From 3946cb84583fdd1c14822b8734d8853d8cc3adee Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 19 May 2010 09:24:53 +0000
Subject: [PATCH] Replace all calls to htmlentities with htmlspecialchars.

htmlentities uses the ISO-8859-1 charset by default, which mangles UTF-8
input. It also emits named entities that are not defined in XML.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2302 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/casserver/www/serviceValidate.php       |  6 +++---
 modules/core/templates/show_metadata.tpl.php    |  2 +-
 modules/saml2debug/www/debug.php                |  2 +-
 modules/statistics/templates/statistics-tpl.php |  4 ++--
 templates/httpredirect-debug.php                |  2 +-
 templates/metadata.php                          |  2 +-
 www/saml2/idp/metadata.php                      |  4 ++--
 www/saml2/sp/metadata.php                       | 14 +++++++-------
 8 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/modules/casserver/www/serviceValidate.php b/modules/casserver/www/serviceValidate.php
index 823f59222..a80922557 100644
--- a/modules/casserver/www/serviceValidate.php
+++ b/modules/casserver/www/serviceValidate.php
@@ -54,15 +54,15 @@ function returnResponse($value, $content = '', $attributes = array()) {
 	if ($value === 'YES') {
 		$attributesxml = "";
 		foreach ($attributes as $attributename => $attributelist) {
-			$attr = htmlentities($attributename);
+			$attr = htmlspecialchars($attributename);
 			foreach ($attributelist as $attributevalue) {
-				$attributesxml .= "<cas:$attr>" . htmlentities($attributevalue) . "</cas:$attr>\n";
+				$attributesxml .= "<cas:$attr>" . htmlspecialchars($attributevalue) . "</cas:$attr>\n";
 			}
 		}
 		if (sizeof($attributes)) $attributesxml = '<cas:attributes>' . $attributesxml . '</cas:attributes>';
 		echo '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
     <cas:authenticationSuccess>
-	<cas:user>' . htmlentities($content) . '</cas:user>' .
+	<cas:user>' . htmlspecialchars($content) . '</cas:user>' .
 	$attributesxml .
     '</cas:authenticationSuccess>
 </cas:serviceResponse>';
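Review bot: On the `<cas:$attr>` line, escaping `$attributename` does not make it a valid XML element name — `htmlspecialchars` only converts `&`, `<`, `>` and double quotes, so a name containing a colon, space or leading digit (attribute names of the form `urn:oid:…` are common in SAML deployments, if that is where these come from) still yields malformed XML in the CAS response. The name should be validated or mapped to a safe NCName rather than escaped, e.g. `if (!preg_match('/^[A-Za-z_][A-Za-z0-9_.-]*$/', $attributename)) { continue; }` at the top of the outer loop, or transliterated to such a form. For the values and `$content`, pass flags and charset explicitly — `htmlspecialchars($attributevalue, ENT_QUOTES, 'UTF-8')` — so the encoding does not depend on the PHP default. `returnResponse()` begins before this hunk.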
diff --git a/modules/core/templates/show_metadata.tpl.php b/modules/core/templates/show_metadata.tpl.php
index bdef18d8a..6f6782f66 100644
--- a/modules/core/templates/show_metadata.tpl.php
+++ b/modules/core/templates/show_metadata.tpl.php
@@ -7,7 +7,7 @@ $this->includeAtTemplateBase('includes/header.php');
 
 echo('<pre style="font-size: 110%">');
 
-echo(htmlentities(var_export($this->data['m'])));
+echo(htmlspecialchars(var_export($this->data['m'])));
 
 echo('</pre>');
 
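Review bot: The escaping on the new `echo(htmlspecialchars(var_export(...)))` line is still bypassed, because `var_export()` is called without its second argument: it prints the dump directly and returns NULL, so `htmlspecialchars()` receives an empty value and the metadata array is written into the `<pre>` unescaped. Metadata fields (entity IDs, URLs, display names) may originate from remote metadata feeds, which would make this a stored-XSS vector on the admin page. The fix is `echo(htmlspecialchars(var_export($this->data['m'], TRUE), ENT_QUOTES, 'UTF-8'));`.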
diff --git a/modules/saml2debug/www/debug.php b/modules/saml2debug/www/debug.php
index d707fea02..0d1afa7b5 100644
--- a/modules/saml2debug/www/debug.php
+++ b/modules/saml2debug/www/debug.php
@@ -32,7 +32,7 @@ function decode($raw) {
 	if ($gzinflated != FALSE) {
 		$base64decoded = $gzinflated;
 	}
-	$decoded = htmlentities($base64decoded);
+	$decoded = htmlspecialchars($base64decoded);
 	return $decoded;
 }
 
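Review bot: `decode()` runs on request-supplied base64/deflated bytes, and the new `htmlspecialchars($base64decoded)` call leaves charset and quote flags at their defaults, so the result varies with the PHP version (the default charset changed from ISO-8859-1 to UTF-8 in 5.4). Use `htmlspecialchars($base64decoded, ENT_QUOTES, 'UTF-8')`, and on PHP >= 5.4 add `ENT_SUBSTITUTE`, since with a UTF-8 charset an invalid byte sequence otherwise makes the function return an empty string and the debug output silently vanishes. The function body begins before this hunk, so the `gzinflate` failure handling is only partly visible here.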
diff --git a/modules/statistics/templates/statistics-tpl.php b/modules/statistics/templates/statistics-tpl.php
index 6bc4db889..6fe94a4de 100644
--- a/modules/statistics/templates/statistics-tpl.php
+++ b/modules/statistics/templates/statistics-tpl.php
@@ -133,9 +133,9 @@ foreach ($this->data['availdelimiters'] AS $key => $delim) {
 	if ($key == '_') {
 		echo '<option value="_">Total</option>';
 	} elseif (isset($_REQUEST['d']) && $delim == $_REQUEST['d']) {
-		echo '<option selected="selected" value="' . htmlentities($delim) . '">' . htmlspecialchars($delimName) . '</option>';
+		echo '<option selected="selected" value="' . htmlspecialchars($delim) . '">' . htmlspecialchars($delimName) . '</option>';
 	} else {
-		echo '<option  value="' . htmlentities($delim) . '">' . htmlspecialchars($delimName) . '</option>';
+		echo '<option  value="' . htmlspecialchars($delim) . '">' . htmlspecialchars($delimName) . '</option>';
 	}
 }
 echo '</select></form>';
diff --git a/templates/httpredirect-debug.php b/templates/httpredirect-debug.php
index 065857f48..62fa382c6 100644
--- a/templates/httpredirect-debug.php
+++ b/templates/httpredirect-debug.php
@@ -7,7 +7,7 @@
 
 	<p><?php echo($this->t('{admin:debug_sending_message_text_link}')); ?></p>
 	
-	<p>[ <a id="sendlink" href="<?php echo htmlentities($this->data['url']); ?>"><?php echo($this->t('{admin:debug_sending_message_send}')); ?></a> ]</p>
+	<p>[ <a id="sendlink" href="<?php echo htmlspecialchars($this->data['url']); ?>"><?php echo($this->t('{admin:debug_sending_message_send}')); ?></a> ]</p>
 	
 	<h2><?php echo($this->t('{admin:debug_sending_message_msg_title}')); ?></h2>
 	
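Review bot: Attribute escaping on the `href` line prevents quote breakout but does not constrain the URL itself; if `$this->data['url']` can be influenced by the incoming request (it is the redirect target of the message being debugged), a `javascript:` or `data:` scheme would pass through `htmlspecialchars` intact. The producer of `url` should verify the scheme is `http` or `https` before it reaches the template, or the template should guard with `if (!preg_match('#^https?://#i', $this->data['url'])) { /* refuse to render link */ }`. This is inferred from the variable's role; where it is set is not visible in this hunk.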
diff --git a/templates/metadata.php b/templates/metadata.php
index 48bc46128..3e39b36de 100644
--- a/templates/metadata.php
+++ b/templates/metadata.php
@@ -68,7 +68,7 @@ $this->includeAtTemplateBase('includes/header.php');
 			} else {
 				
 				echo '<div style="border: 1px solid #444; margin: .5em 2em .5em 2em; padding: .5em 1em 1em 1em; background: #FFFFCC">';
-				echo '	<a href="' . htmlentities($this->data['adminlogin']) . '">';
+				echo '	<a href="' . htmlspecialchars($this->data['adminlogin']) . '">';
 				echo $this->t('metadata_send_adminlogin');
 				echo '	</a>';
 				echo '</div>';
diff --git a/www/saml2/idp/metadata.php b/www/saml2/idp/metadata.php
index 75ad959c3..965fa3914 100644
--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -84,8 +84,8 @@ try {
 
 		$t->data['header'] = 'saml20-idp';
 		$t->data['metaurl'] = SimpleSAML_Utilities::selfURLNoQuery();
-		$t->data['metadata'] = htmlentities($metaxml);
-		$t->data['metadataflat'] = htmlentities($metaflat);
+		$t->data['metadata'] = htmlspecialchars($metaxml);
+		$t->data['metadataflat'] = htmlspecialchars($metaflat);
 		$t->data['defaultidp'] = $defaultidp;
 		$t->show();
 
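Review bot: `htmlspecialchars($metaxml)` and `htmlspecialchars($metaflat)` on the new lines still rely on PHP's default charset, which was ISO-8859-1 up to PHP 5.3 and became UTF-8 in 5.4, so the UTF-8 motivation in the commit message is only guaranteed if the charset is passed explicitly. Write `htmlspecialchars($metaxml, ENT_QUOTES, 'UTF-8')` (and likewise for `$metaflat`); `ENT_QUOTES` also covers the case where the template ever places the value in a single-quoted attribute. A small shared escaping helper would keep the many call sites touched by this commit consistent. The enclosing `try` block begins before this hunk.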
diff --git a/www/saml2/sp/metadata.php b/www/saml2/sp/metadata.php
index b00527353..a64170156 100644
--- a/www/saml2/sp/metadata.php
+++ b/www/saml2/sp/metadata.php
@@ -114,7 +114,7 @@ try {
 
 <p>Metadata was sent to you from a simpleSAMLphp SAML 2.0 Service Provider. The service provider requests to connect to the following Identity Provider: 
 	<ul>
-		<li><tt>' . htmlentities($_POST['sendtoidp']) . '</tt></li>
+		<li><tt>' . htmlspecialchars($_POST['sendtoidp']) . '</tt></li>
 	</ul>
 </p>
 
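Review bot: `$_POST['sendtoidp']` is request-controlled, and the new `htmlspecialchars()` call leaves both flags at their defaults, so whether the bytes are validated as UTF-8 depends on the PHP version (default charset became UTF-8 in 5.4, where an invalid sequence makes the function return an empty string). Pass them explicitly — `htmlspecialchars($_POST['sendtoidp'], ENT_QUOTES, 'UTF-8')` — and, where the target PHP supports it, add `ENT_SUBSTITUTE` so malformed input renders as U+FFFD instead of being silently blanked. Also confirm the surrounding code has checked `isset($_POST['sendtoidp'])`; any such guard lies outside this hunk.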
@@ -123,16 +123,16 @@ try {
 
 <p>Links to metadata at service provider
 <ul>
-	<li><a href="' . htmlentities(SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), array('output' => 'xhtml'))) . '">SimpleSAMLphp Metadata page</a></li>
-	<li><a href="' . htmlentities(SimpleSAML_Utilities::selfURLNoQuery()) . '">SimpleSAMLphp Metadata (XML only)</a></li>
+	<li><a href="' . htmlspecialchars(SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), array('output' => 'xhtml'))) . '">SimpleSAMLphp Metadata page</a></li>
+	<li><a href="' . htmlspecialchars(SimpleSAML_Utilities::selfURLNoQuery()) . '">SimpleSAMLphp Metadata (XML only)</a></li>
 </ul>
 </p>
 
 <p>SAML 2.0 XML Metadata :</p>
-<pre>' . htmlentities($metaxml) . '</pre>
+<pre>' . htmlspecialchars($metaxml) . '</pre>
 
 <p>Metadata in SimpleSAMLphp format :</p>
-<pre>' . htmlentities($metaflat) . '</pre>
+<pre>' . htmlspecialchars($metaflat) . '</pre>
 
 <p>SimpleSAMLphp version: ' . $config->getVersion() . '</p>
 
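Review bot: `$config->getVersion()` on the `SimpleSAMLphp version:` line is the one value in this block still interpolated without escaping, while every neighbouring value is now passed through `htmlspecialchars`. It comes from the application's own configuration rather than the request, so the exposure is low, but for consistency write `' . htmlspecialchars($config->getVersion(), ENT_QUOTES, 'UTF-8') . '`. The string assignment this hunk belongs to starts and ends outside the hunk.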
@@ -159,8 +159,8 @@ try {
 		$t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
 	
 		$t->data['header'] = 'saml20-sp';
-		$t->data['metadata'] = htmlentities($metaxml);
-		$t->data['metadataflat'] = htmlentities($metaflat);
+		$t->data['metadata'] = htmlspecialchars($metaxml);
+		$t->data['metadataflat'] = htmlspecialchars($metaflat);
 		$t->data['metaurl'] = SimpleSAML_Utilities::selfURLNoQuery();
 		
 		$t->data['idpsend'] = $idpsend;
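Review bot: `$t->data['metadata']` and `$t->data['metadataflat']` are stored already HTML-escaped while `$t->data['metaurl']` on the following line is stored raw, so the template has to know per key whether a value is pre-escaped; that asymmetry is how double-encoding or a missed escape creeps in. Prefer passing raw values and escaping at the point of output in the template, or at least record the convention next to the assignments: `// metadata and metadataflat are pre-escaped for HTML; metaurl is raw and must be escaped by the template.` The enclosing block begins before this hunk.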
-- 
GitLab