form['section-name'];
- print_unescaped(sprintf("<li><a href='%s'>%s</a></li>", OC_Util::sanitizeHTML($anchor), OC_Util::sanitizeHTML($sectionName)));
+ print_unescaped(sprintf("<li><a href='%s'>%s</a></li>", \OCP\Util::sanitizeHTML($anchor), \OCP\Util::sanitizeHTML($sectionName)));
}
}?>
</ul>
diff --git a/settings/templates/personal.php b/settings/templates/personal.php
index 0eba71d77d1a9ecbd08ec8324d6c0b1ec7573ce3..09194ea3e3922e906983c402439468996c6c9c33 100644
--- a/settings/templates/personal.php
+++ b/settings/templates/personal.php
@@ -14,7 +14,7 @@
if (isset($form['anchor'])) {
$anchor = '#' . $form['anchor'];
$sectionName = $form['section-name'];
- print_unescaped(sprintf("<li><a href='%s'>%s</a></li>", OC_Util::sanitizeHTML($anchor), OC_Util::sanitizeHTML($sectionName)));
+ print_unescaped(sprintf("<li><a href='%s'>%s</a></li>", \OCP\Util::sanitizeHTML($anchor), \OCP\Util::sanitizeHTML($sectionName)));
}
}?>
</ul>
diff --git a/tests/lib/util.php b/tests/lib/util.php
index 9b82be369557ddcd699d5efccaa8d4d284d4bfe6..fa559c17c8097661386e7d890edd42e5e65d40f1 100644
--- a/tests/lib/util.php
+++ b/tests/lib/util.php
@@ -95,16 +95,22 @@ class Test_Util extends \Test\TestCase {
}
function testSanitizeHTML() {
- $badArray = array(
+ $badArray = [
'While it is unusual to pass an array',
'this function actually <blink>supports</blink> it.',
- 'And therefore there needs to be a <script>alert("Unit"+\'test\')</script> for it!'
- );
- $goodArray = array(
+ 'And therefore there needs to be a <script>alert("Unit"+\'test\')</script> for it!',
+ [
+ 'And It Even May <strong>Nest</strong>',
+ ],
+ ];
+ $goodArray = [
'While it is unusual to pass an array',
'this function actually <blink>supports</blink> it.',
- 'And therefore there needs to be a <script>alert("Unit"+'test')</script> for it!'
- );
+ 'And therefore there needs to be a <script>alert("Unit"+'test')</script> for it!',
+ [
+ 'And It Even May <strong>Nest</strong>'
+ ],
+ ];
$result = OC_Util::sanitizeHTML($badArray);
$this->assertEquals($goodArray, $result);